Bug 838235 - net-p2p/kubo-0.11.0 permissions issues
Summary: net-p2p/kubo-0.11.0 permissions issues
Status: RESOLVED WORKSFORME
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: David Roman
Reported: 2022-04-13 18:43 UTC by Horea Christian
Modified: 2024-01-13 08:29 UTC

Attachments
/etc/init.d/ipfs.youruser (file_838235.txt,504 bytes, text/plain)
2022-04-14 00:59 UTC, Horea Christian
/etc/conf.d/ipfs.youruser (file_838235.txt,38 bytes, text/plain)
2022-04-14 01:00 UTC, Horea Christian
Description Horea Christian 2022-04-13 18:43:41 UTC
Going by the elog text in =net-p2p/go-ipfs-0.11.0 ( https://gitweb.gentoo.org/repo/gentoo.git/tree/net-p2p/go-ipfs/go-ipfs-0.11.0.ebuild#n1973 ) I create `/var/lib/ipfs/.ipfs`, set its ownership to ipfs:ipfs, and add my user to the ipfs group.

Sadly by default a lot of files in the directory are not writeable by the group, and even after `chmod -R 775 /var/lib/ipfs` they will somehow revert to that.


```
chymera@decohost ~ $ ls -lahd .ipfs
lrwxrwxrwx 1 chymera chymera 20 Apr 12 12:09 .ipfs -> /var/lib/ipfs/.ipfs/
chymera@decohost ~ $ ls -lah .ipfs/
total 2.3M
drwxrwxr-x  5 ipfs ipfs 4.0K Apr 13 14:34 .
drwxrwxr-x  3 ipfs ipfs 4.0K Apr 12 12:13 ..
-rw-r--r--  1 ipfs ipfs   23 Apr 13 14:34 api
drwxrwxr-x 20 ipfs ipfs 4.0K Apr 13 14:34 blocks
-rw-------  1 ipfs ipfs 3.7K Apr 13 14:32 config
-rw-------  1 ipfs ipfs 3.7K Apr 13 14:31 config-pre-lowpower-2169471326
-rw-------  1 ipfs ipfs 3.7K Apr 13 14:32 config-pre-lowpower-3509665115
drwxrwxr-x  2 ipfs ipfs 4.0K Apr 13 14:34 datastore
-rwxrwxr-x  1 ipfs ipfs  190 Apr 12 12:13 datastore_spec
drwxrwxr-x  2 ipfs ipfs 4.0K Apr 12 12:13 keystore
-rwxrwxr-x  1 ipfs ipfs 2.2M Apr 12 21:45 lala.png
-rw-r--r--  1 ipfs ipfs    0 Apr 13 14:34 repo.lock
-rwxrwxr-x  1 ipfs ipfs    3 Apr 12 12:13 version
```

This means that it's very hard to manage the repository or configuration via my user (or any user at all, really, since ipfs isn't a user with a shell).
After e.g. running:

```
chymera@decohost ~/.ipfs $ ipfs config profile apply lowpower
```

the service failed to start until I ran `chown -R ipfs:ipfs /var/lib/ipfs/`.
This seems pretty unstable, though I'm not sure how this could be nicely fixed if upstream code insists on not setting group write.

Perhaps I am just using the software incorrectly and some additional info could be added to elog?
Comment 1 Horea Christian 2022-04-13 21:38:17 UTC
This is a more verbose demo of the permissions issues, as seen in a new installation right after using the code provided in elog and adding my user to the ipfs group.

```
chymera@neurohost ~ $ ls -lahd .ipfs
lrwxrwxrwx 1 chymera chymera 19 Apr 13 17:01 .ipfs -> /var/lib/ipfs/.ipfs
chymera@neurohost ~ $ ls -lahd /var/lib/ipfs/.ipfs
drwxr-xr-x 5 ipfs ipfs 4.0K Apr 13 17:00 /var/lib/ipfs/.ipfs
chymera@neurohost ~ $ ls -lah /var/lib/ipfs/.ipfs/
total 32K
drwxr-xr-x 5 ipfs ipfs 4.0K Apr 13 17:00 .
drwxr-xr-x 3 ipfs ipfs 4.0K Apr 13 17:00 ..
drwxr-xr-x 4 ipfs ipfs 4.0K Apr 13 17:00 blocks
-rw------- 1 ipfs ipfs 3.7K Apr 13 17:00 config
drwxr-xr-x 2 ipfs ipfs 4.0K Apr 13 17:00 datastore
-rw------- 1 ipfs ipfs  190 Apr 13 17:00 datastore_spec
drwx------ 2 ipfs ipfs 4.0K Apr 13 17:00 keystore
-rw-r--r-- 1 ipfs ipfs    3 Apr 13 17:00 version
chymera@neurohost ~ $ groups
wheel audio users portage ipfs syncthing chymera chymera-data manish-data
chymera@neurohost ~ $ touch .ipfs/lala.py
touch: cannot touch '.ipfs/lala.py': Permission denied
```
Comment 2 Horea Christian 2022-04-13 23:29:33 UTC
Well, I've reported this upstream, maybe they know how this is supposed to work: https://discuss.ipfs.io/t/ipfs-and-group-permissions/13983
Comment 3 Horea Christian 2022-04-14 00:58:14 UTC
Ok, so I was able to jerry-rig an emergency fix but it's not nice because it simply runs the daemon as the user. I don't see why there should be one daemon per user. Ideally the present group approach could be made to work.

For the time being, my fix was:

(1) make the logs directory writable for the user: `chmod -R 775 /var/log/ipfs`
(2) instead of the current init.d and conf.d files, use the attached files named `/etc/{init,conf}.d/ipfs.yourusername` respectively.
(3) run `ipfs init` as user
(4) start the service with `/etc/init.d/ipfs.youruser start`.

Should work but let's hope we can fix the current approach instead.
Comment 4 Horea Christian 2022-04-14 00:59:26 UTC
Created attachment 770681 [details]
/etc/init.d/ipfs.youruser
Comment 5 Horea Christian 2022-04-14 01:00:02 UTC
Created attachment 770684 [details]
/etc/conf.d/ipfs.youruser
Comment 6 David Roman 2022-04-14 09:20:38 UTC
(In reply to Horea Christian from comment #0)
> Going by the elog text in =net-p2p/go-ipfs-0.11.0 (
> https://gitweb.gentoo.org/repo/gentoo.git/tree/net-p2p/go-ipfs/go-ipfs-0.11.0.ebuild#n1973
> ) I create `/var/lib/ipfs/.ipfs`, set its ownership to
> ipfs:ipfs, and add my user to the ipfs group.
> 
> Sadly by default a lot of files in the directory are not writeable by the
> group, and even after `chmod -R 775 /var/lib/ipfs` they will somehow revert
> to that.
> 
> 
> ```
> chymera@decohost ~ $ ls -lahd .ipfs
> lrwxrwxrwx 1 chymera chymera 20 Apr 12 12:09 .ipfs -> /var/lib/ipfs/.ipfs/
> chymera@decohost ~ $ ls -lah .ipfs/
> total 2.3M
> drwxrwxr-x  5 ipfs ipfs 4.0K Apr 13 14:34 .
> drwxrwxr-x  3 ipfs ipfs 4.0K Apr 12 12:13 ..
> -rw-r--r--  1 ipfs ipfs   23 Apr 13 14:34 api
> drwxrwxr-x 20 ipfs ipfs 4.0K Apr 13 14:34 blocks
> -rw-------  1 ipfs ipfs 3.7K Apr 13 14:32 config
> -rw-------  1 ipfs ipfs 3.7K Apr 13 14:31 config-pre-lowpower-2169471326
> -rw-------  1 ipfs ipfs 3.7K Apr 13 14:32 config-pre-lowpower-3509665115
> drwxrwxr-x  2 ipfs ipfs 4.0K Apr 13 14:34 datastore
> -rwxrwxr-x  1 ipfs ipfs  190 Apr 12 12:13 datastore_spec
> drwxrwxr-x  2 ipfs ipfs 4.0K Apr 12 12:13 keystore
> -rwxrwxr-x  1 ipfs ipfs 2.2M Apr 12 21:45 lala.png
> -rw-r--r--  1 ipfs ipfs    0 Apr 13 14:34 repo.lock
> -rwxrwxr-x  1 ipfs ipfs    3 Apr 12 12:13 version
> ```
> 
> This means that it's very hard to manage the repository or configuration via
> my user (or any user at all, really, since ipfs isn't a user with a shell).
> After e.g. running:
> 
> ```
> chymera@decohost ~/.ipfs $ ipfs config profile apply lowpower
> ```
> 
> the service failed to start until I ran `chown -R ipfs:ipfs /var/lib/ipfs/`.
> This seems pretty unstable, though I'm not sure how this could be nicely
> fixed if upstream code insists on not setting group write.
> 
> Perhaps I am just using the software incorrectly and some additional info
> could be added to elog?

Instead of having a symlink from ~/.ipfs to /var/lib/ipfs/.ipfs, what I do is export /etc/conf.d/ipfs so the shell uses that IPFS_PATH. I don't like it but it works; maybe it would be better to have a wrapper around ipfs or something like that which by default sets IPFS_PATH according to /etc/conf.d/ipfs.
Comment 7 Horea Christian 2022-04-14 17:45:40 UTC
@David

But even without the symlink and pointing to the right path, executing `ipfs` commands will fail if done as user:

```
neurohost /var/lib/ipfs # su -s /bin/sh -c "ipfs init -e" ipfs
neurohost /var/lib/ipfs # /etc/init.d/ipfs start
 * Caching service dependencies ...                                                                                                   [ ok ]
 * Starting ipfs ...
neurohost /var/lib/ipfs # su - chymera
chymera@neurohost ~ $ ipfs get Qmep2QrM7L7ditXcjKArVPkvmMtVNAh4p5KSPBBS8usr1X
Error: error loading plugins: open /var/lib/ipfs/.ipfs/config: permission denied
```
Comment 8 David Roman 2022-04-14 18:04:40 UTC
(In reply to Horea Christian from comment #7)
> @David
> 
> But even without the symlink and pointing to the right path, executing
> `ipfs` commands will fail if done as user:
> 
> ```
> neurohost /var/lib/ipfs # su -s /bin/sh -c "ipfs init -e" ipfs
> neurohost /var/lib/ipfs # /etc/init.d/ipfs start
>  * Caching service dependencies ...                                                                                                   [ ok ]
>  * Starting ipfs ...
> neurohost /var/lib/ipfs # su - chymera
> chymera@neurohost ~ $ ipfs get Qmep2QrM7L7ditXcjKArVPkvmMtVNAh4p5KSPBBS8usr1X
> Error: error loading plugins: open /var/lib/ipfs/.ipfs/config: permission denied
> ```

It works for me, I will try with a fresh install. Did you update the permissions of /var/lib/ipfs/.ipfs/config after removing the symlink?
Comment 9 Joe Kappus 2024-01-13 08:29:51 UTC
I am going to close this. There are workarounds for this use case, upstream advised on what to do, and I'm really not sure what we can do on the distro level. Add users to ipfs group and make sure the config has group read permissions, I think that's the resolution?
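
A check for the state the thread converges on, added here as an example and not part of the bug report or the Gentoo package: it reports ownership drift (the description says the service failed until `chown -R ipfs:ipfs` was run), entries the group cannot read or traverse, and a `config` or `keystore` opened beyond the group. The function name and the finding labels are made up for this example.

```shell
#!/bin/sh
# Added example, not from the bug report. audit_ipfs_repo and its finding
# labels are made-up names; REPO, OWNER and GROUP are supplied by the caller.
# usage: sh audit.sh /var/lib/ipfs/.ipfs ipfs ipfs
audit_ipfs_repo() {
    repo=$1 owner=$2 group=$3
    findings=$(
        # Ownership drift: anything not owned by the service user and group.
        find "$repo" \( ! -user "$owner" -o ! -group "$group" \) |
            sed 's/^/ownership-drift: /'
        # Group members need r on files and r-x on directories; a 0600
        # config is what produces "open .../config: permission denied".
        find "$repo" -type f ! -perm -g+r | sed 's/^/no-group-read: /'
        find "$repo" -type d ! -perm -g+rx | sed 's/^/no-group-traverse: /'
        # Widening access should stop at the group: kubo keeps the node's
        # private keys in config and keystore, so "other" gets no bits there.
        find "$repo/config" "$repo/keystore" \
            \( -perm -o+r -o -perm -o+w -o -perm -o+x \) 2>/dev/null |
            sed 's/^/world-accessible: /'
    )
    # Exit status 0 means a clean repo, 1 means findings were printed.
    if [ -z "$findings" ]; then return 0; fi
    printf '%s\n' "$findings"
    return 1
}

# Run the audit when called as a script with REPO OWNER GROUP.
if [ "$#" -eq 3 ]; then audit_ipfs_repo "$@"; fi
```

Running it after any `ipfs config` change made as a regular user shows whether the rewritten files kept the expected owner and mode.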