OpenClaw Gateway Permission Configuration

Summary

This page defines the filesystem permission requirements and directory ownership rules necessary for the openclaw-gateway service to function within the Sokrates NixOS environment. It documents the transition from manual chown fixes to permanent NixOS configuration rules that ensure the openclaw user can access required state and configuration paths.

Details

The openclaw-gateway service operates as a dedicated system user, openclaw. To maintain the security boundary of the Sokrates stack while allowing the gateway to function, specific filesystem permissions must be enforced across several key directories. During the development of the sokrates-dev environment (GMKtec hardware), two primary permission conflicts were identified that prevented the service from starting or writing necessary temporary files.

Directory Traversal and /var/lib/sokrates

The root of the Sokrates state directory, /var/lib/sokrates, was initially configured in dev.nix with mode 0750 and ownership hakon:docker. This created a traversal block: entering a directory requires the execute (search) bit for the caller, and 0750 grants that bit only to the owner and to members of the docker group. Because the openclaw user is neither, it could not reach any subdirectory below that path, including ones it owned outright. Adding openclaw to the docker group would have been the wrong fix: that group controls the Docker socket and is effectively root-equivalent on the host.

To resolve this, the architectural rule for the Sokrates state root was updated:

  • Path: /var/lib/sokrates
  • Permission: 0755. The execute bit for "others" is what unblocks traversal; the read bit additionally lets any user list the names of the subdirectories, but not read their contents, which remain governed by each subdirectory's own mode.
  • Ownership: set by the NixOS module rather than by hand, so it survives reboots and redeploys.

Periphery and Secrets Ownership

The OpenClaw gateway requires read/write access to its own state and secret directories. These are located within the Sokrates hierarchy but must be explicitly owned by the service user. The following ownership rules are enforced:

  • /var/lib/sokrates/periphery must be owned recursively by openclaw:openclaw.
  • /var/lib/sokrates/secrets/periphery must be owned recursively by openclaw:openclaw.

For a manual reset, or a deployment that predates the module rules, the following recovery commands were established. The Nix flake now applies the equivalent settings automatically, so they should only be needed as a fallback:

# restore traversal of the state root for all users
sudo chmod 755 /var/lib/sokrates
# hand the gateway's state and secret trees to the service user
sudo chown -R openclaw:openclaw /var/lib/sokrates/periphery /var/lib/sokrates/secrets/periphery
# pick up the corrected permissions
sudo systemctl restart openclaw-gateway

Configuration Write Access in /etc

A secondary issue was identified within the nix-openclaw module. NixOS generates the files under /etc from the system configuration: the contents live in the read-only Nix store and /etc holds symlinks to them (via /etc/static), so the generated files cannot be modified in place. The openclaw-gateway process, however, attempts to write temporary files back to /etc/openclaw/.

Because the nix-openclaw module generates this directory as root-owned by default, the gateway fails when it tries to write there. The proposed mitigation for openclaw.nix is a systemd.tmpfiles rule that sets the directory's ownership to the openclaw user at boot and on every configuration switch. This leaves the Nix store untouched: the generated files inside the directory remain symlinks to immutable store paths. It does, however, give the service user write access to the directory entries themselves, which is enough to unlink a generated symlink and replace it with a file of its own choosing; if the gateway reads its configuration from /etc/openclaw, a compromised gateway process could therefore tamper with that configuration. Where the gateway can be pointed at a writable state or runtime directory for its temporary files instead, that is the tighter fix.
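The rules above (the 0755 state root, the openclaw-owned periphery and secrets trees, and the proposed /etc/openclaw ownership rule) expressed as a NixOS module fragment. This is an added example, not code from the Sokrates flake or from the nix-openclaw module. It assumes the hakon, docker, and openclaw users/groups already exist, that the state root keeps its original hakon:docker ownership, and it picks modes of 0750 and 0700 for the periphery and secrets/periphery directories; the page only fixes the mode of the root, so those two modes are assumptions.

```nix
# Added example: NixOS module fragment for the openclaw-gateway permission rules.
# Not the project's own code. Assumed: users hakon/openclaw and groups docker/openclaw
# exist; the 0750/0700 modes on the subdirectories are this example's choice.
{ config, lib, pkgs, ... }:

{
  # tmpfiles rules are applied at boot and again during nixos-rebuild switch,
  # so ownership and modes are restored without manual chown/chmod.
  systemd.tmpfiles.rules = [
    # State root: 0755 so every user, openclaw included, can traverse it.
    # The root stays owned by hakon:docker (assumed unchanged from dev.nix);
    # the "others" execute bit is what unblocks traversal.
    "d /var/lib/sokrates 0755 hakon docker -"

    # Gateway state: created if missing, owned by the service user.
    # 'd' fixes mode and ownership of the directory itself; 'Z' walks the tree
    # and re-applies ownership recursively. A '-' in the mode field leaves
    # existing file modes alone, like the recovery chown -R on this page.
    "d /var/lib/sokrates/periphery 0750 openclaw openclaw -"
    "Z /var/lib/sokrates/periphery - openclaw openclaw -"

    # Gateway secrets: same pattern, but 0700 so nothing outside the service
    # user can even list the directory (mode is an assumption of this example).
    "d /var/lib/sokrates/secrets/periphery 0700 openclaw openclaw -"
    "Z /var/lib/sokrates/secrets/periphery - openclaw openclaw -"

    # Proposed fix for the /etc write issue: hand the generated directory to
    # the service user. Lowercase 'z' touches only the directory entry; the
    # symlinks inside still point into the read-only store. The gateway can now
    # create files here, and can also unlink/replace the generated symlinks,
    # which is why a writable state or runtime path is preferable if supported.
    "z /etc/openclaw 0750 openclaw openclaw -"
  ];
}
```

To confirm the result after a switch, run the checks as the service user rather than as root: `sudo -u openclaw test -x /var/lib/sokrates` verifies traversal of the root, and `sudo -u openclaw test -w /var/lib/sokrates/periphery` (likewise for secrets/periphery and /etc/openclaw) verifies the write access the gateway needs. A root shell would pass those tests regardless of the rules and prove nothing.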