Add webserver "apache" user to other groups

OK, “in some occasions” write permissions are needed. If the normal application life does not require write permissions, could they be granted only during the install/upgrade, and revoked thereafter?

What are you thinking about?

I ran an experiment by adding apache to ws1, the shared folder owner. The commands are:

    # lgroupmod -M apache ws1
    # getent group ws1
    ws1:*:5000:admin,apache

Restarted httpd, to update process privileges. Now apache has write access to the shared folder.

The limitation is: if ws1 changes, apache is removed from the list. An action could be written to make the change persistent. I’m planning to overcome this limitation in future versions of the Groups module.

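A check for both conditions mentioned in the post above, membership in ws1 and whether the running httpd actually carries the group, as an added example that is not part of the original post. The sample data is constructed (GID 48 for apache and the status text are assumptions); on a live host the inputs come from `getent group ws1` and `/proc/<httpd pid>/status`.

```shell
#!/bin/sh
# Constructed sample inputs (not taken from a real host).
GROUP_WITH='ws1:*:5000:admin,apache'
GROUP_WITHOUT='ws1:*:5000:admin'
STATUS_OLD=$(printf 'Name:\thttpd\nUid:\t48\t48\t48\t48\nGroups:\t48\n')
STATUS_NEW=$(printf 'Name:\thttpd\nUid:\t48\t48\t48\t48\nGroups:\t48 5000\n')

# Print the numeric GID (third field) of a group database line.
group_gid() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeed if user $2 appears in the member list (fourth field) of line $1.
group_has_member() {
    members=$(printf '%s\n' "$1" | cut -d: -f4)
    case ",$members," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed if the "Groups:" line of process status text $1 contains GID $2.
# Supplementary groups are fixed when the process starts, so this can
# disagree with the group database until httpd is restarted.
proc_has_gid() {
    gids=$(printf '%s\n' "$1" | awk '/^Groups:/ { $1=""; print }')
    for g in $gids; do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# Compare database membership with what the running process holds.
#   $1 group line, $2 user, $3 process status text
access_state() {
    gid=$(group_gid "$1")
    if group_has_member "$1" "$2"; then
        if proc_has_gid "$3" "$gid"; then echo active; else echo pending-restart; fi
    else
        if proc_has_gid "$3" "$gid"; then echo revoked-but-live; else echo none; fi
    fi
}

access_state "$GROUP_WITH" apache "$STATUS_OLD"     # added, httpd not restarted
access_state "$GROUP_WITH" apache "$STATUS_NEW"     # added and restarted
access_state "$GROUP_WITHOUT" apache "$STATUS_NEW"  # removed, old httpd still running
```

The `revoked-but-live` state matters for the grant-during-upgrade idea: removing apache from the group does not take write access away from httpd until the service is restarted.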