I'm using Ansible to set up a remote server, and I'm using SSH agent forwarding to git clone a repository from bitbucket.org with my local SSH key. Because I'm using sudo, I'm preserving the SSH_AUTH_SOCK environment variable with a file in the /etc/sudoers.d/ directory which contains:
Defaults env_keep += SSH_AUTH_SOCK
This indeed makes the environment variable available when using sudo. The problem is when I want to clone as another user, web, that doesn't have permission to access the socket file at SSH_AUTH_SOCK.
Currently I'm setting the ownership of the socket directory recursively to this user so that I don't have to give 0777 permissions to the socket file.
$ ls -l /tmp
drwx------  2 web web 4096 Aug  7 09:09 ssh-PcIG22W1CM
All of this is done using Ansible, but I'm not sharing the Ansible code as this issue applies to any other situation.
Is it better to use a symbolic link? If not, what is the best practice to share this socket file without giving rwx permissions to everyone?
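Added here as an example that is not part of the original post: a small permission audit for the agent socket the question is about, plus the per-user ACL grant a practitioner would reach for instead of 0777. Assumptions: the socket lives in a directory like /tmp/ssh-PcIG22W1CM as named by SSH_AUTH_SOCK, the extra user is web as in the question, and the filesystem holding /tmp supports POSIX ACLs; the setfacl commands are only built as strings, never executed.

```python
import os
import socket
import stat
import tempfile

# Anyone who can connect to the socket can ask the agent to sign with every
# key it holds. Linux needs write permission on the socket to connect; other
# systems may ignore the socket's own mode, so the directory mode is the
# check that holds everywhere.

def audit_agent_socket(sock_path):
    """Return findings describing over-broad permissions (empty means fine)."""
    findings = []
    st = os.stat(sock_path)  # follows symlinks: a symlinked socket is still checked
    if not stat.S_ISSOCK(st.st_mode):
        return ["%s is not a unix socket" % sock_path]
    if st.st_mode & stat.S_IRWXO:
        findings.append("socket is world-accessible (%s)" % stat.filemode(st.st_mode))
    if st.st_mode & stat.S_IRWXG:
        findings.append("socket grants group access (%s)" % stat.filemode(st.st_mode))
    dst = os.stat(os.path.dirname(os.path.abspath(sock_path)))
    if dst.st_mode & stat.S_IRWXO:
        findings.append("directory is world-accessible (%s)" % stat.filemode(dst.st_mode))
    return findings

def acl_grant_commands(sock_path, user):
    """setfacl lines admitting one extra user: search (x) on the dir, rw on the socket.
    Assumption (not from the question): POSIX ACLs are supported where the socket lives."""
    sock_dir = os.path.dirname(os.path.abspath(sock_path))
    return ["setfacl -m u:%s:x %s" % (user, sock_dir),
            "setfacl -m u:%s:rw %s" % (user, sock_path)]

def demo():
    """Audit a throwaway socket (constructed sample) with tight and then loose modes."""
    tmp = tempfile.mkdtemp(prefix="ssh-")
    path = os.path.join(tmp, "agent.0")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.chmod(tmp, 0o700)
    os.chmod(path, 0o600)  # what ssh-agent itself sets
    tight = audit_agent_socket(path)
    os.chmod(tmp, 0o777)
    os.chmod(path, 0o777)  # the shortcut the question wants to avoid
    loose = audit_agent_socket(path)
    srv.close(); os.unlink(path); os.rmdir(tmp)
    return {"tight": tight, "loose": loose, "acl": acl_grant_commands(path, "web")}
```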