[systemd-devel] User and Group permissions for .socket files

Lennart Poettering lennart at poettering.net
Mon May 12 09:16:48 PDT 2014


On Mon, 12.05.14 12:03, Umut Tezduyar Lindskog (umut at tezduyar.com) wrote:

> Hi,
> 
> How do we set the user:group of a socket created by .socket file?
> 
> We have thought User= and Group= should do the job but that doesn't
> seem to be the case. Is this a missing feature or should we just set

This is a missing feature. And it is on the TODO list. It's not easy to
fix though. To chmod() sockets properly we need to resolve the
user/group names via NSS first. However, we cannot do NSS from PID1,
since this might deadlock, since NSS frequently involves
talking/activating local services. To properly handle this we hence need
to do the chowning in a temporary child process. Which is a non-trivial
amount of code...

I have always been too lazy to implement this for now, however, we will
soonishly have to add this, since for the kdbus policy we are in a
similar situation (since the per-busname policy we upload also is bound
to UID/GIDs we need to resolve), and if we fix it there, we can
immediately open this up for .sockets too.

> the permissions by ExecStartPost= on .socket file?

Yes, this is the recommended work-around for now.

Lennart

-- 
Lennart Poettering, Red Hat
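
The child-process approach described in the reply above, shown as an added example; it is not systemd's code and not part of the original message. The function name `chown_via_child`, the result codes and the polling deadline are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Hypothetical result codes: >= 0 are the child's exit status. */
enum { CHOWN_OK = 0, CHOWN_NO_USER = 2, CHOWN_NO_GROUP = 3, CHOWN_FAILED = 4,
       CHOWN_ERROR = -1, CHOWN_TIMEOUT = -2 };

/* Resolve names and chown() path in a throwaway child, so a stuck NSS
 * lookup can only hang the child, never the calling manager process. */
int chown_via_child(const char *path, const char *user, const char *group,
                    int timeout_ms)
{
    pid_t pid = fork();
    if (pid < 0)
        return CHOWN_ERROR;
    if (pid == 0) {
        struct passwd *pw = getpwnam(user);   /* NSS lookup, may block */
        if (!pw)
            _exit(CHOWN_NO_USER);
        uid_t uid = pw->pw_uid;
        struct group *gr = getgrnam(group);   /* NSS lookup, may block */
        if (!gr)
            _exit(CHOWN_NO_GROUP);
        _exit(chown(path, uid, gr->gr_gid) == 0 ? CHOWN_OK : CHOWN_FAILED);
    }
    /* Parent polls with a deadline; an event loop would react to SIGCHLD. */
    const struct timespec tick = { 0, 10 * 1000 * 1000 };   /* 10 ms */
    for (int waited_ms = 0;; waited_ms += 10) {
        int status;
        pid_t r = waitpid(pid, &status, WNOHANG);
        if (r == pid)
            return WIFEXITED(status) ? WEXITSTATUS(status) : CHOWN_ERROR;
        if (r < 0 && errno != EINTR)
            return CHOWN_ERROR;
        if (waited_ms >= timeout_ms) {        /* lookup is stuck: give up */
            kill(pid, SIGKILL);
            waitpid(pid, NULL, 0);
            return CHOWN_TIMEOUT;
        }
        nanosleep(&tick, NULL);
    }
}
```

The example assumes a single-threaded caller, since `getpwnam()` is not async-signal-safe after `fork()` in a threaded process.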

