Allow writing to a directory for an unprivileged user using Linux ACLs (setfacl).


Allow the user gitlab-runner to write to /var/www/

setfacl --recursive --modify u:gitlab-runner:rwX,d:u:gitlab-runner:rwX /var/www/
  • The d:... syntax means “default”. This way, new files and directories created under /var/www/ get the ACL too.

  • The X in rwX is uppercase, meaning that directories get execute but files do not (unless a file already has an execute bit set for some user).
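As an added example (not part of these notes), the script below applies the same rwX plus default ACL to a scratch directory and checks the inheritance behaviour described above: a new subdirectory gets rwx, a new regular file only rw-. The numeric uid 4242 is a constructed stand-in for gitlab-runner so the check runs without that account, and the function names are chosen here.

```shell
#!/bin/sh
# Added example, not part of the original notes: apply the rwX + default ACL
# to a scratch directory, then confirm that a new subdirectory inherits rwx
# while a new regular file ends up with rw- only.
# Assumption: uid 4242 is a constructed placeholder for gitlab-runner, so the
# check works even though that account does not exist on this machine.
set -u

ACL_UID=4242   # constructed placeholder uid

# Print the effective permissions ACL_UID has on $1 ("rw-", "rwx", ...).
# getfacl appends "#effective:..." when the mask narrows an entry, so the
# last colon-separated field is always the effective value.
acl_perms_for_uid() {
    getfacl -n -p "$1" 2>/dev/null |
        awk -F: -v u="$ACL_UID" '$1 == "user" && $2 == u { print $NF; exit }'
}

# 0: inheritance behaves as the notes describe; 1: mismatch or ACL error
# (e.g. a filesystem without ACL support); 2: acl tools not installed.
check_acl_inheritance() {
    command -v setfacl >/dev/null 2>&1 && command -v getfacl >/dev/null 2>&1 || return 2
    root=$(mktemp -d) || return 1
    # Same command shape as the notes, with the uid in place of the user name.
    if ! setfacl --recursive --modify "u:$ACL_UID:rwX,d:u:$ACL_UID:rwX" "$root"; then
        rm -rf "$root"; return 1
    fi
    mkdir "$root/site" && : > "$root/site/index.html" || { rm -rf "$root"; return 1; }
    dir_perms=$(acl_perms_for_uid "$root/site")
    file_perms=$(acl_perms_for_uid "$root/site/index.html")
    rm -rf "$root"
    # The file inherits the default entry as rwx, but the mask derived from the
    # creation mode (0666) limits it, so the effective permission is rw-.
    [ "$dir_perms" = "rwx" ] && [ "$file_perms" = "rw-" ]
}

if check_acl_inheritance; then
    echo "ACL inheritance check passed"
else
    echo "ACL inheritance check failed or could not run (rc=$?)"
fi
```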


The user caddy should only be able to read anything in /var/www/, so it gets rX (no w), and the same as a default entry for new files and directories:

setfacl --recursive --modify u:caddy:rX,d:u:caddy:rX /var/www/

Show ACLs

getfacl /var/www/

Delete ACL

For example, to remove the gitlab-runner write ACL set above:

setfacl --recursive --remove u:gitlab-runner,d:u:gitlab-runner /var/www/

Note that the mode (rwX) is not given when removing: --remove (-x) takes only the entry type and qualifier. This leaves the mask entry and any other ACL entries in place; --remove-all (-b) strips all extended ACL entries, and --remove-default (-k) strips only the default ones.