The /etc/sudoers
file is what you'd need to edit, and you'd use the visudo
command to edit it.
chmod
is indeed used for file permissions, but you can also use SELinux or AppArmor for more access/role/action based permissions (aka Mandatory Access Controls) instead of just limiting yourself to file permissions (aka Discretionary Access Control). There's also udev rules (for device/sysfs access) and PAM (Pluggable Authentication Modules). Then there's cgroups and namespaces for process limits and sandboxing. Really depends on what you're trying to achieve.
But is there any reason why you're looking into micromanaging service permissions? Most users, or even power users wouldn't need to touch that stuff at all.
If it's in a corporate environment, you'd already be running something like SELinux or similar and you'd apply a baseline security profile that meets various compliance specs. Very rarely would you have to mess with permissions of a service.
If this is for personal stuff, you'd just make use of multiple user accounts (if it's a multi-user system), or just sandboxing (containers, flatpak etc) to run untrustworthy stuff like web browsers. None of this stuff would require you to touch chmod.
Okay so that's different.
nginx only runs the master process as root, but the actual worker processes already run under a low-privileged account called
http
. If you want to run the master process as well as non-root, you can follow the instructions here: https://wiki.archlinux.org/title/nginx#Running_unprivileged_using_systemdTo restrict access to files, you'd be editing the nginx config file, you can read on how to do that in the nginx documentation, or check ServerFault etc.
But the modern Linux world revolves around containers. There's an official Docker image for nginx that you could use if you'd like, and that'd make it a much more secure - and portable option.
Also, I'd recommend checking the Arch Wiki first for anything Linux related - the wealth of knowledge and documentation there is unmatched, and is useful even if you're not running Arch.