from https://github.com/foobar167/articles/blob/master/Ubuntu/07_Website_software.md/#allow-write
Prepare the `webmasters` group:
# Check that the 'webmasters' group doesn't exist yet
cat /etc/group | grep webmasters
# Create 'webmasters' group
sudo addgroup webmasters
# Add users to 'webmasters' group
sudo usermod -a -G webmasters username
sudo usermod -a -G webmasters malyshevvalery
# Group assignment changes won't take effect
# until the users log out and back in.
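Give the `webmasters` group access to the directories below (write access to the first two, read-only access to `/etc/letsencrypt`). Write access to `/etc/systemd/system` and `/etc/nginx` is close to root access, because unit files and Nginx configuration are normally loaded by processes running as root, so keep the group limited to users who would be trusted with `sudo` anyway: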
# /etc/systemd/system — to start services automatically
# /etc/nginx — for Nginx
# /etc/letsencrypt — for Certbot
# List ACLs
getfacl /etc/nginx/
getfacl /etc/systemd/system
getfacl /etc/letsencrypt
getfacl: Removing leading '/' from absolute path names
# file: etc/systemd/system
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
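# Add 'webmasters' group to an ACL
# Note: -R only changes entries that exist now; add a default ACL (-d) on the
# directories if files created later should get the same group entry.
# Note: 'rwx' also marks regular files as executable for the group; 'rwX' sets
# execute only on directories and on files that are already executable.
# Note: the recursive 'rx' on /etc/letsencrypt makes the certificate private
# keys stored under it readable by every member of the group.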
sudo setfacl -R -m g:webmasters:rwx /etc/nginx
sudo setfacl -R -m g:webmasters:rwx /etc/systemd/system
sudo setfacl -R -m g:webmasters:rx /etc/letsencrypt
# Check
getfacl /etc/nginx
getfacl /etc/systemd/system
getfacl /etc/letsencrypt
getfacl: Removing leading '/' from absolute path names
# file: etc/systemd/system
# owner: root
# group: root
user::rwx
group::r-x
group:webmasters:rwx
mask::rwx
other::r-x
sudo -u username touch /etc/systemd/system/test.txt # should work
sudo -u username touch /etc/systemd/test.txt # Permission denied
Give read permission to the files in the directory `/var/log/nginx`.
# The directory `/var/log/nginx` itself is readable by everyone,
# but the files in it are owned by `www-data` with group `adm`, and others have no access to them.
ls -hal /var/log/nginx
total 560K
drwxr-xr-x 2 root adm 4.0K Aug 7 00:12 .
drwxrwxr-x 14 root syslog 4.0K Aug 7 00:12 ..
-rw-r----- 1 www-data adm 122K Aug 7 10:15 access.log
-rw-r----- 1 www-data adm 26K Aug 5 23:58 access.log.2.gz
-rw-r----- 1 www-data adm 12K Aug 7 10:09 error.log
-rw-r----- 1 www-data adm 808 Aug 5 10:32 error.log.2.gz
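# So add the users to the `adm` group so that they can read the files in `/var/log/nginx`.
# Note: `adm` membership is not limited to Nginx; it also grants read access to
# any other logs under /var/log that are readable by group `adm`.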
cat /etc/group | grep adm
sudo usermod -a -G adm username
sudo usermod -a -G adm malyshevvalery
cat /etc/group | grep adm