2.e. acl permission

setfacl, getfacl Fine-grained ACL permissions.

What You Will Learn

1. Understand what **Access Control Lists (ACLs) are and why they go beyond traditional Linux permissions.
2. Learn how to apply **fine-grained permissions with setfacl.
3. Use getfacl to view existing ACL rules.
4. Differentiate between **basic permissions (chmod/chown) and ACLs.
5. Apply ACLs to **WordPress folders (uploads, cache, logs).
6. Set **default ACLs so new files inherit the right permissions.
7. Troubleshoot conflicts between ACLs and traditional permissions.
8. Implement ACLs in **real-world WordPress scenarios (multi-user teams, dev vs prod).

Prerequisites

• **Access Level: sudo required for managing ACLs.
• **Software: acl package (install with sudo apt install acl).
• **Knowledge: Basic Linux file permissions, ownership, and directory structure.

5W + 1H Framework

Question	Answer
What	ACLs (setfacl, getfacl) provide per-user/group fine-grained access beyond chmod/chown.
Why	WordPress often needs writable dirs (uploads/cache). ACLs allow granting write to specific users/groups without loosening global perms.
When	Multi-developer setups, CI/CD pipelines, shared environments, staging/production workflows.
Where	Common in /var/www/html/wp-content/uploads, /var/www/html/wp-content/cache, and logs.
Who	Sysadmins, DevOps, developers collaborating on WordPress hosting.
How	Apply setfacl -m for specific rules, verify with getfacl, and set defaults with -d.

Key Commands Overview

Command	Purpose	Example
setfacl -m u:username:rwx file	Add ACL rule for a user	setfacl -m u:ubuntu:rwx wp-content/uploads/
setfacl -m g:groupname:rw file	Add ACL rule for a group	setfacl -m g:developers:rw style.css
setfacl -x u:username file	Remove ACL entry	setfacl -x u:ubuntu wp-content/uploads/
setfacl -b file	Remove all ACLs (reset)	setfacl -b wp-content/uploads/
setfacl -m d:u:username:rw dir	Set default ACL for new files in a directory	setfacl -m d:u:www-data:rw wp-content/uploads/
getfacl file	View ACL rules	getfacl wp-content/uploads/

ACL Syntax Structure

ENTITY:IDENTITY:PERMISSIONS

• ENTITY:
• u = user
• g = group
• m = mask (limits max rights for users/groups except owner/root)
• o = others
• **IDENTITY: username or group name
• **PERMISSIONS: r (read), w (write), x (execute)

Example:

setfacl -m u:devuser:rw wp-content/uploads/

Grants devuser read/write on uploads/.

Practical WordPress Use Cases

Scenario	Command	Outcome
Give developer write access to uploads	setfacl -m u:devuser:rwx wp-content/uploads/	Dev can upload/edit media without changing global perms.
Ensure web server can always write logs	setfacl -m u:www-data:rw wp-content/debug.log	Apache/Nginx can log without ownership hacks.
Default ACL for all new upload files	setfacl -d -m u:www-data:rwx wp-content/uploads/	Every new image inherits write perms for www-data.
Grant group access to themes dir	setfacl -m g:developers:rw wp-content/themes/	Dev group edits themes without sudo.
Reset ACLs if misconfigured	setfacl -b -R wp-content/uploads/	Clears all ACLs.

Command Examples with Expected Outputs

Add User ACL

setfacl -m u:ubuntu:rw wp-content/uploads/
getfacl wp-content/uploads/

Output:

# file: wp-content/uploads/
# owner: www-data
# group: www-data
user::rwx
user:ubuntu:rw-
group::r-x
mask::rwx
other::r-x

Add Group ACL

setfacl -m g:developers:rw wp-content/themes/
getfacl wp-content/themes/

Output:

# file: wp-content/themes/
user::rwx
group::r-x
group:developers:rw-
mask::rwx
other::r-x

Default ACL for Uploads

setfacl -d -m u:www-data:rwx wp-content/uploads/
getfacl wp-content/uploads/

Output (default section):

default:user::rwx
default:user:www-data:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

Remove ACL Entry

setfacl -x u:ubuntu wp-content/uploads/

**Effect: Removes ACL entry for ubuntu.

Reset All ACLs

setfacl -b -R wp-content/uploads/

**Effect: ACLs cleared, falls back to chmod/chown.

Benefits in WordPress Context

Action	Benefit
ACL on uploads/	PHP/webserver can write, devs can edit, no global loosening needed.
ACL on debug.log	Avoids “permission denied” without making file 666.
Default ACLs	Future-proof: new files auto-inherit correct perms.
Group ACLs	Team collaboration without 777.
Mask control	Fine-tune max allowed rights (safer multi-user).

Implementation Steps

1. Check ACL Support:

   mount | grep acl
   

Ensure filesystem mounted with acl.

2. Install ACL Tools:

   sudo apt install acl
   

3. Apply ACLs:

   setfacl -m u:devuser:rw wp-content/uploads/
   

4. Set Defaults:

   setfacl -d -m u:www-data:rwx wp-content/uploads/
   

5. Verify:

   getfacl wp-content/uploads/
   

Troubleshooting Matrix

Symptom	Cause	Fix
ACL ignored	Filesystem not mounted with acl	Remount with defaults,acl in /etc/fstab.
ACL set but user denied	Mask more restrictive than ACL	Run setfacl -m m:rwx file to widen mask.
Confusion after migration	ACLs not preserved by default	Use rsync -A to copy ACLs.
Mixed perms (chmod + ACL)	ACLs override chmod in some cases	Always check getfacl when debugging.

Quick Lab

cd /var/www/html/wp-content

# 1) Give dev user rwx to uploads
setfacl -m u:devuser:rwx uploads/

# 2) Give www-data rwx to debug.log
touch debug.log
setfacl -m u:www-data:rw debug.log

# 3) Set default ACL for uploads
setfacl -d -m u:www-data:rwx uploads/

# 4) Verify
getfacl uploads/
getfacl debug.log

Expected Results:

• uploads/ shows ACL for devuser and default ACL for www-data.
• debug.log lists user:www-data:rw-.

Cheat Sheet

Command	Purpose
setfacl -m u:USERNAME:PERMS file	Add user ACL
setfacl -m g:GROUP:PERMS file	Add group ACL
setfacl -x u:USERNAME file	Remove user ACL
setfacl -b file	Remove all ACLs
setfacl -d -m u:USERNAME:PERMS dir	Default ACL for new files
getfacl file	View ACLs
rsync -A	Preserve ACLs during sync

Mini Quiz

1. Whats the difference between chmod and setfacl?
2. Why might you prefer ACLs over 777 for uploads/?
3. How do you view current ACLs on a directory?
4. Whats the role of the **mask in ACLs?
5. Which rsync flag ensures ACLs are preserved during migration?