66

On Ubuntu:

touch: cannot touch `/var/run/test.pid': Permission denied

I am starting start-stop-daemon and would like to write the PID file in /var/run. start-stop-daemon is run as my-program-user.

The permissions on /var/run are drwxr-xr-x 9 root root

I would like to avoid putting my-program-user in the root group.

mhucka
s5804

7 Answers

88

By default, you can only write to /var/run as a user with an effective user ID of 0 (i.e. as root). This is for good reasons, so whatever you do, don't go and change the permissions of /var/run. Instead, as root, create a directory under /var/run:

# mkdir /var/run/mydaemon

Then change its ownership to the user/group under which you wish to run your process:

# chown myuser:myuser /var/run/mydaemon

Now configure your program to use /var/run/mydaemon rather than /var/run.

You can always test this by running a test as the user in question.

upasaka
17

mkdir /var/run/mydaemon
chown myuser:myuser /var/run/mydaemon

this will not work, since it will be lost at the next reboot (/var/run is a tmpfs on Ubuntu).

The only feasible solution is to run mkdir and chmod as part of the startup scripts.

voretaq7
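As an added example (not from upasaka's or voretaq7's answers, and not Ubuntu's own init scripts): an init-script start routine that puts the two answers together. It recreates the per-daemon subdirectory on every start, because /var/run is a tmpfs and a directory made by hand is gone after the next reboot, then points start-stop-daemon's PID file into that directory. The names mydaemon, myuser, the binary path and the RUN_BASE override are assumptions for the example.

```shell
#!/bin/sh
# Added example, not code from the original answers. Assumed names: the daemon
# is "mydaemon" living in /usr/local/bin, it runs as "myuser", and RUN_BASE
# can be overridden so the routine can be exercised without root.
DAEMON_NAME="${DAEMON_NAME:-mydaemon}"
DAEMON_USER="${DAEMON_USER:-myuser}"
DAEMON_GROUP="${DAEMON_GROUP:-$DAEMON_USER}"
RUN_BASE="${RUN_BASE:-/var/run}"

# Create $RUN_BASE/$DAEMON_NAME owned by the service user with mode 0750 and
# print its path. Idempotent, so it is safe to run on every start, which is
# exactly what a tmpfs /var/run requires. /var/run itself is left untouched.
ensure_rundir() {
    rundir="$RUN_BASE/$DAEMON_NAME"
    mkdir -p "$rundir" || return 1
    # Only root can hand the directory to another user; when run unprivileged
    # (tests, or a directory that is already ours) the chown is skipped.
    if [ "$(id -u)" -eq 0 ]; then
        chown "$DAEMON_USER:$DAEMON_GROUP" "$rundir" || return 1
    fi
    chmod 0750 "$rundir" || return 1
    printf '%s\n' "$rundir"
}

# The PID file lives inside the per-daemon directory, never directly in /var/run.
pidfile_path() {
    printf '%s/%s.pid\n' "$RUN_BASE/$DAEMON_NAME" "$DAEMON_NAME"
}

# Start the daemon. start-stop-daemon itself runs as root from the init script;
# --chuid drops to the service user, and --pidfile points into the directory
# that user owns, so no write to /var/run is ever attempted as a non-root user.
start_daemon() {
    ensure_rundir >/dev/null || return 1
    start-stop-daemon --start --quiet \
        --chuid "$DAEMON_USER" \
        --pidfile "$(pidfile_path)" \
        --make-pidfile --background \
        --exec "/usr/local/bin/$DAEMON_NAME"
}

case "${1:-}" in
    start) start_daemon ;;
esac
```

Because the directory is (re)created inside the start routine, the fix survives a reboot; the chown also happens before privileges are dropped, so the service user never needs to be in the root group.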
6

In systemd-managed distributions, such as Ubuntu, no permissions are needed, and none are desirable.

On such systems, by design, all non-interactive services that could possibly need such access are either launched from a root-owned process or use a per-user runtime directory. All permission matters can and will be taken care of by the manager service.

No system-wide program will ever write to /run directly; instead it has a writeable directory provisioned for it by the system manager, only the latter having the permission to do so. The relevant configuration in an identifier.service file reads

[Service]
RuntimeDirectory=identifier

When started as a system service, this results in a directory /run/identifier being created; when started from a non-root user, a directory /run/[UID]/identifier. Both directories are, by default, set up such that the program launched in conjunction is able to write there, and their location is communicated to the launched program by providing the environment variable RUNTIME_DIRECTORY.

anx
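As an added example (not part of anx's answer, and not systemd's or Ubuntu's own code): the program side of RuntimeDirectory=. The unit snippet in the comments and the name mydaemon are assumptions; the script only ever writes inside the directory systemd hands it via RUNTIME_DIRECTORY and refuses to fall back to guessing a path.

```shell
#!/bin/sh
# Added example, not from the original answer. An assumed unit
# /etc/systemd/system/mydaemon.service would carry:
#
#   [Service]
#   User=myuser
#   RuntimeDirectory=mydaemon
#   RuntimeDirectoryMode=0750
#   ExecStart=/usr/local/bin/mydaemon
#
# systemd creates /run/mydaemon, chowns it to User=, and exports
# RUNTIME_DIRECTORY=/run/mydaemon to the process before ExecStart runs.

# Resolve the directory to write runtime state into. Fails loudly when not
# started by systemd, so the PID file never silently lands in /tmp or $PWD.
runtime_dir() {
    if [ -z "${RUNTIME_DIRECTORY:-}" ]; then
        echo "RUNTIME_DIRECTORY is not set; start this via systemd (RuntimeDirectory=)" >&2
        return 1
    fi
    # RuntimeDirectory= may list several names, in which case systemd joins
    # the absolute paths with ':'; the first one is ours.
    printf '%s\n' "${RUNTIME_DIRECTORY%%:*}"
}

# Write our own PID into <runtime dir>/<name>.pid and print the path.
# The directory must already exist and be writable: we never create anything
# under /run ourselves, that is the manager's job.
write_pidfile() {
    dir=$(runtime_dir) || return 1
    if [ ! -d "$dir" ] || [ ! -w "$dir" ]; then
        echo "$dir is not a writable directory" >&2
        return 1
    fi
    pidfile="$dir/${1:-mydaemon}.pid"
    printf '%s\n' "$$" > "$pidfile" || return 1
    printf '%s\n' "$pidfile"
}

# Stand-alone use: write the PID file and keep running as a placeholder daemon.
if [ "${1:-}" = "run" ]; then
    write_pidfile mydaemon || exit 1
    exec sleep infinity
fi
```

Compared with the init-script approach, nothing here runs as root and no chown is needed: the directory is provisioned and owned correctly before the service's ExecStart is launched, and it is removed again when the unit stops.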
3

You can try this. Create a directory /var/run/test/ and then change the ownership of this directory to the same user your program runs as: chown my-program-user /var/run/test/. Now in your application change the location of the PID file to /var/run/test/test.pid. This should get things working for you.

proy
3

What about using the "sticky" bit on /var/run ?

chmod +t /var/run ?

It would probably mess up some other apps, but it seems like it would be another solution.

I'll stick with creating a separate /var/run folder for now, however.

2

Entries in /etc/permissions are permanent. Make an entry there to make the ownership and permissions of a directory permanent.

-8

To avoid putting your program-user in the root group, allow others write access:

# chmod 757