Meaning of systemd “Group” option

Tags: file-permissions, process, systemd

Here:

http://man7.org/linux/man-pages/man5/systemd.exec.5.html

There's a nice explanation stating there is something like "group that the processes are executed as". However, I could not find what this exactly is. I noticed that setting the "Group" option in the systemd script changes permission on where files can be created. That is, without the option I was allowed to write a certain file, but with it I was not.

This suggests that the "group that the processes are executed as" does more than just determine what the group of newly created files is; it also elevates or reduces permissions.

Unfortunately, there is also something called a "process group" which is like a set of processes, which would not change permissions and rights I would think. But this makes the feature harder to google.

Could someone explain to me what the "group that the processes are executed as" is?

Best Answer

"Group" there means "Unix group", referring to groups defined in /etc/group. Along with the User= directive, Group= sets the Unix user and group that a process is executed as.

The usual Unix permission model applies, so if you are running a "user service" from ~/.config/systemd, it's only valid to specify groups that the user is a member of.

From Multi-User Ownership and Permissions on Unix/Linux:

processes also belong to a specific userid and group; this determines who is allowed to do what to a file (or directory which is a type of file), and which files a particular process is allowed to read, write or execute.

In practice, services that don't run as root tend to run as a user that is associated with a single group, making the Group= directive not particularly meaningful. For example, the MongoDB database runs as the mongodb user and the mongodb group. What matters there is that the group is unique so that what the MongoDB process can access is maximally limited.
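As an added illustration (not code from the answer, from systemd, or from the kernel): a small model of the classic mode-bit access check, showing why the effective uid/gid that User=/Group= assign to a service decide whether it may write into a directory. The uids, gids, modes and the supplementary-group set are constructed for the scenario; ACLs, capabilities beyond the root bypass, and MAC are left out.

```python
"""Model of the Unix mode-bit access check, as applied to a service whose
identity was set by systemd's User= and Group=. Constructed example."""
from dataclasses import dataclass
import stat


@dataclass
class Inode:
    uid: int
    gid: int
    mode: int  # permission bits only, e.g. 0o775


@dataclass
class Process:
    euid: int
    egid: int  # primary group: what Group= (or the user's default group) sets
    groups: frozenset = frozenset()  # supplementary groups, also consulted


def may_access(proc: Process, inode: Inode, want: str) -> bool:
    """want is a subset of 'rwx'. Root (euid 0) bypasses the mode bits,
    except that execute still needs at least one x bit set (kernel rule)."""
    if proc.euid == 0:
        return 'x' not in want or (inode.mode & 0o111) != 0
    # Exactly one class of bits applies: owner, else group, else other.
    # A matching owner class is used even if the group class would be wider.
    if proc.euid == inode.uid:
        shift = 6
    elif proc.egid == inode.gid or inode.gid in proc.groups:
        shift = 3
    else:
        shift = 0
    bits = (inode.mode >> shift) & 0o7
    need = sum(v for c, v in (('r', 4), ('w', 2), ('x', 1)) if c in want)
    return bits & need == need


# Constructed scenario: user 'app' (uid 1000, default gid 1000, no other
# groups) creating files in a directory owned root:webdata (gid 2000), 0775.
SPOOL = Inode(uid=0, gid=2000, mode=stat.S_IRWXU | stat.S_IRWXG | 0o5)


def without_group_directive() -> bool:
    # User=app, Group= unset: primary group is app's default group (1000).
    proc = Process(euid=1000, egid=1000, groups=frozenset({1000}))
    return may_access(proc, SPOOL, 'wx')  # creating a file needs w+x on the dir


def with_group_directive() -> bool:
    # User=app, Group=webdata: primary group overridden to 2000.
    proc = Process(euid=1000, egid=2000, groups=frozenset({1000}))
    return may_access(proc, SPOOL, 'wx')


if __name__ == '__main__':
    print('Group= unset ->', without_group_directive())   # False
    print('Group=webdata ->', with_group_directive())     # True
```

The same check run the other way round (a directory writable only by the user's default group, and Group= pointing elsewhere) reproduces the loss of access described in the question.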
