This is not done with ioctl
, but rather with dedicated system calls: chmod
, chown
, and chgrp
for the basic user/group/other set of file permissions, and acl_*
for full-fledged ACLs. You probably also want to know about the setuid
, setgid
, and setgroups
system calls, which are how you drop privileges in a running application.
You can accomplish your goals using only the basic user/group/other permissions. Configure your system as follows:
- The server application has a dedicated user ID and group; let's say they are both named
nlserver
("nl" for "noloader"). - The administrative component also has a dedicated user ID and group, let's say
nladmin
. - The configuration file is set to be mode 0640 (aka
-rw-r-----
) and owned by usernladmin
, groupnlserver
. (The code responsible for doing this should be in the administrative component, not the server itself.) - When the server starts up, after doing everything it needs to do as
root
(e.g. bind low-numbered ports), it usessetgroups
,setgid
, andsetuid
(IN THAT ORDER!) to change to usernlserver
, groupnlserver
, and clear the supplementary groups list. Only after doing so does it open the configuration file.