Recommended File and Folder Permissions
List of permissions required for users and groups, core components, and files.
This section explains the required users and groups, core components, and recommended file permissions for running Protegrity Upgrade Agent and the AP Java SDK securely on Linux systems.
Note: The user running the Upgrade Agent must own the extracted old SDK build used for the upgrade. If a local path is configured in sdkupgrd.conf, the user must also own the downloaded new build.
The following tables describe which users can access specific directories under the Upgrade Agent installation and explain why these permissions are required.
- ptyadmin: Admin user who owns and manages the Upgrade Agent, RPAgent, and Log Forwarder.
- ptyuser1: AP Java application user.
Upgrade Agent
The Upgrade Agent is always installed under /opt/protegrity/upgrader/.
| Path | Owner:Group | Mode | Notes |
|---|---|---|---|
| /opt/protegrity/ | ptyadmin:ptyadmin | 751 | Allows users to traverse into subdirectories without listing the contents of /opt/protegrity. |
| upgrader/ | ptyadmin:ptyadmin | 750 | - |
| upgrader/bin/ | ptyadmin:ptyadmin | 750 | - |
| upgrader/bin/sdkupgrd | ptyadmin:ptyadmin | 700 | Ensures upgrades and rollbacks can be initiated only by ptyadmin. |
| upgrader/data/ | ptyadmin:ptyadmin | 750 | - |
| upgrader/data/metadata.ini | ptyadmin:ptyadmin | 660 | Enables the SDK to read and update active version information required for upgrade coordination. |
| upgrader/data/sdkupgrd.conf | ptyadmin:ptyadmin | 660 | - |
| upgrader/logs/ | ptyadmin:ptyadmin | 770 | Allows SDK users to create and write log files during runtime and upgrades. |
| upgrader/active_processes/ | ptyadmin:ptyadmin | 770 | Allows SDK users to create PID files so the Upgrade Agent can detect running processes. |
| upgrader/backup/ | ptyadmin:ptyadmin | 750 | Stores backup and rollback data. |
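
The Upgrade Agent table above can be checked mechanically. The following Python audit is an added example, not Protegrity tooling; it assumes the table's relative paths sit under /opt/protegrity, and the names `UPGRADER_BASELINE`, `name_of` and `audit` are hypothetical. It separates modes that grant more than the table allows (an exposure) from modes that are stricter (likely to break the SDK).

```python
import grp
import os
import pwd
import stat

# Expected modes copied from the Upgrade Agent table on this page, as paths
# relative to /opt/protegrity ("" is /opt/protegrity itself). Assumed layout.
UPGRADER_BASELINE = {
    "": 0o751,
    "upgrader": 0o750,
    "upgrader/bin": 0o750,
    "upgrader/bin/sdkupgrd": 0o700,
    "upgrader/data": 0o750,
    "upgrader/data/metadata.ini": 0o660,
    "upgrader/data/sdkupgrd.conf": 0o660,
    "upgrader/logs": 0o770,
    "upgrader/active_processes": 0o770,
    "upgrader/backup": 0o750,
}


def name_of(lookup, ident, field):
    """Resolve a uid/gid to a name; fall back to the number if unmapped."""
    try:
        return getattr(lookup(ident), field)
    except KeyError:
        return str(ident)


def audit(root="/opt/protegrity", owner="ptyadmin", group="ptyadmin"):
    """Return (path, problem) tuples; an empty list means the tree matches."""
    findings = []
    for rel, want in UPGRADER_BASELINE.items():
        path = os.path.normpath(os.path.join(root, rel))
        try:
            st = os.lstat(path)  # lstat: report a symlink, do not follow it
        except OSError as exc:  # missing path or no permission to traverse
            findings.append((path, f"cannot stat: {exc.strerror}"))
            continue
        user = name_of(pwd.getpwuid, st.st_uid, "pw_name")
        grpname = name_of(grp.getgrgid, st.st_gid, "gr_name")
        if (user, grpname) != (owner, group):
            findings.append((path, f"owner {user}:{grpname}, expected {owner}:{group}"))
        have = stat.S_IMODE(st.st_mode)
        if have & ~want:  # at least one permission bit the table does not grant
            findings.append((path, f"mode {have:o} grants more than {want:o}"))
        elif have != want:
            findings.append((path, f"mode {have:o} is stricter than {want:o}"))
    return findings
```

Run it as ptyadmin or root so every path can be reached; the AP Java SDK, RPAgent and Log Forwarder tables can be added to the baseline in the same form.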
AP Java SDK
| Path | Owner:Group | Mode | Notes |
|---|---|---|---|
| sdk/ | ptyadmin:ptyadmin | 750 | Grants AP Java users read and execute access to the SDK. |
| sdk/java/lib/ | ptyadmin:ptyadmin | 750 | Contains SDK JARs and native libraries. |
| sdk/java/lib/ApplicationProtectorJava.jar | ptyadmin:ptyadmin | 640 | Read-only access for AP Java users. |
| sdk/java/lib/jcorelite.plm | ptyadmin:ptyadmin | 640 | Native library used by the SDK runtime. |
| sdk/java/data/ | ptyadmin:ptyadmin | 750 | SDK configuration directory. |
| sdk/java/data/config.ini | ptyadmin:ptyadmin | 640 | SDK configuration file. Read-only access for AP Java users. |
RPAgent
| Path | Owner:Group | Mode | Notes |
|---|---|---|---|
| rpagent/ | ptyadmin:ptyadmin | 755 | Allows read and execute access without exposing writable permissions. |
| rpagent/bin/rpagent | ptyadmin:ptyadmin | 750 | RPAgent runtime binary. |
| rpagent/bin/rpagentctrl | ptyadmin:ptyadmin | 750 | RPAgent control script. |
| rpagent/data/rpagent.cfg | ptyadmin:ptyadmin | 640 | RPAgent configuration file. |
Log Forwarder
| Path | Owner:Group | Mode | Notes |
|---|---|---|---|
| logforwarder/ | ptyadmin:ptyadmin | 755 | Allows read and execute access without write permissions. |
| logforwarder/bin/fluent-bit | ptyadmin:ptyadmin | 750 | Log Forwarder runtime binary. |
| logforwarder/bin/logforwarderctrl | ptyadmin:ptyadmin | 750 | Log Forwarder control script. |
| logforwarder/data/logforwarder.conf | ptyadmin:ptyadmin | 640 | Log Forwarder configuration file. |