0

I have a folder /home/zain/uploads/hash/

In uploads, one of my services, which is running with forever-service, is creating a hash folder and putting a file inside it.

The problem is that it is creating the hash folder and the file inside it as the root user with 700 access, since it is running with forever-service.

But when I try to access it through my nginx, it gives me 403 Forbidden.

My nginx user is opc.

If I change the owner or group manually then I can access that file, so I don't want to change permissions manually every time.

How can I solve the problem?

Yaron
  • 4,289
  • How do you execute forever-service? You should change the service user-id to be opc... or update it, to change the output files to be owned by opc – Yaron Aug 07 '18 at 10:33
  • @Yaron forever-service must be run as root; it gives me this error when I try to run it with opc – Zain Abbas Aug 07 '18 at 10:37
  • Can you update the service run by forever-service to execute chown opc -R /home/zain/uploads/hash and/or chmod 755 -R /home/zain/uploads/hash as its last steps? – Yaron Aug 07 '18 at 10:42
  • @Yaron Nope, I can't edit that script... I also had a similar thought of creating a cron job which checks for new files and changes their permissions... but that doesn't seem the right way. – Zain Abbas Aug 07 '18 at 10:50
  • cross-posting: https://askubuntu.com/questions/1063146/linux-file-permissions-for-other-user-as-root-to-read-and-execute – pLumo Aug 07 '18 at 11:28
  • @Yaron it supports a "runasuser" option, but this "function getForeverRoot(user){" https://github.com/zapty/forever-service/commit/58f0800f2a0ebccd8839f754b688debfaeeedc1c seems to require getuid to be 0. I would assume that test needs to be done only when user=null :P Seems a bug to me – Rinzwind Aug 07 '18 at 13:02

2 Answers

0

I can see two options:

  • Run the service as a different user, but use capabilities. root has been broken up into many capabilities; if the service is written well (does not unnecessarily try to do security itself, but lets the kernel do it), then it should work with capabilities.
  • Use file access control lists, with defaults, so that the other user is added with read (maybe write) permissions.

See "What are the different ways to set file permissions etc on gnu/linux" for a list of ways that modern Linux does permissions.

0

It may be sufficient to change the umask of the process creating the files.

RalfFriedl
  • 8,981
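An added illustration of both answers (the default-ACL option from the first and the umask option from the second); this is not code from either answerer. It works in a constructed temporary directory standing in for /home/zain/uploads, and the uid 1001 is a placeholder for the opc user.

```shell
#!/bin/sh
# Added example, not from the question or answers. The sandbox directory is
# constructed; NGINX_UID is an assumed placeholder for the uid of "opc".
set -u
NGINX_UID="${NGINX_UID:-1001}"

# Create one file under the given umask and return its mode string.
# cut strips the trailing "+" or "." that ls adds for ACL/SELinux labels.
perms_with_umask() {
    mask="$1"
    dir=$(mktemp -d)
    ( umask "$mask"; : > "$dir/upload.bin" )   # subshell confines the umask
    mode=$(ls -l "$dir/upload.bin" | cut -c1-10)
    rm -rf "$dir"
    printf '%s\n' "$mode"
}

# Option from the second answer: a wrapper handed to forever-service instead
# of the unmodifiable service script, so files it creates are world-readable.
#   #!/bin/sh
#   umask 022
#   exec node /path/to/service.js     # placeholder path

# Option from the first answer: a default ACL on the uploads directory.
# "u:" lets opc traverse the existing directory; "d:u:" is inherited by the
# hash subdirectories and files root creates under it, whatever the umask.
# Returns 0 when applied, 2 when setfacl is not installed.
apply_default_acl() {
    uploads="$1"
    command -v setfacl >/dev/null 2>&1 || return 2
    setfacl -m "u:${NGINX_UID}:rx,d:u:${NGINX_UID}:rx" "$uploads"
}

# Check that the inherited entry is still effective on a created file. If the
# service explicitly chmods 700 after creating the file, the ACL mask is
# cleared and getfacl annotates the entry with "#effective:---".
acl_effective_for_uid() {
    line=$(getfacl "$1" 2>/dev/null | grep "^user:${NGINX_UID}:") || return 1
    case "$line" in *'#effective:---'*) return 1 ;; esac
    return 0
}
```

Run `getfacl` on a file the service created after applying the ACL: an entry shown with `#effective:---` means the service sets the mode itself and only the umask or a capability-based approach will help.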