Steam user not correctly set, multiple administrators not possible

[Tahvohck]

Context:

• Full User steam controls access to steamcmd. As much as possible, it is isolated from the rest of the system. This is mostly set up this way because that's how steamcmd suggests it. It does mean that while the command isn't globally installed, it's still "centrally" installed.
• System User serv-ark controls the ark system and nothing else. As much as possible, it is isolated from the rest of the system. For security reasons, it is not even able to update the server itself.
• Server admins are part of the serverctl group. They have access to steam's user folder and /srv/ark-server/. They are the users that have permission to change the server core files.
• I'm running the server out of /srv/ark-server, this is where all ark files are installed. It is owned by serv-ark:serverctl. It has the setgid flag (-s-) so that files created in it stay owned by serverctl.

When managing things manually, this worked pretty well. Server admins updated the game, then started a systemd unit file that started the server, switching to serv-ark:serverctl and setting the working directory in the process. The only permission they needed was to start the unit file (a specific line in sudoers). The server is never run as a user with more permissions than it needs, and it can't interact with any other steam servers I run.

With ark-server-tools, I'm having problems getting this setup to work. If I run the command as serv-ark this happens:

$ sudo -u serv-ark `which arkmanager` status
/usr/local/bin/arkmanager: line 217: cd: /home/serv-ark: No such file or directory
[  ERROR  ]     Your SteamCMD exec could not be found.
Running command 'status' for instance 'main'
[  ERROR  ]     Your SteamCMD exec could not be found.
 Server running:   No
 Server listening:   No
 Server build ID:   2964722
 Server version:   281.110

Start runs basically the same, but status gives a good example. There are a couple of issues I'm hitting here.

1. As a system user, serv-ark has no home directory. I didn't previously need one, so I'm not sure why ark-server-tools needs it.
2. I assume steamcmd is used so that updates can be checked for on startup, but it can't do this because serv-ark doesn't have permission to do that. Also, I have autoupdate on start turned off. It also does this on shutdown, which I can see no reason for. With that said, shouldn't it be running as steamcmd_user anyway, based on the config files?
3. If I ran arkmanager as any other user first, the log files can't be updated. It should probably make the files with the same permissions as the log directory.
4. I have to jump hoops just to get serv-ark to run the program because /usr/local/bin isn't in a system user's PATH. That's... minor, but annoying.

If I run the server as a member of serverctl, because they have permission to run steamcmd everything seems to work fine. This is basically the same as current "intended" usage. The only problem is that the server is then run as them. If another administrator were to log in, they wouldn't be able to meaningfully interact with the server. They can't stop it, status returns incorrect information, they can't even start their own server because the port is bound already.

---

Thankfully, writing this up allowed me to rubber-duck the situation, so any of the other problems are eliminated. It's also gotten pretty long, so I apologize if it's rambling. With that said, I propose the following changes to operation:

1. The steamcmd_user is completely removed from the configuration. It's assumed that if you can run arkmanager, you have the right permissions to run steamcmd.sh.
2. Replace it with a server daemon user. In global installation mode, this is defaulted to steam, but still configurable. In single-user installations it's defaulted to the installing user (--me syntax should still work here)
3. If the script is running a 'management' command, it continues as normal. Managing users are assumed to have write permission to the install directory. Maybe they're assumed to have write permission to the log files too, to prevent exposing the logging API via the script and minimize the number of child processes.
4. If the script is running a 'server' command, the first thing it does after parsing arguments and loading settings is to immediately fork to the server daemon user and exit. The child arkmanager is no longer assumed to have write access to the core server files, and it does not attempt to change away from the installation directory. It is assumed to have write permission to the log directory. The only sudo permission administrators need is permission to run sudo arkmanager

Under this flow, a user running the server as themselves would notice no change. sudo to yourself is allowed without any configuration, and the script continues as normal. Users running the server in a restricted sandbox would still be able to configure the server, download updates, and set up cron jobs, but would run the server itself as the sandboxed user.

[klightspeed]

Server admins are part of the serverctl group. They have access to steam's user folder and /srv/ark-server/. They are the users that have permission to change the server core files.

The ARK server changes the permissions on its config files etc. to 0600 (u=rw,go-rwx) on starting, so the script would need to change the permissions back to whatever configured permissions you want.

I'm running the server out of /srv/ark-server, this is where all ark files are installed. It is owned by serv-ark:serverctl. It has the setgid flag (-s-) so that files created in it stay owned by serverctl.

The setgid bit only ensures files are created with the specified group. It does not ensure that the group permission bits are not changed by the file's owner.

As a system user, serv-ark has no home directory. I didn't previously need one, so I'm not sure why ark-server-tools needs it.

The directory the command runs in needs to be accessible, as otherwise some commands have been seen to fail.

I assume steamcmd is used so that updates can be checked for on startup, but it can't do this because serv-ark doesn't have permission to do that. Also, I have autoupdate on start turned off. It also does this on shutdown, which I can see no reason for. With that said, shouldn't it be running as steamcmd_user anyway, based on the config files?

steamcmd_user is currently used when the script is run as root, and to determine whether or not to use sudo when performing a tools upgrade.

The warnings are from sanity checks that are performed during script startup.

If I ran arkmanager as any other user first, the log files can't be updated. It should probably make the files with the same permissions as the log directory.

Non-root users cannot set the owner of files or directories without the CAP_CHOWN capability. The default permissions of the log files are determined by the umask of the running user.

I have to jump hoops just to get serv-ark to run the program because /usr/local/bin isn't in a system user's PATH. That's... minor, but annoying.

https://www.tldp.org/LDP/Linux-Filesystem-Hierarchy/html/usr.html

Locally installed software must be placed within /usr/local rather than /usr unless it is being installed to replace or upgrade software in /usr.

If you wanted to install the software into /usr/bin, then the install-time --prefix=/usr option can be used. Giving install.sh the --help argument will show what options are available. Such options are also passed through the net installer.

If the script is running a 'server' command, the first thing it does after parsing arguments and loading settings is to immediately fork to the server daemon user and exit. The child arkmanager is no longer assumed to have write access to the core server files, and it does not attempt to change away from the installation directory. It is assumed to have write permission to the log directory. The only sudo permission administrators need is permission to run sudo arkmanager

By server command, I assume you mean commands such as run?

The ARK server (i.e. ShooterGameServer) needs read access to its own files, and write access to its Saved directory. If write access is not granted to e.g. its GameUserSettings.ini file, then RCON commands that set server variables (such as the MOTD) will not persist over restarts.

If -automanagedmods is used, then the ARK server will also run steamcmd installed in its Engine/Binaries/ThirdParty/SteamCMD/Linux directory, and that requires a valid home directory.

PR #971 adds options to set the directory into which arkmanager will switch, and to set the user under which the game server runs.

[Tahvohck]

I think that PR #971 will solve the major issues I was having. The big reason I opened an issue instead of trying to tweak the code myself was the assumption you knew the code better and knew a more efficient way to solve it. I'm glad that was the case. :P
For the rest, in order:

• Permissions: Yeah. Log files especially are a pain about this, because the ShooterGameServer specifically creates them with restricted permissions. Likewise for the actual save games, but this is an "issue" with the server itself and not the arkmanager tools. That said, I've got workarounds for it already.
• SetGID: This is true. However, the majority of the server files do not have permissions changed. Beyond that, they definitely don't have their group changed, and that's good enough for multi-admin operation.
• Home directory: Fair enough. I suggest this be disabled on global installs, a sanity check added, or, if no files need to actually be created here, just switch to / Moot point. serverbasedir allows this.
• steamcmd_user: fair enough. I thought I saw that the script refuses to run as root.
• Warnings: also fair. It may be better if these were warnings instead? Errors imply fatal (which it will obviously be if it tries to run an actual steam command)
• Log directory: I'll set the setGID bit here as well then. That should probably happen during the installation, if it's being installed globably.
• /usr/local: Yeah. I'm a big fan of following the hierarchy, that was just a complaint. This is also fixed by PR Add options to set working directory and server user #971 since I no longer need to run arkmanager as the user that will be running the server.
• "Server" commands: I did mean that, yes. Run, start, stop, I think would be the only three. I'm also okay with the server itself changing its configuration files, I meant the arkmanager script assuming that it couldn't. That's a moot point with Add options to set working directory and server user #971 now though.

[Romaq]

I have a setup that has me happy having cluster files saved to /home/steam/copper (the cluster name). My intent is to allow *.ark to be read by a trusted user so he can skim the latest copy of the *.ark file for use with Ark Smart Breeding. Unfortunately, I have the following problem with the group permissions:

-rw------- 1 steam steam 48M Mar 6 07:13 Ragnarok.ark
-rw------- 1 steam steam 18M Mar 6 07:09 ScorchedEarth_P.ark
-rw-rw-r-- 1 steam steam 38M Feb 11 17:17 TheIsland.ark
steam@headless:~/copper$

The only reason "TheIsland.ark" isn't set g-rw yet is the instance hasn't saved to that copy coming from my Windows machine FTP backup. Once the new TheIsland.ark is written, I'll lose it to go-rw.

"The default permissions of the log files are determined by the umask of the running user." is mentioned in this thread. "$touch test" by user steam gets me the expected -rw-rw-r-- permissions. So "somewhere" the umask is being changed. How may I have "umask u=rw,g=r,o=" for *.ark file writing? My hope is to add my friend to the steam group, allow him to read the data via sftp, and neither one of us have to worry about potential harm to the *.ark data.

[klightspeed]

The *.ark files are written by the server itself, and the script would need to monitor the directory and update the permissions on the updated ark file after it is written.

From a strace I did a while ago:

29240 00:39:46.456684 [00007fbbfa84f95d] open("${ROOT}/ShooterGame/Saved/SavedArks/TheIsland.tmp", O_WRONLY|O_CREAT|O_CLOEXEC, 0600) = 16
29240 00:39:46.456738 [00007fbbf9733297] flock(16, LOCK_EX|LOCK_NB) = 0
29240 00:39:46.456770 [00007fbbf973a167] ftruncate(16, 0) = 0
29240 00:39:46.456816 [00007fbbf97327d4] fstat(16, {st_mode=S_IFREG|0600, st_size=0, ...}) = 0
29240 00:39:46.456849 [00007fbbfa84f1ed] write(16, "\5\0\2577\310IX\0\0\0\n\0\0\0TheIsland\0\v\0\0\0B4_F"..., 1048576) = 1048576
...
29240 00:39:48.651177 [00007fbbfa84f1ed] write(16, "ocation\0\17\0\0\0StructProperty\0\f\0\0\0\0"..., 293794) = 293794
29240 00:39:48.662113 [00007fbbfa84f2ad] close(16) = 0
29240 00:39:48.662177 [00007fbbf9732b67] mkdir("${ROOT}/ShooterGame/Binaries", 0755) = -1 EEXIST (File exists)
29240 00:39:48.662227 [00007fbbf9732785] stat("${ROOT}/ShooterGame/Binaries", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
29240 00:39:48.662271 [00007fbbf9732b67] mkdir("${ROOT}/ShooterGame", 0755) = -1 EEXIST (File exists)
29240 00:39:48.662309 [00007fbbf9732785] stat("${ROOT}/ShooterGame", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
29240 00:39:48.662353 [00007fbbf9732b67] mkdir("${ROOT}", 0755) = -1 EEXIST (File exists)
29240 00:39:48.662401 [00007fbbf9732785] stat("${ROOT}", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
29240 00:39:48.662445 [00007fbbf9732b67] mkdir("${ROOT}/ShooterGame", 0755) = -1 EEXIST (File exists)
29240 00:39:48.662485 [00007fbbf9732785] stat("${ROOT}/ShooterGame", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
29240 00:39:48.662532 [00007fbbf9732b67] mkdir("${ROOT}/ShooterGame/Saved", 0755) = -1 EEXIST (File exists)
29240 00:39:48.662572 [00007fbbf9732785] stat("${ROOT}/ShooterGame/Saved", {st_mode=S_IFDIR|0775, st_size=4096, ...}) = 0
29240 00:39:48.662625 [00007fbbf9732b67] mkdir("${ROOT}/ShooterGame/Saved/SavedArks", 0755) = -1 EEXIST (File exists)
29240 00:39:48.662666 [00007fbbf9732785] stat("${ROOT}/ShooterGame/Saved/SavedArks", {st_mode=S_IFDIR|0775, st_size=4096, ...}) = 0
29240 00:39:48.662707 [00007fbbf9732785] stat("${ROOT}/ShooterGame/Saved/SavedArks", {st_mode=S_IFDIR|0775, st_size=4096, ...}) = 0
29240 00:39:48.662751 [00007fbbf9732785] stat("${ROOT}/ShooterGame/Saved/SavedArks/TheIsland.ark", {st_mode=S_IFREG|0600, st_size=29652264, ...}) = 0
29240 00:39:48.662794 [00007fbbf9734517] unlink("${ROOT}/ShooterGame/Saved/SavedArks/TheIsland.ark") = 0
29240 00:39:49.065012 [00007fbbf96bf0c7] rename("${ROOT}/ShooterGame/Saved/SavedArks/TheIsland.tmp", "${ROOT}/ShooterGame/Saved/SavedArks/TheIsland.ark") = 0

The first line shows the server creating the new temporary file with mode 0600 (i.e. u+rw), and the last line shows it renaming it over the ark file.

In this, TID 29240 is a thread within the server process:

29200 00:20:56.383058 [00007fc17e3717d7] execve("./arkmanager", ["./arkmanager", "start"], [/* 44 vars */]) = 0
29200 00:20:56.617317 [00007f11a9a314d4] clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f11aa3dd9d0) = 29207
29207 00:20:56.642178 [00007f11a9a314d4] clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f11aa3dd9d0) = 29212
29212 00:20:56.642685 [00007f11a9a317d7] execve("/bin/env", ["env", "-i", ...], [/* 43 vars */]) = 0
29212 00:20:56.643821 [00007fda1a3217d7] execve("${ROOT}/ShooterGame/Binaries/Linux/ShooterGameServer", [/* 2 args */], [/* 0 vars */]) = 0
29212 00:21:02.372185 [00007fbbf973f8b1] clone(child_stack=0x7fbbf9614f70, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0x7fbbf96169d0, tls=0x7fbbf9616700, child_tidptr=0x7fbbf96169d0) = 29240

The server also sets mode 0600 when writing a new profile or tribe file.

29240 00:39:33.677622 [00007fbbfa84f95d] open("${ROOT}/ShooterGame/Saved/SavedArks/${steamid}.tmprofile", O_WRONLY|O_CREAT|O_CLOEXEC, 0600) = 17
29240 00:39:33.895421 [00007fbbf9733297] flock(17, LOCK_EX|LOCK_NB) = 0
29240 00:39:33.895479 [00007fbbf973a167] ftruncate(17, 0) = 0
29240 00:39:33.895552 [00007fbbf973b877] mprotect(0x7fbb84021000, 8192, PROT_READ|PROT_WRITE) = 0
29240 00:39:33.895612 [00007fbbf973b877] mprotect(0x7fbb84023000, 8192, PROT_READ|PROT_WRITE) = 0
29240 00:39:33.895678 [00007fbbf97327d4] fstat(17, {st_mode=S_IFREG|0600, st_size=0, ...}) = 0
29240 00:39:33.895736 [00007fbbfa84f1ed] write(17, "\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\21\0\0\0Prim"..., 13691) = 13691
29240 00:39:34.154420 [00007fbbfa84f2ad] close(17) = 0
29240 00:39:34.154566 [00007fbbf9732785] stat("${ROOT}/ShooterGame/Saved/SavedArks/${steamid}.arkprofile", {st_mode=S_IFREG|0600, st_size=13691, ...}) = 0
29240 00:39:34.154656 [00007fbbf9732a77] chmod("${ROOT}/ShooterGame/Saved/SavedArks/${steamid}.arkprofile", 0100600) = 0
29240 00:39:34.154755 [00007fbbf9732b67] mkdir("${ROOT}/ShooterGame/Binaries", 0755) = -1 EEXIST (File exists)
29240 00:39:34.154812 [00007fbbf9732785] stat("${ROOT}/ShooterGame/Binaries", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
29240 00:39:34.154874 [00007fbbf9732b67] mkdir("${ROOT}/ShooterGame", 0755) = -1 EEXIST (File exists)
29240 00:39:34.154933 [00007fbbf9732785] stat("${ROOT}/ShooterGame", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
29240 00:39:34.155013 [00007fbbf9732b67] mkdir("${ROOT}", 0755) = -1 EEXIST (File exists)
29240 00:39:34.155072 [00007fbbf9732785] stat("${ROOT}", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
29240 00:39:34.155152 [00007fbbf9732b67] mkdir("${ROOT}/ShooterGame", 0755) = -1 EEXIST (File exists)
29240 00:39:34.155219 [00007fbbf9732785] stat("${ROOT}/ShooterGame", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
29240 00:39:34.155288 [00007fbbf9732b67] mkdir("${ROOT}/ShooterGame/Saved", 0755) = -1 EEXIST (File exists)
29240 00:39:34.155337 [00007fbbf9732785] stat("${ROOT}/ShooterGame/Saved", {st_mode=S_IFDIR|0775, st_size=4096, ...}) = 0
29240 00:39:34.155393 [00007fbbf9732b67] mkdir("${ROOT}/ShooterGame/Saved/SavedArks", 0755) = -1 EEXIST (File exists)
29240 00:39:34.155443 [00007fbbf9732785] stat("${ROOT}/ShooterGame/Saved/SavedArks", {st_mode=S_IFDIR|0775, st_size=4096, ...}) = 0
29240 00:39:34.155493 [00007fbbf9732785] stat("${ROOT}/ShooterGame/Saved/SavedArks", {st_mode=S_IFDIR|0775, st_size=4096, ...}) = 0
29240 00:39:34.155549 [00007fbbfa84f95d] open("${ROOT}/ShooterGame/Saved/SavedArks/${steamid}.tmprofile", O_RDONLY) = 17
29240 00:39:34.155592 [00007fbbf97327d4] fstat(17, {st_mode=S_IFREG|0600, st_size=13691, ...}) = 0
29240 00:39:34.155647 [00007fbbf9732785] stat("${ROOT}/ShooterGame/Saved/SavedArks/${steamid}.arkprofile", {st_mode=S_IFREG|0600, st_size=13691, ...}) = 0
29240 00:39:34.155702 [00007fbbfa84f95d] open("${ROOT}/ShooterGame/Saved/SavedArks/${steamid}.arkprofile", O_WRONLY|O_CREAT|O_CLOEXEC, 0600) = 22
29240 00:39:34.155743 [00007fbbf9733297] flock(22, LOCK_EX|LOCK_NB) = 0
29240 00:39:34.155781 [00007fbbf973a167] ftruncate(22, 0) = 0
29240 00:39:34.283889 [00007fbbfa84f24d] read(17, "\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\21\0\0\0Prim"..., 13691) = 13691
29240 00:39:34.283935 [00007fbbfa84f1ed] write(22, "\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\21\0\0\0Prim"..., 13691) = 13691
29240 00:39:34.284032 [00007fbbfa84f2ad] close(22) = 0
29240 00:39:34.284075 [00007fbbfa84f2ad] close(17) = 0
29240 00:39:34.366621 [00007fbbf9732e77] access("${ROOT}/ShooterGame/Saved/SavedArks/${steamid}.tmprofile", F_OK) = 0
29240 00:39:34.366697 [00007fbbf9732e77] access("${ROOT}/ShooterGame/Saved/SavedArks/${steamid}.tmprofile", W_OK) = 0
29240 00:39:34.366749 [00007fbbf9732785] stat("${ROOT}/ShooterGame/Saved/SavedArks/${steamid}.arkprofile", {st_mode=S_IFREG|0600, st_size=13691, ...}) = 0
29240 00:39:34.366801 [00007fbbf9732a77] chmod("${ROOT}/ShooterGame/Saved/SavedArks/${steamid}.arkprofile", 0100600) = 0
29240 00:39:34.366859 [00007fbbf9732785] stat("${ROOT}/ShooterGame/Saved/SavedArks/${steamid}.tmprofile", {st_mode=S_IFREG|0600, st_size=13691, ...}) = 0
29240 00:39:34.403542 [00007fbbf9734517] unlink("${ROOT}/ShooterGame/Saved/SavedArks/${steamid}.tmprofile") = 0

29240 00:47:10.841363 [00007fbbfa84f95d] open("${ROOT}/ShooterGame/Saved/SavedArks/${tribeid}.tmptribe", O_WRONLY|O_CREAT|O_CLOEXEC, 0600) = 17
29240 00:47:10.910829 [00007fbbf9733297] flock(17, LOCK_EX|LOCK_NB) = 0
29240 00:47:10.910877 [00007fbbf973a167] ftruncate(17, 0) = 0
29240 00:47:10.910940 [00007fbbfa84ef9c] futex(0x7fbbfabfc0f8, FUTEX_WAIT_PRIVATE, 2, NULL) = -1 EAGAIN (Resource temporarily unavailable)
29240 00:47:10.910993 [00007fbbfa84f03a] futex(0x7fbbfabfc0f8, FUTEX_WAKE_PRIVATE, 1) = 0
29240 00:47:10.941264 [00007fbbfa84f03a] futex(0x7fbbfabfc020, FUTEX_WAKE_PRIVATE, 1) = 0
29240 00:47:10.941348 [00007fbbf97327d4] fstat(17, {st_mode=S_IFREG|0600, st_size=0, ...}) = 0
29240 00:47:10.941403 [00007fbbfa84f1ed] write(17, "\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\0Prim"..., 585) = 585
29240 00:47:10.957969 [00007fbbfa84f2ad] close(17) = 0
29240 00:47:10.958035 [00007fbbf9732785] stat("${ROOT}/ShooterGame/Saved/SavedArks/${tribeid}.arktribe", {st_mode=S_IFREG|0600, st_size=585, ...}) = 0
29240 00:47:10.958125 [00007fbbf9732a77] chmod("${ROOT}/ShooterGame/Saved/SavedArks/${tribeid}.arktribe", 0100600) = 0
29240 00:47:10.958176 [00007fbbf9732b67] mkdir("${ROOT}/ShooterGame/Binaries", 0755) = -1 EEXIST (File exists)
29240 00:47:10.958218 [00007fbbf9732785] stat("${ROOT}/ShooterGame/Binaries", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
29240 00:47:10.958268 [00007fbbf9732b67] mkdir("${ROOT}/ShooterGame", 0755) = -1 EEXIST (File exists)
29240 00:47:10.958306 [00007fbbf9732785] stat("${ROOT}/ShooterGame", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
29240 00:47:10.958351 [00007fbbf9732b67] mkdir("${ROOT}", 0755) = -1 EEXIST (File exists)
29240 00:47:10.958389 [00007fbbf9732785] stat("${ROOT}", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
29240 00:47:10.958447 [00007fbbf9732b67] mkdir("${ROOT}/ShooterGame", 0755) = -1 EEXIST (File exists)
29240 00:47:10.958487 [00007fbbf9732785] stat("${ROOT}/ShooterGame", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
29240 00:47:10.958531 [00007fbbf9732b67] mkdir("${ROOT}/ShooterGame/Saved", 0755) = -1 EEXIST (File exists)
29240 00:47:10.958570 [00007fbbf9732785] stat("${ROOT}/ShooterGame/Saved", {st_mode=S_IFDIR|0775, st_size=4096, ...}) = 0
29240 00:47:10.958616 [00007fbbf9732b67] mkdir("${ROOT}/ShooterGame/Saved/SavedArks", 0755) = -1 EEXIST (File exists)
29240 00:47:10.958656 [00007fbbf9732785] stat("${ROOT}/ShooterGame/Saved/SavedArks", {st_mode=S_IFDIR|0775, st_size=4096, ...}) = 0
29240 00:47:10.958697 [00007fbbf9732785] stat("${ROOT}/ShooterGame/Saved/SavedArks", {st_mode=S_IFDIR|0775, st_size=4096, ...}) = 0
29240 00:47:10.958741 [00007fbbfa84f95d] open("${ROOT}/ShooterGame/Saved/SavedArks/${tribeid}.tmptribe", O_RDONLY) = 17
29240 00:47:10.958777 [00007fbbf97327d4] fstat(17, {st_mode=S_IFREG|0600, st_size=585, ...}) = 0
29240 00:47:10.958818 [00007fbbf9732785] stat("${ROOT}/ShooterGame/Saved/SavedArks/${tribeid}.arktribe", {st_mode=S_IFREG|0600, st_size=585, ...}) = 0
29240 00:47:10.958864 [00007fbbfa84f95d] open("${ROOT}/ShooterGame/Saved/SavedArks/${tribeid}.arktribe", O_WRONLY|O_CREAT|O_CLOEXEC, 0600) = 25
29240 00:47:10.958896 [00007fbbf9733297] flock(25, LOCK_EX|LOCK_NB) = 0
29240 00:47:10.958926 [00007fbbf973a167] ftruncate(25, 0) = 0
29240 00:47:10.998356 [00007fbbfa84f24d] read(17, "\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\0Prim"..., 585) = 585
29240 00:47:10.998395 [00007fbbfa84f1ed] write(25, "\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\0Prim"..., 585) = 585
29240 00:47:10.998445 [00007fbbfa84f2ad] close(25) = 0
29240 00:47:10.998477 [00007fbbfa84f2ad] close(17) = 0
29240 00:47:10.998519 [00007fbbf9732e77] access("${ROOT}/ShooterGame/Saved/SavedArks/${tribeid}.tmptribe", F_OK) = 0
29240 00:47:10.998571 [00007fbbf9732e77] access("${ROOT}/ShooterGame/Saved/SavedArks/${tribeid}.tmptribe", W_OK) = 0
29240 00:47:10.998613 [00007fbbf9732785] stat("${ROOT}/ShooterGame/Saved/SavedArks/${tribeid}.arktribe", {st_mode=S_IFREG|0600, st_size=585, ...}) = 0
29240 00:47:10.998659 [00007fbbf9732a77] chmod("${ROOT}/ShooterGame/Saved/SavedArks/${tribeid}.arktribe", 0100600) = 0
29240 00:47:10.998706 [00007fbbf9732785] stat("${ROOT}/ShooterGame/Saved/SavedArks/${tribeid}.tmptribe", {st_mode=S_IFREG|0600, st_size=585, ...}) = 0
29240 00:47:10.998750 [00007fbbf9734517] unlink("${ROOT}/ShooterGame/Saved/SavedArks/${tribeid}.tmptribe") = 0

The important bits are:

open("${ROOT}/ShooterGame/Saved/SavedArks/TheIsland.tmp", O_WRONLY|O_CREAT|O_CLOEXEC, 0600) = 16
open("${ROOT}/ShooterGame/Saved/SavedArks/${steamid}.tmprofile", O_WRONLY|O_CREAT|O_CLOEXEC, 0600) = 17
open("${ROOT}/ShooterGame/Saved/SavedArks/${steamid}.arkprofile", O_WRONLY|O_CREAT|O_CLOEXEC, 0600) = 22
chmod("${ROOT}/ShooterGame/Saved/SavedArks/${steamid}.arkprofile", 0100600) = 0
open("${ROOT}/ShooterGame/Saved/SavedArks/${tribeid}.tmptribe", O_WRONLY|O_CREAT|O_CLOEXEC, 0600) = 17
open("${ROOT}/ShooterGame/Saved/SavedArks/${tribeid}.arktribe", O_WRONLY|O_CREAT|O_CLOEXEC, 0600) = 25
chmod("${ROOT}/ShooterGame/Saved/SavedArks/${tribeid}.arktribe", 0100600) = 0

[Romaq]

UGH! I was afraid of that. Time for yet another nasty-gram to the Ark Devs that make this crap up. I'm installing the Valheim server without even purchasing the game just to see how it goes. I love the work you are doing here, it's important work for us to be enjoying Ark on a LAN Linux host. But you shouldn't have to do this, or as much of it. Ark server should have been better written, and "clustering" shouldn't even be a 'thing' except very special "dragons be here" circumstances. Thanks for the response, we'll live with access to the steam user because it's the path of least resistance. Making a sticky-bit script to chown the file isn't on my list of things to do. >:(