Linux permissions for services

--------------------------------------------------
Hire the world's top talent on demand or became one of them at Toptal: https://topt.al/25cXVn
and get $2,000 discount on your first invoice
--------------------------------------------------

Take control of your privacy with Proton's trusted, Swiss-based, secure services.
Choose what you need and safeguard your digital life:
Mail: https://go.getproton.me/SH1CU
VPN: https://go.getproton.me/SH1DI
Password Manager: https://go.getproton.me/SH1DJ
Drive: https://go.getproton.me/SH1CT

Music by Eric Matyas
https://www.soundimage.org
Track title: Cool Puzzler LoFi

--

Chapters
00:00 Linux Permissions For Services
00:22 Accepted Answer Score 7
02:11 Thank you

--

Full question
https://superuser.com/questions/472219/l...

--

Content licensed under CC BY-SA
https://meta.stackexchange.com/help/lice...

--

Tags
#linux #permissions #services #daemon

#avk47

ACCEPTED ANSWER

Score 7

A service is bound by regular permission restrictions. It all depends on what user the service runs as. Services are just regular processes that are always running.

For example,

$ ps aux | grep apache2
root      2845  0.0  0.2  75596  4508 ?        Ss   Sep06   0:19 /usr/sbin/apache2 -k start
www-data 25608  0.0  0.1  74428  2232 ?        S    Sep09   0:00 /usr/sbin/apache2 -k start
www-data 25609  0.0  0.1  75596  2288 ?        S    Sep09   0:02 /usr/sbin/apache2 -k start
www-data 25610  0.0  0.4 2003664 8436 ?        Sl   Sep09   0:37 /usr/sbin/apache2 -k start
www-data 25611  0.0  0.4 2003788 8584 ?        Sl   Sep09   0:36 /usr/sbin/apache2 -k start
www-data 25700  0.0  0.4 2003648 8528 ?        Sl   Sep09   0:36 /usr/sbin/apache2 -k start

You can see that the service is run by root and by www-data. Apache uses the root process only for binding to port 80 (or whatever port you've configured). Recall that binding to ports < 1024 requires you to be root.

For security, though, Apache hands off all request processing to processes that run as www-data. What these processes can access is up to you. If your file permissions in your document root don't permit www-data to access the files, Apache won't be able to serve them.

This is the same for any service; typically they have

A process running as root (if they must bind to a port < 1024; not all services have a root process, though) which delegates tasks to the less-privileged user
A process running as a user they created (bind for BIND, www-data for Apache, proftpd for proftpd, etc.). Keep in mind that the names of these vary by system (Apache sometimes runs as apache or apache2 instead of www-data).

Some processes run as nobody instead of as a specific user, though. This can be a bad idea, but it depends on the process and what it's doing.

These are just general rules; some processes even run entirely as root (such as sshd, although it will use a user process when someone connects). Use ps aux to see what user a process is running under.