How do permissions work for services in Linux? I already know that I can set read, write and execute permissions for files and directories with chmod each for owner, group and other users but how do permissions work for a running service? How can I see what permissions a service has on particular files/directories?

1 Answer

A service is bound by regular permission restrictions. It all depends on what user the service runs as. Services are just regular processes that are always running.

For example,

$ ps aux | grep apache2
root      2845  0.0  0.2  75596  4508 ?        Ss   Sep06   0:19 /usr/sbin/apache2 -k start
www-data 25608  0.0  0.1  74428  2232 ?        S    Sep09   0:00 /usr/sbin/apache2 -k start
www-data 25609  0.0  0.1  75596  2288 ?        S    Sep09   0:02 /usr/sbin/apache2 -k start
www-data 25610  0.0  0.4 2003664 8436 ?        Sl   Sep09   0:37 /usr/sbin/apache2 -k start
www-data 25611  0.0  0.4 2003788 8584 ?        Sl   Sep09   0:36 /usr/sbin/apache2 -k start
www-data 25700  0.0  0.4 2003648 8528 ?        Sl   Sep09   0:36 /usr/sbin/apache2 -k start

You can see that the service is run by root and by www-data. Apache uses the root process only for binding to port 80 (or whatever port you've configured). Recall that binding to ports < 1024 requires you to be root.

For security, though, Apache hands off all request processing to processes that run as www-data. What these processes can access is up to you. If your file permissions in your document root don't permit www-data to access the files, Apache won't be able to serve them.

This is the same for any service; typically they have

  • A process running as root (if they must bind to a port < 1024; not all services have a root process, though) which delegates tasks to the less-privileged user
  • A process running as a user they created (bind for BIND, www-data for Apache, proftpd for proftpd, etc.). Keep in mind that the names of these vary by system (Apache sometimes runs as apache or apache2 instead of www-data).

Some processes run as nobody instead of as a specific user, though. This can be a bad idea, but it depends on the process and what it's doing.

These are just general rules; some processes even run entirely as root (such as sshd, although it will use a user process when someone connects). Use ps aux to see what user a process is running under.
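To answer the second half of the question (which permissions a running service actually has on a given path), here is an added example that is not part of the original answer: a small POSIX shell script that reads a process's effective uid, gid and supplementary groups from /proc/PID/status and applies the path's owner/group/other mode bits to that identity. It assumes Linux with GNU coreutils `stat -c`, and it ignores ACLs, capabilities, SELinux/AppArmor and root's override, so what it prints is the classic-permission lower bound, not the whole story.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumes Linux (/proc) and
# GNU coreutils `stat -c`. Reports what a running process can do to a path
# under the classic owner/group/other mode bits. Ignores ACLs, capabilities,
# SELinux/AppArmor and root's override, so it is the DAC lower bound only.

# Effective uid, effective gid and supplementary gids from /proc/PID/status.
# Relevant lines: "Uid: real effective saved fs" and "Groups: g1 g2 ...".
proc_euid()   { awk '/^Uid:/    {print $3}' "/proc/$1/status"; }
proc_egid()   { awk '/^Gid:/    {print $3}' "/proc/$1/status"; }
proc_groups() { awk '/^Groups:/ {$1=""; print}' "/proc/$1/status"; }
# in_list NEEDLE [ITEM...] -> exit 0 if NEEDLE is one of the items.
in_list() { n=$1; shift; for i in "$@"; do [ "$i" = "$n" ] && return 0; done; return 1; }

# Octal digit (0-7) of the permission class that applies to an identity.
# Usage: class_bits UID GID "SUPP_GIDS" PATH
class_bits() {
    uid=$1 gid=$2 supp=$3 path=$4
    set -- $(stat -c '%a %u %g' "$path")   # mode owner group
    owner=$2 group=$3
    mode=$(printf '%03d' "$1")             # "0" -> "000", "4755" stays as is
    mode=${mode#"${mode%???}"}             # keep last 3 digits: drop suid/sgid/sticky
    if [ "$uid" = "$owner" ]; then         # owner class applies even if it grants less
        printf '%s\n' "$mode" | cut -c1
    elif [ "$gid" = "$group" ] || in_list "$group" $supp; then
        printf '%s\n' "$mode" | cut -c2
    else
        printf '%s\n' "$mode" | cut -c3
    fi
}

# Render a class digit the way ls -l does.
rwx() {
    case $1 in
        0) s='---';; 1) s='--x';; 2) s='-w-';; 3) s='-wx';;
        4) s='r--';; 5) s='r-x';; 6) s='rw-';; 7) s='rwx';; *) s='???';;
    esac
    printf '%s\n' "$s"
}

# service_access PID PATH -> one line: who the process runs as and its rwx on PATH.
service_access() {
    pid=$1 path=$2
    uid=$(proc_euid "$pid"); gid=$(proc_egid "$pid")
    bits=$(class_bits "$uid" "$gid" "$(proc_groups "$pid")" "$path")
    name=$(id -nu "$uid" 2>/dev/null || printf '?')
    printf '%s (uid %s, gid %s) on %s: %s\n' "$name" "$uid" "$gid" "$path" "$(rwx "$bits")"
}
# Example: service_access "$(pgrep -o apache2)" /var/www/html
```

Run it against one of the www-data PIDs from the ps output above and your document root to see the effective rwx; a result of `---` on the document root is exactly the "Apache won't be able to serve them" case.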

  • Thanks man! That's exactly what I was looking for... another question, how can I change the user for a process?
    – Gigitsu
    Commented Sep 10, 2012 at 8:30
  • @Gigitsu that depends on the service; for Apache, for example, you need to change APACHE_RUN_USER and APACHE_RUN_GROUP. You'll have to check the documentation for the service you're looking at, since it's different for each one.
    Commented Sep 10, 2012 at 8:32
  • Well, sorry to digress, but I notice that haproxy can run as haproxy (not as root) and bind TCP port 80. How is this achieved? Any enlightenment?
    – kiiwii
    Commented Jul 4, 2014 at 4:31
  • @kiiwii superuser.com/questions/710253/…
    Commented Nov 27, 2019 at 12:11
