Linux permissions for services

Question

How do permissions work for services in Linux? I already know that I can set read, write and execute permissions for files and directories with chmod each for owner, group and other users but how do permissions work for a running service? How can I see what permissions a service has on particular files/directories?

Answer 1

A service is bound by regular permission restrictions. It all depends on what user the service runs as. Services are just regular processes that are always running.

For example,

$ ps aux | grep apache2
root      2845  0.0  0.2  75596  4508 ?        Ss   Sep06   0:19 /usr/sbin/apache2 -k start
www-data 25608  0.0  0.1  74428  2232 ?        S    Sep09   0:00 /usr/sbin/apache2 -k start
www-data 25609  0.0  0.1  75596  2288 ?        S    Sep09   0:02 /usr/sbin/apache2 -k start
www-data 25610  0.0  0.4 2003664 8436 ?        Sl   Sep09   0:37 /usr/sbin/apache2 -k start
www-data 25611  0.0  0.4 2003788 8584 ?        Sl   Sep09   0:36 /usr/sbin/apache2 -k start
www-data 25700  0.0  0.4 2003648 8528 ?        Sl   Sep09   0:36 /usr/sbin/apache2 -k start

You can see that the service is run by root and by www-data. Apache uses the root process only for binding to port 80 (or whatever port you've configured). Recall that binding to ports < 1024 requires you to be root.

For security, though, Apache hands off all request processing to processes that run as www-data. What these processes can access is up to you. If your file permissions in your document root don't permit www-data to access the files, Apache won't be able to serve them.

This is the same for any service; typically they have

• A process running as root (if they must bind to a port < 1024; not all services have a root process, though) which delegates tasks to the less-privileged user
• A process running as a user they created (bind for BIND, www-data for Apache, proftpd for proftpd, etc.). Keep in mind that the names of these vary by system (Apache sometimes runs as apache or apache2 instead of www-data).

Some processes run as nobody instead of as a specific user, though. This can be a bad idea, but it depends on the process and what it's doing.

These are just general rules; some processes even run entirely as root (such as sshd, although it will use a user process when someone connects). Use ps aux to see what user a process is running under.