I am user 'somebody'. I have a typical "Web blob" website ecosystem ( essentially an FS sub-tree starting at Apache's typical "htdocs" directory ).

Its files are owned by 'root', and grouped to 'daemon', for Apache to read and / or execute, while 'root' can also write to them ( they live in '/opt', typically populated by scripts or "installers" invoked as super ).

As 'somebody', I want to create a git repo right there ( in "htdocs" ), to track configuration changes, etc, but I don't wanna run 'git' as super ( I try to avoid running stuff as super where possible ). I don't want to chown / chgrp the files to my username, because arbitrary users shouldn't be mucking about in '/opt/...', right?

So I thought -- why don't I add myself to 'daemon' group, and enable group-write on the files? Isn't that a bit cleaner? But maybe it's not wise to make a regular user part of 'daemon' group, or maybe it's not wise to make 'daemon'-grouped files writable -- I just don't yet know why.

Is there a recommended way to give 'somebody' write access to things that live in '/opt', owned by 'root', and keep them read-only for stuff like Apache in daemon mode, without resorting to ACLs? I don't think so, but I am not a smart man. :-D

( This question is related, but didn't really clear it up for me: User Permissions: Daemon and User ).

1 Answer

The nearest I figured was moving the contents of "htdocs" somewhere else ( in this case, since 'somebody' is the only intended editor of the site, I could park the goodies in e.g. '/home/somebody/some_website-htdocs' ), and then create a symbolic link from the original location pointing to the actual files. Then I can re-own the files to 'somebody' to provide write access, and everything else stays the same ( Apache can still read / ex via group 'daemon' ).

Supposing that makes sense, if I wanted to then extend editing to a number of users, maybe I would create a 'web' user and group, move the "blob" to somewhere in '/home/web/...', link to there instead, then add 'daemon', 'somebody', and any other users to group 'web', and re-mode the files to be group-writable.

This level of control is probably all a bit umstaendlich, but a better answer will probably teach me ( and others who find this question ) a good deal about permission management.
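One way to check who can write under the docroot in either layout described above. This is an added example, not part of the original answer. `writable_by`, `make_demo_tree` and the sample tree are constructed for illustration, and the web server is assumed to run as a non-owner account that shares the files' group.

```shell
#!/bin/sh
# Added example (not from the original post). Lists files and directories under
# ROOT that an account could modify, using the classic owner/group/other check.
# ACLs, root's override and parent-directory traversal are not evaluated.
# usage: writable_by ROOT UID GID[,GID...]   (numeric IDs or names)
writable_by() {
    wb_root=$1; wb_uid=$2; wb_gids=$3
    set --                                  # becomes: -group g1 -o -group g2 ...
    wb_ifs=$IFS; IFS=,
    for g in $wb_gids; do
        if [ $# -gt 0 ]; then set -- "$@" -o; fi
        set -- "$@" -group "$g"
    done
    IFS=$wb_ifs
    # -H follows ROOT itself when it is a symlink, as in the layout above.
    find -H "$wb_root" \( -type f -o -type d \) \( \
        \( -user "$wb_uid" -perm -200 \) -o \
        \( ! -user "$wb_uid" \( "$@" \) -perm -020 \) -o \
        \( ! -user "$wb_uid" ! \( "$@" \) -perm -002 \) \) -print | sort
}

# Constructed sample tree: "owner_only" mirrors the single-editor layout,
# "shared" mirrors the group-writable layout. Prints the tree's path.
make_demo_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/owner_only" "$t/shared"
    : > "$t/owner_only/index.html"; : > "$t/shared/index.html"
    chmod 0750 "$t/owner_only"; chmod 0640 "$t/owner_only/index.html"
    chmod 0770 "$t/shared";     chmod 0660 "$t/shared/index.html"
    echo "$t"
}

tree=$(make_demo_tree)
set -- $(ls -ldn "$tree/shared")            # $3 = owner uid, $4 = group gid
server_uid=$(( $3 + 1 ))                    # hypothetical non-owner account
echo "writable by a non-owner in the files' group (e.g. the web server):"
writable_by "$tree" "$server_uid" "$4"
rm -rf "$tree"
```

Only the group-writable `shared` paths are listed for the non-owner account: once the server's account is a member of the group that has write permission, the content is no longer read-only for it.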
