I added a new group: ircuser, and a new user: ircuser.
In visudo I placed this line:
myuser localhost=(ircuser) NOPASSWD: /usr/bin/irssi
Created the ircuser directory, where config files, caches, etc. should be saved:
drwxrwx--- 2 ircuser ircuser 4096 Mar 2 10:28 ircuser
When issuing the command:
sudo -Hu ircuser /usr/bin/irssi
or
sudo -u ircuser /usr/bin/irssi
The program can't save the config file in the ircuser directory.
** ERROR **: Couldn't create /home/myuser/_web/ircuser/.irssi directory
aborting...
Aborted
But, it is being run as ircuser:
ps auxw | grep irssi
ircuser 11962 0.0 0.0 23684 2504 pts/6 S+ 11:18 0:00 /usr/bin/irssi
So, albeit irssi is run by ircuser, it can't write to a directory owned by the same user?
What do I need to change to allow it saving there?
Best Answer
The problem probably lies in not having eXecute permission in one of the parent directories leading up to ircuser's home directory. In order for any user to traverse, not necessarily look into a directory, that user must have execute permission either via a group, or via other. If you have these permissions:
And ircuser is not part of the myuser group, then ircuser can't access any file underneath even if it has permissions for that directory. If you try this instead:
Then ircuser can't browse myuser's home directory, but it can potentially access some file beneath it such as
/home/myuser/_web/ircuser
UPDATE: A few more details I left out from the above description. Permissions are evaluated as you traverse the file system. It's possible to be able to access a folder starting from the current directory that you can't access starting from the root directory. If you change your working directory to somewhere else, you will lose your handle on the current directory and lose access to the files in it. If you use something like sudo su - ircuser, su will switch to the home directory of ircuser before dropping root privileges. At that point, you have a valid handle for ircuser's home directory because it's the current working directory. If you start irssi, it will be running in ircuser's home directory as ircuser. If you try to access .irssi, that will work because you have eXecute permission on the current directory. If you have to traverse a directory where you are lacking eXecute permission, it will fail. For example, opening up the file
/home/myuser/_web/ircuser/.irssi
or even starting from the current directory and using the relative path of ../../_web/ircuser/.irssi
fails because it requires traversing /home/myuser
where you have no eXecute permission.
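The answer's rule (search permission is needed on every directory looked up along the way, and the walk starts at the cwd for a relative path) can be checked against a model rather than a live box, where running as root would hide the failure. The following is an added example, not part of the answer above: it models the permission bits of a constructed tree (the paths come from the question; uids 1000 for myuser and 1001 for ircuser and the 700/755/770 modes are assumptions) and walks a path the way the kernel's lookup does, reporting the first directory that blocks the walk. Root's CAP_DAC_OVERRIDE bypass is deliberately not modelled.

```python
import posixpath
from dataclasses import dataclass

R, W, X = 4, 2, 1  # permission bits within one class (owner/group/other)


@dataclass(frozen=True)
class Inode:
    uid: int
    gid: int
    mode: int  # permission bits only, e.g. 0o750


class PermTree:
    """Constructed model of a directory tree: normalized absolute path -> Inode."""

    def __init__(self, entries):
        self.entries = {posixpath.normpath(p): i for p, i in entries.items()}

    def inode(self, path):
        return self.entries[posixpath.normpath(path)]


def with_mode(tree, path, mode):
    """Return a copy of the tree with one directory's mode replaced (a 'chmod')."""
    old = tree.inode(path)
    new = dict(tree.entries)
    new[posixpath.normpath(path)] = Inode(old.uid, old.gid, mode)
    return PermTree(new)


def allowed(inode, uid, gids, bit):
    """Unix DAC class selection: owner class if uid matches, else group class
    if any of the process's gids matches, else other. Exactly one class is used."""
    if uid == inode.uid:
        return bool(inode.mode & (bit << 6))
    if inode.gid in gids:
        return bool(inode.mode & (bit << 3))
    return bool(inode.mode & bit)


def resolve(tree, path, uid, gids, cwd="/"):
    """Walk `path` component by component. Looking up any name in a directory,
    including '..', requires search (x) on that directory. Returns
    (absolute_path, None) on success or (None, blocking_directory) on failure."""
    cur = "/" if path.startswith("/") else posixpath.normpath(cwd)
    for comp in [c for c in path.split("/") if c and c != "."]:
        if not allowed(tree.inode(cur), uid, gids, X):
            return None, cur
        cur = posixpath.normpath(posixpath.join(cur, comp))
    return cur, None


def can_create(tree, target, uid, gids, cwd="/"):
    """Can this uid/gids create `target` (like irssi's mkdir of .irssi)?
    Needs: a traversable path to the parent, then w+x on the parent itself."""
    parent = posixpath.dirname(target) or "."
    parent_abs, blocker = resolve(tree, parent, uid, gids, cwd)
    if blocker is not None:
        return False, blocker
    inode = tree.inode(parent_abs)
    if allowed(inode, uid, gids, W) and allowed(inode, uid, gids, X):
        return True, None
    return False, parent_abs


# Constructed tree mirroring the question: myuser's home is 700, ircuser's
# directory is owned by ircuser and group-writable.
TREE = PermTree({
    "/": Inode(0, 0, 0o755),
    "/home": Inode(0, 0, 0o755),
    "/home/myuser": Inode(1000, 1000, 0o700),
    "/home/myuser/_web": Inode(1000, 1000, 0o755),
    "/home/myuser/_web/ircuser": Inode(1001, 1001, 0o770),
})
IRCUSER_UID, IRCUSER_GIDS = 1001, {1001}
IRCDIR = "/home/myuser/_web/ircuser"


def scenarios():
    """The cases from the answer, as (label, (ok, blocker)) pairs."""
    return [
        ("absolute path, /home/myuser is 700",
         can_create(TREE, IRCDIR + "/.irssi", IRCUSER_UID, IRCUSER_GIDS)),
        ("absolute path after chmod 711 /home/myuser",
         can_create(with_mode(TREE, "/home/myuser", 0o711), IRCDIR + "/.irssi",
                    IRCUSER_UID, IRCUSER_GIDS)),
        ("absolute path, 750 home and ircuser added to group myuser",
         can_create(with_mode(TREE, "/home/myuser", 0o750), IRCDIR + "/.irssi",
                    IRCUSER_UID, {1001, 1000})),
        ("relative .irssi from cwd (what 'su - ircuser' gives you)",
         can_create(TREE, ".irssi", IRCUSER_UID, IRCUSER_GIDS, cwd=IRCDIR)),
        ("relative ../../_web/ircuser/.irssi from the same cwd",
         can_create(TREE, "../../_web/ircuser/.irssi", IRCUSER_UID, IRCUSER_GIDS,
                    cwd=IRCDIR)),
    ]


if __name__ == "__main__":
    for label, (ok, blocker) in scenarios():
        print(f"{label}: {'OK' if ok else 'blocked at ' + blocker}")
```

The first scenario reproduces the question's failure: the walk stops at /home/myuser, not at the ircuser directory that the error message names. Either chmod 711 on the home directory (other users may pass through it but not list it) or a group membership with 750 clears it; the relative-path cases show why the same files are reachable from inside the directory but not through an absolute path.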