ACLs let you say: “This specific user can read here — without touching owner/group logic.”
1️⃣ Ensure ACL support (usually already enabled)
Check the root filesystem's mount options:
mount | grep ' / '
If acl appears in the options → good. (On ext4, ACL support is a default mount option and is often not listed explicitly.)
If it is missing (rare on Ubuntu), remount the filesystem with the acl option.
Install tools if missing:
sudo apt install acl
2️⃣ Grant read-only access to browser
Assume folder:
/data/shared
Run:
sudo setfacl -R -m u:browser:rx /data/shared
Meaning
r → read files
x → traverse directories
❌ no write
3️⃣ Make it persistent for new files (VERY important)
Otherwise files and directories created later inside /data/shared will not carry the browser entry and may be inaccessible to that user.
sudo setfacl -R -d -m u:browser:rx /data/shared
-d = default ACL (inheritance)
4️⃣ Verify (don’t skip)
getfacl /data/shared
You should see:
user:browser:r-x
default:user:browser:r-x
Owner permissions remain unchanged.
5️⃣ Test as browser user
sudo -u browser bash
cd /data/shared
ls # OK
cat file.txt # OK
touch x # FAIL
rm file.txt # FAIL
If any write works → stop, something is wrong.
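As an added example (not part of the original post), a small POSIX shell helper that automates step 4: it takes a user name and a getfacl listing and returns success only when the access entry and the default entry for that user are both r-x and no entry for that user carries a write bit. The listings embedded below are constructed samples, not output captured from a real system; the user name browser and the path /data/shared are the ones assumed in the steps above.

```shell
#!/bin/sh
# Added example: audit a getfacl listing of a directory for one user.
# acl_readonly_ok <user> <getfacl output>
# Returns 0 when the listing contains exactly the intended entries
#   user:<user>:r-x           (access ACL, applies now)
#   default:user:<user>:r-x   (default ACL, inherited by new entries)
# and no access or default entry for <user> has a write bit; returns 1 otherwise.
# Intended for directories: a plain file has no default ACL and will fail the check.
acl_readonly_ok() {
  user="$1"
  listing="$2"
  # Any entry for this user with a write bit in the middle position is a failure.
  if printf '%s\n' "$listing" | grep -E "^(default:)?user:${user}:.w." >/dev/null; then
    return 1
  fi
  # Both the access entry and the default entry must be present, exactly r-x.
  printf '%s\n' "$listing" | grep -qx "user:${user}:r-x" || return 1
  printf '%s\n' "$listing" | grep -qx "default:user:${user}:r-x" || return 1
  return 0
}

# Constructed sample: what step 4 should show after steps 2 and 3.
GOOD_LISTING='# file: /data/shared
# owner: alice
# group: staff
user::rwx
user:browser:r-x
group::r-x
mask::r-x
other::---
default:user::rwx
default:user:browser:r-x
default:group::r-x
default:mask::r-x
default:other::---'

# Constructed sample: a write bit slipped in (e.g. someone ran setfacl with rwx).
BAD_LISTING='# file: /data/shared
# owner: alice
# group: staff
user::rwx
user:browser:rwx
group::r-x
mask::rwx
other::---'

# Constructed sample: step 3 was skipped, so new files will not inherit the entry.
NO_DEFAULT_LISTING='# file: /data/shared
# owner: alice
# group: staff
user::rwx
user:browser:r-x
group::r-x
mask::r-x
other::---'

# Live use on a system with the acl package installed:
# acl_readonly_ok browser "$(getfacl -p /data/shared)" && echo "ACL ok" || echo "ACL WRONG"
```

If you prefer not to grant execute on regular files, setfacl accepts a capital X in place of x (u:browser:rX): with -R it then sets the execute bit only on directories and on files that already have execute permission for some user, which is enough for traversal and keeps data files non-executable.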
Why this is the RIGHT model for your requirement
Requirement             chmod/chown   ACL
Keep owner untouched    ❌            ✅
Fine-grained per-user   ❌            ✅
Safe for programs       ✅            ✅
Auditable               ⚠️            ✅
Related group commands (list, inspect, remove):
getent group                              # list all groups known to the system (local files plus NSS sources)
cat /etc/group                            # show the local group database
cut -d: -f1 /etc/group                    # print local group names only
groups                                    # groups of the current user
groups username                           # groups of a given user
id username                               # uid, primary gid and all groups of a user
getent group groupname                    # show one group and its members
sudo gpasswd -d username groupname        # remove a user from a group
sudo delgroup --only-if-empty groupname   # delete the group, but only if it has no members