Ubuntu – What permissions are needed to write a PID file in /var/run

permissionspidrootUbuntu

On Ubuntu:

touch: cannot touch `/var/run/test.pid': Permission denied

I am starting start-stop-daemon and like to write the PID file in /var/run
start-stop-daemon is run as my-program-user

/var/run setting is drwxr-xr-x  9 root  root

I like to avoid putting my-program-user in the root group.

Best Answer

By default, you can only write to /var/run as a user with an effective user ID of 0 (ie as root). This is for good reasons, so whatever you do, don't go and change the permissions of /var/run... Instead, as root, create a directory under /var/run:

# mkdir /var/run/mydaemon

Then change its ownership to the user/group under which you wish to run your process:

# chown myuser:myuser /var/run/mydaemon

Now specify to use /var/run/mydaemon rather than /var/run.

You can always test this by running a test as the user in question.

Related Solutions

Web app cannot write to a file on the server that seems to have the right permissions

Are you running your Rails application under Apache via mod_rails/passenger?

You may need to set the user that passenger runs the Rails application with "PassengerDefaultUser". Since you mention www-data, I'm assuming an ubuntu or debian server, so this would probably be a separate vhost file in /etc/apache2/sites-available. Add the line:

PassengerDefaultUser www-data

To the correct vhost file. If you don't know which file, run "sudo apache2 -S" to show the available vhosts in the configuration and pick the file that matches the hostname you access the Rails app.

What User Should Own /var/www on Ubuntu 9.04 Server?

So, should www-data user be the owner of /var/www

Why is the apache process run by www-data, but the /var/www owned by root? Is there some risk to making www-data own the folder and run the process?

Your web server is running as www-data. If apache has the ability to write to /var/www and you have configured something incorrectly, or your running a buggy web application, or apache itself has an exploitable bug, then an evil person on the Internet would be able to write things to /var/www. Whenever possible you should always give service accounts the least privileges they need to operate.

is there something even better than the two solutions I've seen?

Create a new group, and change the ownership of the /var/www to root:group. Add all user that need to publish to that folder to the group. You might also want to mark the folder with the setgid bit and adjust the umask of your users so anything they write to this folder will be writable by anyone else in that group.

Best Answer

Related Solutions

Web app cannot write to a file on the server that seems to have the right permissions

What User Should Own /var/www on Ubuntu 9.04 Server?

Related Topic