
What is the best way to share the SSH authentication socket with another user?

I'm using Ansible for setting up a remote server and I'm using SSH agent forwarding to git clone a repository from bitbucket.org to use my local SSH key. Because I'm using sudo, I'm preserving the SSH_AUTH_SOCK environment variable using a file in the /etc/sudoers.d/ directory, which contains:

Defaults env_keep += SSH_AUTH_SOCK

This does make the environment variable available when using sudo. The problem is when I want to clone as another user, web, that doesn't have permission to access the socket file available at SSH_AUTH_SOCK.

Currently I'm setting the ownership of the socket directory recursively for this user so I don't give 0777 permissions for the socket file.

$ ls -l /tmp
drwx------  2 web web 4096 Aug  7 09:09 ssh-PcIG22W1CM

All of this is done using Ansible but I'm not sharing Ansible code as this issue applies to any other situation.

Is it better to use a symbolic link? If not, what is the best practice to share this socket file without giving rwx for everyone?

Pierre
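
Added example, not part of the original question: a shell check that reports which mode bits and owner apply to an agent socket and its parent directory, so the effect of a chown or chmod like the one described above can be verified. The function names are hypothetical and GNU `stat` (as found on Linux servers) is assumed.

```shell
#!/bin/sh
# Added example: report who can reach an SSH agent socket.
# Any user able to connect to the socket can authenticate with the forwarded
# keys while the agent connection lasts, so group/other access is flagged.

# perm_bits PATH -> prints "<octal mode> <owner>" (assumes GNU stat)
perm_bits() {
    stat -c '%a %U' "$1"
}

# agent_sock_exposure SOCKET_PATH
# Returns 0 when only the owning user has permissions on the socket and its
# parent directory, 1 when either grants any group/other bit, 2 on a bad path.
agent_sock_exposure() {
    sock=$1
    dir=$(dirname "$sock")
    [ -e "$sock" ] || { echo "no such path: $sock" >&2; return 2; }
    status=0
    for p in "$dir" "$sock"; do
        info=$(perm_bits "$p")
        mode=${info%% *}     # e.g. 700, 1777
        owner=${info#* }
        # Leading 0 makes the value an octal constant; 077 = group+other bits.
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "EXPOSED  $p mode=$mode owner=$owner"
            status=1
        else
            echo "ok       $p mode=$mode owner=$owner"
        fi
    done
    return $status
}

# Stand-alone use: inspect the current session's forwarded agent, if any.
if [ -n "${SSH_AUTH_SOCK:-}" ]; then
    agent_sock_exposure "$SSH_AUTH_SOCK" || true
fi
```

The owner column shows which single account currently holds the socket; after a recursive chown to another user, that account rather than the login user is the one listed.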