Score:0

Two system services need write access to the same directory - How to correctly set users/groups etc to permit access securely?


I am trying to run two system services, each of which has its own user and creates files owned by that user in a directory under /var/lib. The problem is that I need both services to write their files into the same directory, and a file written by one to be readable by the other.

I was able to work around the problem with chmod 0777 on the directory and all its parents, but that does not feel like a wise long-term solution. Is there a better approach to resolve the permissions? Perhaps by adding both users to the same group?

I am running Ubuntu 20.04 LTS (Focal).

Score:2
raj

There are several options.

Yes, you can add both users to the same group and set write access to this group:

sudo groupadd somegroup
sudo adduser user1 somegroup
sudo adduser user2 somegroup
sudo chgrp somegroup /var/lib/somedir
sudo chmod g+rwx /var/lib/somedir

You can also set the directory to be owned by user1 and belonging to group to which user2 belongs, and then set write access for both owner and group:

# assume group2 is a group to which user2 belongs
sudo chown user1:group2 /var/lib/somedir
sudo chmod ug+rwx /var/lib/somedir

Finally, you can use ACLs. First you have to install the commands to manipulate ACLs:

sudo apt install acl

Then you can, e.g., make the directory owned by user1 and add write access for user2:

sudo chown user1 /var/lib/somedir
sudo chmod u+rwx /var/lib/somedir
sudo setfacl -m u:user2:rwx /var/lib/somedir

Or you can explicitly add access for user1 and user2 regardless of who is the owner of the directory:

sudo setfacl -m u:user1:rwx /var/lib/somedir
sudo setfacl -m u:user2:rwx /var/lib/somedir

BTW, you don't need write access on the parent directories (0777); what you need is only the x (search) permission on each parent directory.
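The shared-group variant from the answer above, carried through as a script with the checks a practitioner would run afterwards. This is an added example, not code from the original post or from raj: the directory, group and file names are placeholders, the real setup must run as root, and the demo at the bottom exercises the same functions on a temporary directory using the caller's own primary group so it can be run unprivileged. Beyond the answer's commands it adds the setgid bit (mode 2770) so files created by either service inherit the shared group rather than the creator's primary group, a default-ACL helper as an alternative, and a walk up the parent chain that confirms only the search bit is needed there.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): set up and check a directory
# shared by two service users. "somegroup" and "/var/lib/somedir" style names
# are placeholders. The real setup runs as root; the functions also work on a
# temporary directory as an ordinary user, which is how the demo below uses them.
set -euo pipefail

# Create or fix the shared directory. Mode 2770 means: owner rwx, group rwx,
# nothing for others, and the setgid bit (the leading 2) so every file and
# subdirectory created inside inherits the group instead of the creator's
# primary group.
setup_shared_dir() {
    local dir="$1" group="$2"
    mkdir -p "$dir"
    chgrp "$group" "$dir"
    chmod 2770 "$dir"
}

# ACL alternative: a default ACL is copied onto files created later, so they
# are group readable/writable regardless of the creating service's umask.
# Needs the acl package and a filesystem mounted with ACL support.
add_default_group_acl() {
    local dir="$1" group="$2"
    setfacl -d -m "g:${group}:rwX" "$dir"
}

# Verify the directory is in the expected state; explains what is off.
verify_shared_dir() {
    local dir="$1" group="$2" mode grp
    mode=$(stat -c %a "$dir")
    grp=$(stat -c %G "$dir")
    [ "$mode" = "2770" ] || { echo "$dir: mode is $mode, expected 2770" >&2; return 1; }
    [ "$grp" = "$group" ]  || { echo "$dir: group is $grp, expected $group" >&2; return 1; }
}

# Parents only need the search (x) bit, not write access. Walks from the
# directory up to / and reports the first ancestor the caller cannot traverse.
# Run it as the service user (sudo -u user1 ...) to check that user's path.
parents_traversable() {
    local p
    p=$(cd "$1" && pwd -P)
    while [ "$p" != "/" ]; do
        p=$(dirname "$p")
        [ -x "$p" ] || { echo "cannot traverse $p (needs x)" >&2; return 1; }
    done
}

# Simulate a service creating a file under a given umask. systemd's default
# UMask= is 0022 (files 0644, world-readable); 0027 gives group-readable 0640.
write_as_service() {
    local file="$1" um="$2"
    ( umask "$um" && printf 'data\n' > "$file" )
}

# Mode (octal, including setgid) and group of a path, for the checks.
file_mode()  { stat -c %a "$1"; }
file_group() { stat -c %G "$1"; }

# Demo on a temp directory with the caller's primary group (constructed input).
demo() {
    local tmp group dir
    tmp=$(mktemp -d)
    group=$(id -gn)
    dir="$tmp/shared"
    setup_shared_dir "$dir" "$group"
    verify_shared_dir "$dir" "$group"
    parents_traversable "$dir"
    write_as_service "$dir/service1.log" 027
    echo "dir:  $(file_mode "$dir") $(file_group "$dir")"
    echo "file: $(file_mode "$dir/service1.log") $(file_group "$dir/service1.log")"
    rm -rf "$tmp"
}
demo
```

Two things the script cannot do for you: supplementary groups are looked up when a service starts, so restart both units after `adduser user1 somegroup` (or put `SupplementaryGroups=somegroup` in each unit instead), and set `UMask=0027` in the units so the files land as 0640 rather than 0644. If you use the default-ACL helper instead, note that once a default ACL exists on the directory the creator's umask is no longer consulted; the default ACL's mask decides the group permissions of new files.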
