Failed to determine supplementary groups: Operation not permitted

I'm trying to set up watchman as a user service.

I've followed their documentation as closely as possible. This is what I have:

The socket file:

[Unit]
Description=Watchman socket for user %i

[Socket]
ListenStream=/usr/local/var/run/watchman/%i-state/sock
Accept=false
SocketMode=0664
SocketUser=%i
SocketGroup=%i

[Install]
WantedBy=sockets.target

The service file:

[Unit]
Description=Watchman for user %i
After=remote-fs.target
Conflicts=shutdown.target

[Service]
ExecStart=/usr/local/bin/watchman --foreground --inetd --log-level=2
ExecStop=/usr/bin/pkill -u %i -x watchman
Restart=on-failure
User=%i
Group=%i
StandardInput=socket
StandardOutput=syslog
SyslogIdentifier=watchman-%i

[Install]
WantedBy=multi-user.target

Systemd attempts to run watchman but is stuck in a restart loop.
These are the errors I get:

Apr 16 05:41:00 debian systemd[20894]: watchman@user.service: Failed to determine supplementary groups: Operation not permitted
Apr 16 05:41:00 debian systemd[20894]: watchman@user.service: Failed at step GROUP spawning /usr/local/bin/watchman: Operation not permitted

I'm 100% sure the group and user I'm enabling this service & socket exists.
What am I doing wrong?

Best Answer

I was running into the same issue. Googling I found this thread: https://bbs.archlinux.org/viewtopic.php?id=233035

The problem is with how the service is being started. If you specify the user/group in the unit file then you should start the service as a system service.

If you want to start the service as a user service then the User/Group is not needed and can be removed from the unit config. You simply start the service when logged in as the current user passing the --user flag to systemctl.

Best Answer

Related Solutions

Make systemd reload only single openvpn process and not the whole group

Adding a systemd .service (Debian)

Related Question