Advanced Linux Permissions: chmod, chown, and Access Control Lists (ACLs)

Standard Linux permissions follow the UGO (User, Group, Others) model. While sufficient for basic web hosting, complex production environments on a Hovixa VPS often require more granular control. This guide covers the technical implementation of standard permissions and the use of Access Control Lists (ACLs) to grant specific rights to multiple individual users or groups without altering the primary ownership.

1. The UGO Model and chmod

Every file and directory carries three permission bits, Read (4), Write (2), and Execute (1), and each bit is set separately for three classes: the Owner, the Group, and Everyone else.

Symbolic vs. Numeric chmod:

  • Numeric: chmod 755 script.sh (Owner=rwx, Group=rx, Others=rx).
  • Symbolic: chmod u+x script.sh (Adds execute permission for the owner (u) only, leaving the group and others bits unchanged).

2. Ownership Management with chown

The chown command changes the owner (and, with owner:group syntax, the group) of a file. In a LEMP/LAMP stack, it is critical that the web server user (www-data or nginx) owns the directories it needs to write to, such as wp-content/uploads.

# Change owner to www-data and group to www-data recursively
sudo chown -R www-data:www-data /var/www/html/

3. Granular Control with ACLs

Standard UGO permissions fail when you need to give a second specific user write access to a file without making them the owner or part of the primary group. ACLs solve this by allowing you to "attach" a list of additional permissions to a file.

Implementing ACLs:

First, ensure the acl package is installed on your Hovixa VPS (sudo apt install acl). Use setfacl to modify permissions and getfacl to view them.

# Grant user 'tamir' read/write access to a specific file
setfacl -m u:tamir:rw /var/www/html/config.php

# View the advanced permissions
getfacl /var/www/html/config.php

4. Permission Matrix: UGO vs. ACL

| Requirement | Standard (UGO) | Advanced (ACL) |
|---|---|---|
| Primary Owner | Supported | Supported |
| Multiple Individual Users | No | Yes |
| Default Permissions for New Files | Partial (via umask) | Yes (Inheritance) |
| Complexity | Low | Moderate |

5. Technical Implementation Details

  • Special Bits (SUID/SGID): The SGID (Set Group ID) bit on a directory (chmod g+s) ensures that any new file created within that directory inherits the parent directory's group, rather than the user's default group. This is vital for collaborative web folders.
  • The Sticky Bit: Applied to directories (chmod +t), the sticky bit prevents users from deleting or renaming files they don't own, even if they have write access to the directory (e.g., /tmp).
  • ACL Mask: The mask entry caps the effective permissions of every named-user, named-group and owning-group entry (the owner and others entries are never masked). Even if you give a user rwx, if the mask is r--, the user will only have read access. setfacl recalculates the mask each time you modify an entry unless you pass -n, and a plain chmod on the group bits rewrites the mask, so check the #effective annotations in getfacl output after any change.
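As an added example that is not part of the original article, the following Python script parses the text format getfacl prints and applies the mask rule described in section 5 to the ACL from section 3, showing which permissions each entry actually grants. The sample getfacl output, path and user names below are constructed for illustration.

```python
# Constructed getfacl output (not from a real server): 'tamir' was granted
# rw-, but the mask is r--, so getfacl would annotate the entry "#effective:r--".
SAMPLE_GETFACL = """\
# file: var/www/html/config.php
# owner: www-data
# group: www-data
user::rw-
user:tamir:rw-
group::r--
group:developers:rwx
mask::r--
other::r--
"""

# Entry classes the mask limits: named users, named groups and the owning
# group. The file owner (user::) and other:: are never masked.
MASKED = {("user", True), ("group", True), ("group", False)}


def parse_getfacl(text):
    """Return (tag, qualifier, perms) tuples; comments and annotations dropped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drops '# file:' and '#effective:'
        if not line or line.startswith("default:"):  # default (inherited) entries skipped
            continue
        tag, qualifier, perms = line.split(":")
        entries.append((tag, qualifier, perms))
    return entries


def apply_mask(perms, mask):
    """Intersect two rwx strings, e.g. apply_mask('rw-', 'r--') -> 'r--'."""
    return "".join(p if p == m else "-" for p, m in zip(perms, mask))


def effective_permissions(text):
    """Map 'tag:qualifier' -> the permissions the kernel actually enforces."""
    entries = parse_getfacl(text)
    mask = next((p for t, _, p in entries if t == "mask"), None)
    effective = {}
    for tag, qualifier, perms in entries:
        if mask and (tag, bool(qualifier)) in MASKED:
            perms = apply_mask(perms, mask)
        effective[f"{tag}:{qualifier}"] = perms
    return effective

if __name__ == "__main__":
    for entry, perms in effective_permissions(SAMPLE_GETFACL).items():
        print(f"{entry:<20} {perms}")
```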

Sysadmin Advice: When moving files between servers, standard permissions are usually preserved, but ACLs may be stripped unless you use specific flags (e.g., `rsync -A`). Always verify with **getfacl** after a migration to ensure your custom security rules are intact.
