3

I'm setting up permissions for a basic web server, but having some difficulty with starting the server with systemd.

In my job description, I set the user and group to "foo", as follows:

```
[Service]

WorkingDirectory=/home/otheruser/Website
ExecStart=/home/otheruser/Website/bin/site -Dhttp.port=7000

User=foo
Group=foo
```

I recursively changed the group for the Website directory to foo, and made sure to give group execution rights to the site binary. When I still had issues, I chowned the whole directory for foo. Here's what `ls -la` displays in the bin directory:

```
drwxr-xr-x 2 foo foo  4096 Sep  5 16:13 .
drwxr-xr-x 7 foo foo  4096 Sep  5 18:07 ..
-rwxr-xr-x 1 foo foo  8502 Sep  5 16:13 site
```

Anyhow, I'm still getting this error when trying to start my systemd job:

```
foo.service: Failed at step EXEC spawning /home/otheruser/Website/bin/site: Permission denied
```

Any ideas what could be causing this?

Nathan
  • 1
    With `Permission denied` errors not only the traditional UGO permissions in the executable (and the complete path leading there) can be an issue, also SELinux violations are often reported as such. – HBruijn Sep 05 '16 at 19:57
  • 1
    @HBruijn We can see from his question that SELinux is disabled. – Michael Hampton Sep 05 '16 at 20:03
  • @HBruijn How can you see that? – Nathan Sep 05 '16 at 20:08
  • 1
    @Nathan: Michael is sharper than I am and noticed that the `ls` output did not show a trailing `.` after the UGO permissions `drwxr-xr-x` - GNU `ls` uses a `.` character to indicate a file with an SELinux security context, but no other alternate access method. A file with any other combination of alternate access methods is marked with a `+` character. – HBruijn Sep 05 '16 at 20:16

1 Answer

2

After tinkering around some more, I ended up discovering that some directories higher up in the tree (namely /home/otheruser) weren't allowing execution by foo. While the Website directory had correct permissions, the above directories didn't, which was causing the failure.

Nathan
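
The check this answer describes, as an added example that is not part of the original post: every directory on the way to the binary needs the execute (search) bit for the service user, so this sketch walks the path and reports the first component that denies it. It assumes classic owner/group/other mode bits only (no ACLs, no SELinux, no root bypass); `first_blocker`, `demo`, the `start` parameter and the temporary tree are constructed for illustration.

```python
import os
import stat
import tempfile


def first_blocker(path, uid, gids, start=os.sep):
    """Walk from `start` down to `path` and return the first component whose
    mode bits deny execute/search to the given uid and gids, else None."""
    path, start = os.path.realpath(path), os.path.realpath(start)
    rel = os.path.relpath(path, start)
    chain, current = [start], start
    for part in ([] if rel == os.curdir else rel.split(os.sep)):
        current = os.path.join(current, part)
        chain.append(current)
    for component in chain:
        st = os.stat(component)
        # The kernel picks exactly one permission class: owner, group or other.
        if st.st_uid == uid:
            needed = stat.S_IXUSR
        elif st.st_gid in gids:
            needed = stat.S_IXGRP
        else:
            needed = stat.S_IXOTH
        if not st.st_mode & needed:
            return component
    return None


def demo():
    """Constructed tree mirroring the question: home dir 0700, the rest 0755."""
    base = os.path.realpath(tempfile.mkdtemp())
    home = os.path.join(base, "otheruser")
    website = os.path.join(home, "Website")
    bindir = os.path.join(website, "bin")
    binary = os.path.join(bindir, "site")
    os.makedirs(bindir)
    open(binary, "w").close()
    for p in (base, website, bindir, binary):
        os.chmod(p, 0o755)
    os.chmod(home, 0o700)  # the parent directory that blocks the service user
    owner = os.stat(home)
    # Hypothetical "foo": a uid/gid that owns nothing in the tree.
    foo_uid, foo_gids = owner.st_uid + 1, {owner.st_gid + 1}
    before = first_blocker(binary, foo_uid, foo_gids, start=base)
    os.chmod(home, 0o711)  # one option: search-only for others (traverse, not list)
    after = first_blocker(binary, foo_uid, foo_gids, start=base)
    return os.path.relpath(before, base), after
```

On a live system, `namei -l /home/otheruser/Website/bin/site` prints the owner and mode of each component so the same check can be done by eye.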