IPFS and group permissions

I am trying to have a single daemon run as the ipfs:ipfs user and have other users access it. I tried adding my users to the ipfs group, but I keep getting permission denied errors:

chymera@neurohost ~ $ ipfs get Qmep2QrM7L7ditXcjKArVPkvmMtVNAh4p5KSPBBS8usr1X
Error: error loading plugins: open /var/lib/ipfs/.ipfs/config: permission denied
chymera@neurohost ~ $ ls -lah /var/lib/ipfs/.ipfs/
total 36K
drwxr-xr-x 5 ipfs ipfs 4.0K Apr 13 18:55 .
drwxrwxr-x 3 ipfs ipfs 4.0K Apr 13 18:05 ..
-rw-r--r-- 1 ipfs ipfs   23 Apr 13 18:51 api
drwxr-xr-x 7 ipfs ipfs 4.0K Apr 13 18:51 blocks
-rw------- 1 ipfs ipfs 3.7K Apr 13 18:00 config
drwxr-xr-x 2 ipfs ipfs 4.0K Apr 13 18:56 datastore
-rw------- 1 ipfs ipfs  190 Apr 13 18:00 datastore_spec
drwx------ 2 ipfs ipfs 4.0K Apr 13 18:00 keystore
-rw-r--r-- 1 ipfs ipfs    0 Apr 13 18:51 repo.lock
-rw-r--r-- 1 ipfs ipfs    3 Apr 13 18:00 version

The issue is probably that the config does not have group read permissions.

Interestingly, the config documentation says this file shouldn’t even be accessed if the daemon is running ( go-ipfs/config.md at master · ipfs/go-ipfs · GitHub ) but somehow it is.

I thought perhaps I need to connect to the daemon more explicitly, and the only thing I could find pertaining to that is the --api flag, which does not seem to do anything either:

chymera@neurohost ~ $ ipfs --api=/ip4/127.0.0.1/tcp/5001 get Qmep2QrM7L7ditXcjKArVPkvmMtVNAh4p5KSPBBS8usr1X
Error: error loading plugins: open /var/lib/ipfs/.ipfs/config: permission denied

Any ideas what could be going on here?

Well, you could chmod g+r /var/lib/ipfs/.ipfs/config…

But the better way would be that you run the IPFS daemon as ipfs:ipfs on one side, keeping its folders/config isolated. Then each user creates $HOME/.ipfs/api for themselves, the api file having the same content as the /var/lib/ipfs/.ipfs/api created by the running daemon. They should be able to run ipfs and talk to the running daemon that way.