group writable web folders with setgid and ACL

Web-accessible folders often need to be set up so that all web developers have write access.

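Combined with the setgid bit, ACLs can ensure that anyone in the web developers' group (named "developers" in the commands below) has write privileges to everything under the web-accessible document root.

Because the default ACL set on each directory is inherited by anything created inside it, this keeps working unless the ACL privileges are specifically revoked.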

To enable ACL, add "acl" option to /etc/fstab file for the corresponding partition and remount.

Edit /etc/fstab:

/dev/mapper/home /home           ext4    defaults,acl        0       2


# mount -o remount /home

Here are the commands to be used for the setup:

# groupadd developers
# chgrp -R developers /path/to/docroot
# find /path/to/docroot -type d -exec chmod g+s {} \;
# find /path/to/docroot -type d -exec setfacl -m g:developers:rwx,d:g:developers:rwx {} \;
# find /path/to/docroot -type f -exec setfacl -m g:developers:rw {} \;

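Now anyone needing write access can be added to the "developers" group. Use -a together with -G so the group is appended; -G alone replaces the user's existing supplementary groups.

# usermod -aG developers {username}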

If you need the webserver to have write access to certain folders, then chown the location to be owned by the webserver, instead of giving write permissions to all.

# chown apache /path/to/docroot/apache
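
To confirm the result of the setup commands above, the following read-only audit lists directories missing the setgid bit or the default group ACL, entries with the wrong group, and world-writable entries. It is an added example, not part of the original post; the function names and the audit.sh file name are made up here, and it assumes find, getfacl and grep are installed.

```sh
#!/bin/sh
# Added example: read-only audit of a docroot prepared as described above.
# Function names are illustrative; nothing here changes permissions.
# Each check takes: <docroot> <group> and prints offending paths.

# Directories without setgid: files created there keep the creator's group.
dirs_missing_setgid() {
    find "$1" -type d ! -perm -2000 -print
}

# Entries whose group is not the shared group (symlinks skipped).
wrong_group() {
    find "$1" ! -type l ! -group "$2" -print
}

# Entries writable by everyone, which the post advises against.
world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# Directories with no default rwx entry for the group: new files created
# inside them would not pick up the group ACL.
dirs_missing_default_acl() {
    find "$1" -type d -exec sh -c '
        getfacl -cp -- "$2" 2>/dev/null |
            grep -q "^default:group:$1:rwx" || printf "%s\n" "$2"
    ' sh "$2" {} \;
}

# Run every check; return 1 if any of them reported a path.
audit_docroot() {
    rc=0
    for check in dirs_missing_setgid wrong_group world_writable \
                 dirs_missing_default_acl; do
        out=$("$check" "$1" "$2")
        if [ -n "$out" ]; then
            printf '== %s ==\n%s\n' "$check" "$out"
            rc=1
        fi
    done
    return "$rc"
}

# Usage: sh audit.sh /path/to/docroot developers
if [ "$#" -eq 2 ]; then
    audit_docroot "$1" "$2"
fi
```

A folder handed to the webserver with chown still passes the group check, since chown changes only the owner.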
