systemd’s SupplementaryGroups also applicable to worker processes spawned by the main process of the service?


Problem:

I have to set up a systemd service for an application that is not allowed to run as root, but must access a private key file and elevated ports.

Usually the private keys are protected in a way that only root has access to them.

Since the application may not start as root, I am considering using systemd’s SupplementaryGroups to give access to the key.

SupplementaryGroups=privkey_access_group

This is working as expected, but I wonder whether this supplementary group only applies to the main process of my application. If the application spawns worker processes, will these also have that supplementary group set?

Solution:

Groups are always inherited from parent process to child process, regardless of how they were initially set. Only your application can decide whether its worker processes will keep the inherited groups or deliberately clear them; systemd has no say over this.
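The following script is an added example (not part of the original question or answer) that lets you confirm the inheritance rule on your own system: it compares the parent's supplementary groups with what a worker reports when spawned via fork+exec and via plain fork(), shows that clearing groups is something only a privileged process can do, and parses the Groups: line of /proc/PID/status the way an operator would when verifying a running service. The GID 2000 and the unit name in the usage note are assumed placeholders.

```python
"""Check that supplementary groups survive into spawned worker processes.

Run as any unprivileged user. Nothing here needs root; the setgroups()
attempt is expected to fail without CAP_SETGID, which is the point.
"""
import os
import subprocess
import sys

# One-liner the spawned worker runs to report its own supplementary groups.
PRINT_GROUPS = "import os; print(' '.join(str(g) for g in sorted(os.getgroups())))"


def current_groups():
    """Sorted supplementary group IDs of the calling (parent) process."""
    return sorted(os.getgroups())


def spawned_worker_groups():
    """Worker started via fork+exec (what most servers do) reports its groups."""
    result = subprocess.run([sys.executable, "-c", PRINT_GROUPS],
                            capture_output=True, text=True, check=True)
    return [int(g) for g in result.stdout.split()]


def forked_worker_groups():
    """Worker started via plain fork() (prefork-style servers) reports its groups."""
    read_fd, write_fd = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: write its group list back to the parent and exit
        os.close(read_fd)
        os.write(write_fd, " ".join(str(g) for g in sorted(os.getgroups())).encode())
        os._exit(0)
    os.close(write_fd)
    data = b""
    while True:
        chunk = os.read(read_fd, 4096)
        if not chunk:
            break
        data += chunk
    os.close(read_fd)
    os.waitpid(pid, 0)
    return [int(g) for g in data.split()]


def workers_inherit_groups():
    """True when both kinds of worker carry exactly the parent's groups."""
    parent = current_groups()
    return spawned_worker_groups() == parent and forked_worker_groups() == parent


def try_drop_groups():
    """Attempt to clear supplementary groups; succeeds only with CAP_SETGID.

    Returns True if the groups were cleared, False if the kernel refused.
    An unprivileged service cannot widen or narrow its own group list, so a
    worker keeps whatever SupplementaryGroups= gave the main process unless
    the application itself is privileged and chooses to drop them.
    """
    try:
        os.setgroups([])
        return True
    except PermissionError:
        return False


def groups_from_proc_status(status_text):
    """Parse the 'Groups:' line of /proc/<pid>/status into a sorted GID list."""
    for line in status_text.splitlines():
        if line.startswith("Groups:"):
            return sorted(int(g) for g in line.split(":", 1)[1].split())
    return []


# Constructed sample of a /proc/<pid>/status excerpt for a worker running as
# uid/gid 1000 with the assumed GID 2000 for privkey_access_group attached.
SAMPLE_STATUS = (
    "Name:\tmyapp-worker\n"
    "Uid:\t1000\t1000\t1000\t1000\n"
    "Gid:\t1000\t1000\t1000\t1000\n"
    "Groups:\t1000 2000\n"
)


if __name__ == "__main__":
    print("parent groups:", current_groups())
    print("workers inherit parent's groups:", workers_inherit_groups())
    print("could clear groups (needs CAP_SETGID):", try_drop_groups())
    print("sample worker status groups:", groups_from_proc_status(SAMPLE_STATUS))
```

To check a live service, take the main PID with `systemctl show -p MainPID --value myapp.service` (assumed unit name), then compare the Groups: line in /proc/MAINPID/status with the same line for each worker listed by `systemctl status myapp.service`; every worker should show the GID of privkey_access_group unless the application deliberately dropped it.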
