[ { "role": "user", "content": "If%20I%20start%20emacs%20in%20systemd%2C%20is%20that%20server%20only%20available%20to%20root%20or%20can%20other%20users%20attach%20to%20it%3F" }, { "role": "assistant", "content": "It depends on *how* you start Emacs via systemd (or generally with server mode), *where* the Emacs server socket lives, and what file permissions are in place. It's not automatically restricted to root; with the right setup, other users *can* connect\u2014but by default they usually cannot.\n\nHere\u2019s how it works and what you need to check:\n\n---\n\n## Emacs server basics\n\n- When Emacs is started with `--daemon` (or `server-start` in your init), it creates a Unix domain socket so that clients (`emacsclient`) can connect to that server. ([gnu.org](https://www.gnu.org/s/emacs/manual/html_node/emacs/Emacs-Server.html?utm_source=openai)) \n- Alternatively, Emacs can run in TCP-mode (via setting `server-use-tcp = t`), in which case connections are made over TCP sockets. ([gnu.org](https://www.gnu.org/software/emacs/manual/html_node/emacs/TCP-Emacs-server.html?utm_source=openai))\n\n---\n\n## Default socket location & permissions\n\n- The socket file (for local Unix sockets) is usually created in a directory specific to the user who starts Emacs\u2014e.g. under `/tmp/emacs$UID/server`, or under `$XDG_RUNTIME_DIR/$UID/emacs/server`. ([reddit.com](https://www.reddit.com/r/emacs/comments/hsxyls?utm_source=openai)) \n- That directory is typically owned by the Emacs-running user (not root), and the socket file itself gets owner-only permissions (read/write only by that user). For a socket you often see something like `srwx------`. ([emacs.stackexchange.com](https://emacs.stackexchange.com/questions/4212/debugging-emacsclient-error-accessing-server-file-server?utm_source=openai))\n\n---\n\n## What if you start Emacs via systemd?\n\nThere are two relevant \u201cflavors\u201d of systemd here:\n\n1. **User-level units** (`systemctl --user \u2026`)**:**\n - This runs services as your regular user, so sockets and files are owned by that user.\n - Other users generally won\u2019t have permissions to access them without manually changing ownership or permissions. The same restrictions (user vs. \u201cothers\u201d) apply. ([gnu.org](https://www.gnu.org/s/emacs/manual/html_node/emacs/Emacs-Server.html?utm_source=openai))\n\n2. **System-level units**, or starting Emacs as **root/system-wide**:\n - If Emacs is started by root via a global systemd unit, then the socket may be owned by root, and with restrictive permissions, only root can access it. Other users will likely fail to connect.\n - Unless the unit or socket file configuration explicitly makes the socket accessible to other users (e.g. sets `DirectoryMode`, `SocketMode`, `Group=...`, or `PermissionsStartOnly=` etc.), then other users won\u2019t be able to attach. ([gnu.org](https://www.gnu.org/s/emacs/manual/html_node/emacs/Emacs-Server.html?utm_source=openai))\n\n---\n\n## Permissions & configuration variables you should check / adjust\n\n- `server-socket-dir`: controls where local socket is placed. ([emacs.stackexchange.com](https://emacs.stackexchange.com/questions/35949/changing-the-location-of-the-emacs-server-socket?utm_source=openai)) \n- `server-name`: affects the name of the socket. Multiple servers can exist with different names. ([gnu.org](https://www.gnu.org/s/emacs/manual/html_node/emacs/Emacs-Server.html?utm_source=openai)) \n- `server-use-tcp`: if true, Emacs uses TCP sockets (more complicated for authorization). ([gnu.org](https://www.gnu.org/software/emacs/manual/html_node/emacs/TCP-Emacs-server.html?utm_source=openai)) \n- If using systemd socket activation (e.g. `emacs.socket` unit): you can define the socket file\u2019s permissions (e.g. `DirectoryMode=0700`, `SocketMode=0660`), set the group owning the socket, etc. ([gnu.org](https://www.gnu.org/s/emacs/manual/html_node/emacs/Emacs-Server.html?utm_source=openai))\n\n---\n\n## In summary\n\n- If **root** starts Emacs (through systemd or otherwise), then unless configured otherwise, only root can attach via `emacsclient` (because of socket ownership & permissions).\n- If Emacs is started by a **non-root user**, then typically only that user (and possibly root) can connect, unless the socket is made more permissive (or group-writable) intentionally.\n\n---\n\nIf you like, I can walk you through how to configure a systemd unit so that *multiple users* (or a particular group) can attach to the same Emacs server (safely). Do you want that setup?" }, { "role": "user", "content": "yes%2C%20what%20changes%20do%20I%20make%20to%20my%20%2Fetc%2Fsystemd%2Fsystem%2Femacs.service%20file%3F" }, { "role": "assistant", "content": "Here\u2019s how you can modify or add systemd unit files so that your Emacs server socket can be shared with a particular group (or with all users), rather than being restricted to root. I\u2019ll show both a **Service-only** approach and a **Socket+Service activation** approach.\n\n---\n\n## Key systemd directives for socket permissions\n\nTo control socket ownership and access, systemd socket unit files support:\n\n- `SocketUser=` / `SocketGroup=` \u2014 set the user and group owning the socket. ([freedesktop.org](https://www.freedesktop.org/software/systemd/man/253/systemd.socket.html?utm_source=openai)) \n- `SocketMode=` \u2014 set the file permissions (octal) for the socket. ([freedesktop.org](https://www.freedesktop.org/software/systemd/man/253/systemd.socket.html?utm_source=openai)) \n- `DirectoryMode=` \u2014 permissions for parent directory (if applicable). ([freedesktop.org](https://www.freedesktop.org/software/systemd/man/250/systemd.socket.html?utm_source=openai)) \n\nYou\u2019ll also use `User=` / `Group=` in the service unit to run the service under the appropriate account. \n\n---\n\n## Two configurations\n\nHere are two ways to set this up. Use one or the other depending on your preference.\n\n---\n\n### A) Using **socket activation**: `.socket` + `.service` units\n\nUse this if you want systemd to listen on the socket and start Emacs *only when a client connects*.\n\n#### `/etc/systemd/system/emacs.socket`\n\n```ini\n[Unit]\nDescription=Emacs server socket\n\n[Socket]\nListenStream=/run/emacs-server/socket\nSocketUser=emacsgroup\nSocketGroup=emacsgroup\nSocketMode=0660\nDirectoryMode=0755\n\n[Install]\nWantedBy=sockets.target\n```\n\n#### `/etc/systemd/system/emacs.service`\n\n```ini\n[Unit]\nDescription=Emacs daemon service\nRequires=emacs.socket\nAfter=network.target\n\n[Service]\n# if Emacs supports systemd socket activation, it can use the passed socket\nExecStart=/usr/bin/emacs --daemon\nUser=root # or a less privileged user\nGroup=root # or appropriate group\nStandardInput=socket # allows the daemon to use the pre-opened socket\n# Optional: permissions, environment, etc.\n\n[Install]\nWantedBy=default.target\n```\n\n**What this does:**\n\n- systemd creates the Unix domain socket at `/run/emacs-server/socket` \n- The socket is owned by `emacsgroup:emacsgroup` with permissions `0660` \u2014 only root or members of that group can access it \n- On the first emacsclient connection, systemd will start the `emacs.service` and hand off the socket to it ([mail.gnu.org](https://mail.gnu.org/r/emacs-devel/2016-04/msg00141.html?utm_source=openai)) \n\nYou\u2019ll need to:\n\n1. Create the group `emacsgroup`, add users who should have access\n2. Enable & start both units: \n ```shell\n sudo systemctl daemon-reload\n sudo systemctl enable emacs.socket\n sudo systemctl start emacs.socket\n ```\n\n---\n\n### B) Simpler approach: service-only, running Emacs as a non-root user, making its socket accessible\n\nIf you want Emacs always running (not on-demand), run it under a specific user who owns the socket. Then adjust permissions so group or others can connect.\n\n#### `/etc/systemd/system/emacs.service`\n\n```ini\n[Unit]\nDescription=Emacs daemon\nAfter=network.target\n\n[Service]\nType=forking\nExecStart=/usr/bin/emacs --daemon\nExecStop=/usr/bin/emacsclient --eval \"(kill-emacs)\"\nUser=emacuser\nGroup=emacsgroup\n# Optionally ensure socket dir permissions\nExecStartPre=/bin/mkdir -p /run/emacs-server\nExecStartPre=/bin/chown emacuser:emacsgroup /run/emacs-server\nExecStartPre=/bin/chmod 0770 /run/emacs-server\n\n# Environment, restart policy, etc.\nRestart=on-failure\n\n[Install]\nWantedBy=multi-user.target\n```\n\nThen in your Emacs config (for example in `~/.emacs.d/init.el`), make Emacs put the server socket in `/run/emacs-server`:\n\n```elisp\n(setq server-socket-dir \"/run/emacs-server\")\n```\n\nEnsure the socket file created under that directory is group-writable (Emacs should then create socket with group perms matching directory\u2019s group). \n\n---\n\n## Notes & Caveats\n\n- Socket activation requires that Emacs was compiled with systemd support. Recent versions typically include this. ([mail.gnu.org](https://mail.gnu.org/r/emacs-devel/2016-04/msg00141.html?utm_source=openai)) \n- When using `SocketUser` / `SocketGroup`, the socket is created with those ownerships and `SocketMode`. If you omit them, it defaults to root:root (or invoking user in user units) and `0666` mode. ([freedesktop.org](https://www.freedesktop.org/software/systemd/man/250/systemd.socket.html?utm_source=openai)) \n- Directory permissions are enforced for locating the socket file. If the parent directory isn\u2019t accessible by a user, connecting still fails. ([mail.gnu.org](https://mail.gnu.org/archive/html/bug-gnu-emacs/2018-12/msg00906.html?utm_source=openai)) \n- If using a **user-level** systemd unit (`systemctl --user`), the socket/service run under your user\u2014so if needing multi-user access, system-level units are more appropriate.\n\n---\n\nIf you tell me:\n\n- which Linux distro you're on,\n- which users/groups should be able to connect,\n- whether you want socket activation or always-on,\n\nI can give you a fully tailored unit file." } ]