Appendix - Application Permissions
- Last Updated: May 13, 2026
In most installations of Semaphore, the default permissions set during installation are sufficient for operation of the product. However, particular configurations may require permissions to be set specifically for the various Semaphore components. The following standard users are created during a normal Linux install of the product:
- sem_cs - Service account for Classification Server
- semaphore - Service account for Studio and Semantic Enhancement Server
These users are both members of the “semaphore” group. It is important that the various Semaphore applications are executed as the appropriate user (for example, using “su - <user> <command>”); otherwise, files may be created with permissions that suit the user executing the command but do not allow the Semaphore application to run normally as a service.
The following table indicates which components (and their associated users from above) require the given access to each directory; this applies to any user executing or using the application:
| Directory | Classification Server | Semantic Enhancement Server | Studio |
|---|---|---|---|
| /var/opt/semaphore/run/ (pid files) | Read/Write | | |
| (Environment Variable Path) SEMAPHORE_WORKBENCH_HOME | Read/Write |
Permissions indicated should be set for the given directories and all sub-directories. The product installers will set the permissions for their service users so that all products will have at least:
- “read” access to their own installation directories (normally under “/opt/semaphore”)
- “read” access to their own configuration directories (normally under “/etc/opt/semaphore”), and,
- “read/write” access to their own data directories (normally under “/var/opt/semaphore”)
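
The following audit script is an added example, not part of the Semaphore product or its documentation. It looks for the symptom described above: entries in a data directory that were created by the wrong user, or whose owner lacks read/write access. The function names are hypothetical, and treating ownership by the service account as the expected state is an assumption; access granted through the “semaphore” group is not evaluated.

```shell
#!/bin/sh
# Added example (not Semaphore's own tooling). Function names are hypothetical.
# Assumption: entries in a component's data directory should be owned by its
# service account (sem_cs or semaphore) with owner read/write access.

# foreign_owned DIR USER
# Print every entry under DIR that is NOT owned by USER (name or numeric uid).
# Typical cause: the application was started as root or a personal account.
foreign_owned() {
    find "$1" ! -user "$2" -print 2>/dev/null
}

# unusable_by_owner DIR
# Print entries whose owner bits do not allow read/write use:
# directories need rwx (0700), everything else needs rw (0600).
unusable_by_owner() {
    find "$1" \( -type d ! -perm -0700 -o ! -type d ! -perm -0600 \) -print 2>/dev/null
}

# audit DIR USER
# Report both kinds of finding; return 0 only when the tree is clean.
audit() {
    bad_owner=$(foreign_owned "$1" "$2")
    bad_mode=$(unusable_by_owner "$1")
    if [ -n "$bad_owner" ]; then
        printf 'not owned by %s:\n%s\n' "$2" "$bad_owner"
    fi
    if [ -n "$bad_mode" ]; then
        printf 'owner lacks read/write:\n%s\n' "$bad_mode"
    fi
    [ -z "$bad_owner$bad_mode" ]
}

# Usage: sh audit.sh <service-user> [directory]
# e.g.   sh audit.sh sem_cs /var/opt/semaphore/run
# The directory defaults to the data root named on this page.
if [ "$#" -ge 1 ]; then
    audit "${2:-/var/opt/semaphore}" "$1"
fi
```

A non-zero exit status means at least one entry needs its ownership or mode reviewed before the component is restarted as a service.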