I’m running my ipfs daemons as a systemd service, launched at system startup under a specific user account. The ipfs command line binary & daemon are in /usr/local/bin. Port 4001 is open to the outside (I get > 1000 peer connections) and 5001 is open only to localhost.
How can I set permissions properly so any account on the same machine as the server can run CLI commands? Must the user account that runs the daemon & has the .ipfs repo have wide open permissions?
Sometimes the ipfs CLI command accesses the IPFS repo, which is likely why it needs some permissions. You could throw the .ipfs directory somewhere like /opt/ and make an ipfs group & user, then run the daemon as the ipfs user, and add any user account you’d like to access the repo and use IPFS to the ipfs group.
All users have access to your localhost, so either you make them share the IPFS_PATH folder as @Discordian suggested,
or, as a lazy solution, you do mkdir ~/.ipfs && echo "/ip4/127.0.0.1/tcp/5001" > ~/.ipfs/api on all the users.
(Note: the API does not have access control, anyone with access to it can do various things like upload a new config, shutdown the node, …)
This is what setuid binaries are for, no?
Though, in fairness, this practice is not used so much anymore. I forget the reason.
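
An added example, not part of any post in this thread: a small audit for the shared-repo layout suggested above, checking that nothing in the repo is open to "other", that everything belongs to the shared group, and that the repo's api file points at a loopback address. The path /opt/ipfs, the group name ipfs and the function names are assumptions, as is the api file holding a single multiaddr of the form /ip4/127.0.0.1/tcp/5001.

```shell
#!/bin/sh
# Added example (not from the thread). Repo path and group name are assumptions.

# api_is_loopback FILE: succeed only if the multiaddr in the repo's api file
# is a loopback address. The API has no access control, so it must not be
# reachable from other hosts.
api_is_loopback() {
    addr=$(head -n 1 "$1" 2>/dev/null | tr -d '[:space:]')
    case "$addr" in
        /ip4/127.*/tcp/*|/ip6/::1/tcp/*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_repo REPO GROUP: print one line per finding, return 1 if there is any.
audit_repo() {
    repo=$1 group=$2 rc=0
    [ -d "$repo" ] || { echo "missing repo: $repo"; return 1; }

    # Group access is enough for shared CLI use; any "other" bit means the
    # repo (including the node's keys) is exposed to every local account.
    open=$(find "$repo" \( -perm -o=r -o -perm -o=w -o -perm -o=x \) -print)
    [ -z "$open" ] || { echo "world-accessible: $open"; rc=1; }

    # Files outside the shared group will be unreadable to group members.
    stray=$(find "$repo" ! -group "$group" -print)
    [ -z "$stray" ] || { echo "not in group $group: $stray"; rc=1; }

    if ! api_is_loopback "$repo/api"; then
        echo "api file missing or not a loopback address"; rc=1
    fi
    return $rc
}

# Usage (assumed layout): audit_repo /opt/ipfs ipfs
```

Membership in the shared group still grants full control of the node, since both the repo and the localhost API are then reachable.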