File permissions for systemd init script


I'm just starting to explore systemd init scripts after upgrading to Ubuntu 16.04 LTS. What should the ownership and file permissions be on my .service files?

It currently is by default:

-rw-rw-r-- 1 me me  225 Dec 20 21:57 my.service

After symbolically linking to the systemd directory, it looks like other files are just completely open (777), even mine:

lrwxrwxrwx  1 root root   40 Dec 20 21:31 dbus-org.freedesktop.Avahi.service -> /lib/systemd/system/avahi-daemon.service


Posted 2017-12-21T06:00:36.387


The semantics of the permissions of a symbolic link in Linux have nothing to do with systemd, so I wonder what the question is really about: Should the service file be group-writable? Why should it? – U. Windl – 2019-04-29T09:34:56.023



Should the files be executable?

Think of systemd units as config files, not scripts. They are not run by the kernel, do not have the #! shebang line, and therefore do not need to be executable. (In fact, if you do make them executable, systemd will print a warning to system logs.)

Should the files be readable by non-root users?

Yes, there's no point in hiding the contents (which can be retrieved via systemctl anyway). Again, systemd will warn about useless attempts to make the units non-public.

Should the files be writable by non-root users?

Only if the user is fully trusted (i.e. a system administrator). Think about what they could achieve: they could put arbitrary commands in the unit file, reboot the system, and those commands would be run with full root privileges.

So if an untrusted user could write to system .service files, they could become root very quickly.

Should the files be owned by root or not?

They are system configuration files, located in /etc, so root would be the natural choice. (It doesn't matter that much – but do see the previous section about writability.)

Are other files really "completely open"?

They aren't. Your example is a symlink, not a file. Symlinks do not have their own permissions at all – the system always returns the same dummy value, but never uses it for anything. (By the way, rwx rwx rwx is 0777, not 0755.)

If you look at all regular files in /etc/systemd/system or /usr/lib/systemd/system, you'll see that nearly all of them have permissions 0644 (rw- r-- r--).


Posted 2017-12-21T06:00:36.387


The answer lacks the most important essential information: Under what effective rights (i.e. UID, GID) does systemd access these files, and how does it access them? IMHO reading rights for the corresponding UID or GID is sufficient. Everything else is just a matter of taste (the "need to know" principle), which systemd should not talk about. – U. Windl – 2019-04-29T09:38:22.257
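
The checks described in the answer above, written out as an added example (not part of the original posts and not systemd's own code). It follows symlinks, because the mode shown on the link itself is a dummy value and the file it points to is what matters; the function name, the `owner_uid` parameter and the suffix list are choices made for this example, and only the top level of the directory is scanned.

```python
import os
import stat
import sys

# Unit types to look at (a subset chosen for this example).
UNIT_SUFFIXES = (".service", ".socket", ".timer", ".mount", ".target", ".path")

def audit_unit_dir(unit_dir, owner_uid=0):
    """Return {entry_name: [problems]} for unit files directly under unit_dir."""
    findings = {}
    for name in sorted(os.listdir(unit_dir)):
        if not name.endswith(UNIT_SUFFIXES):
            continue
        path = os.path.join(unit_dir, name)
        try:
            st = os.stat(path)  # follows symlinks: checks the target, not lrwxrwxrwx
        except OSError:
            findings[name] = ["dangling symlink or unreadable"]
            continue
        if not stat.S_ISREG(st.st_mode):
            continue  # e.g. a masked unit linked to /dev/null
        problems = []
        if st.st_uid != owner_uid:
            problems.append("owner uid %d, expected %d" % (st.st_uid, owner_uid))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            # Whoever can write the unit chooses what runs as root at next start.
            problems.append("writable by group or others")
        if st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
            problems.append("executable bit set")
        if not st.st_mode & stat.S_IROTH:
            problems.append("not world-readable")
        if problems:
            findings[name] = problems
    return findings

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/systemd/system"
    for unit, problems in audit_unit_dir(target).items():
        real = os.path.realpath(os.path.join(target, unit))
        print("%s (%s): %s" % (unit, real, "; ".join(problems)))
```

A unit like the question's `my.service` (mode 0664, owned by a regular user, symlinked into the systemd directory) is reported for both its owner and its group-write bit, even though the symlink itself shows `lrwxrwxrwx`.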