Re: [systemd-devel] Best way to limit per-user system-wide units

Okay so after mucking around a bit more, I was wondering if the most logical way to solve this problem would be to edit /etc/pam.d/sudo to add pam_systemd.so - would this work? I tried it and couldn't get it to do anything meaningful, but TBH PAM is not my area of expertise. On 14 December 2016

Re: [systemd-devel] Best way to limit per-user system-wide units

Okay, so tried some more things. $ sudo su - http env This account is currently not available. That's because the user has nologin set as the shell. So, does that mean it's impossible to use systemctl --user ? On 14 December 2016 at 13:13, Samuel Williams

Re: [systemd-devel] Best way to limit per-user system-wide units

Its unfortunately common for popular software to have CVEs, it's a sign of an overall healthy environment I think. In any case my original point still stands, regarding formal verification. But that's not the main issue here so let's not get sidetracked :)

Re: [systemd-devel] Best way to limit per-user system-wide units

Am 14.12.2016 um 00:08 schrieb Samuel Williams: Well, given I opened the PR, I'd hope the chance is very low -- at least, no more than sudo. Sudo verifies the configuration using a regular language. It doesn't mean you can't shoot yourself in the foot, but it makes it pretty damn hard.

Re: [systemd-devel] Best way to limit per-user system-wide units

> Well, given I opened the PR, I'd hope the chance is very low -- at least, no > more than sudo. Sudo verifies the configuration using a regular language. It doesn't mean you can't shoot yourself in the foot, but it makes it pretty damn hard. JavaScript on the other hand.. a logic bug or error

Re: [systemd-devel] Best way to limit per-user system-wide units

On Wed, 14 Dec 2016, Samuel Williams wrote: [...] The nice thing about sudo is that it is a general framework that is well tested, well documented, and works everywhere... polkit, less so. Even with the best of intentions, looking at how well people have managed to script security features (e.g.

Re: [systemd-devel] Best way to limit per-user system-wide units

So, I was playing around with sudo and found the following: % env | grep XDG XDG_SESSION_ID=4 XDG_RUNTIME_DIR=/run/user/1000 % sudo -u http env | grep XDG ... nothing... Found this: http://stackoverflow.com/questions/28809235/how-to-get-xdg-variables-with-sudo Of course, using a login shell

Re: [systemd-devel] Best way to limit per-user system-wide units

> Putting aside the issue of having users link their own units into the system > configuration -- as pointed out else in this thread, that comes with a *lot* > of security issues -- you don't even need sudo or su to allow users to > control system units. You are absolutely correct. The users

Re: [systemd-devel] Best way to limit per-user system-wide units

Reindl, thanks for your continued help. > what *exact* problem are you trying to solve - don#t come with the solution > "doing that as systemd-unit" - explain the problem what you are trying to > solve not the solution you think is good! Okay, our website deployment process is something like

Re: [systemd-devel] Best way to limit per-user system-wide units

On Wed, 14 Dec 2016, Samuel Williams wrote: Reindl, I understand where you are coming from, but I'm not sure I understand what the alternative you are proposing is, are you suggesting I use su? Putting aside the issue of having users link their own units into the system configuration -- as

Re: [systemd-devel] Best way to limit per-user system-wide units

Am 13.12.2016 um 22:48 schrieb Samuel Williams: Reindl, I understand where you are coming from, but I'm not sure I understand what the alternative you are proposing is, are you suggesting I use su? su -c "whatever" - user at least preserves the environement i still don't get what your

Re: [systemd-devel] Best way to limit per-user system-wide units

Reindl, I understand where you are coming from, but I'm not sure I understand what the alternative you are proposing is, are you suggesting I use su? On 14 December 2016 at 10:45, Reindl Harald wrote: > > > Am 13.12.2016 um 22:40 schrieb Samuel Williams: >> >> Reindl,

Re: [systemd-devel] Best way to limit per-user system-wide units

Reindl, thanks for your ideas. So, I log in as me "bob", but I want to run a task as http, e.g. sudo -u http git checkout -f What do you propose as the alternative? On 14 December 2016 at 09:49, Reindl Harald wrote: > > > Am 13.12.2016 um 21:41 schrieb Samuel Williams:

Re: [systemd-devel] Best way to limit per-user system-wide units

Am 13.12.2016 um 21:41 schrieb Samuel Williams: I wanted to use systemd --user but had trouble getting it to run via sudo- seemed like the environment wasn't getting set up correctly. Any ideas? get rid of sudo and re-consider everything where you are using sudo/su

Re: [systemd-devel] Best way to limit per-user system-wide units

I wanted to use systemd --user but had trouble getting it to run via sudo- seemed like the environment wasn't getting set up correctly. Any ideas? ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org

Re: [systemd-devel] Best way to limit per-user system-wide units

On Wed, Dec 14, 2016 at 01:23:14AM +1300, Samuel Williams wrote: > I'd like my http user to be able to install unit files and start/stop them. > > Starting and stopping them is fairly easy with a sudo rule.. > > But adding them is a bit trickier. I could also use sudo but it seems > fairly

Re: [systemd-devel] Best way to limit per-user system-wide units

I will explore using link further. However, in some cases the behaviour is hard to leverage. I'm using foreman to generate systemd files. If I remove an existing target, it will be hard to replicate this.. unless I trash everything before re-linking everything. It's not a very elegant solution.

Re: [systemd-devel] Best way to limit per-user system-wide units

On Tue, Dec 13, 2016 at 3:52 PM, Samuel Williams wrote: > Hmm, so my local units directory contains business_development.target > which contains > > Wants=business_development-resque-worker-high-priority.target > business_development-resque-worker.target > > But

Re: [systemd-devel] Best way to limit per-user system-wide units

Before I got to bed. It seems like it would make the most sense for me to be able to namespace unit files. e.g. make a directory such as /etc/systemd/system/http and give that directory suitable permissions. Then, it's simpler to blow away all targets/services in that directory if I need to

Re: [systemd-devel] Best way to limit per-user system-wide units

Hmm, so my local units directory contains business_development.target which contains Wants=business_development-resque-worker-high-priority.target business_development-resque-worker.target But when using systemctl link, neither of these get installed correctly (and no warning is given when

Re: [systemd-devel] Best way to limit per-user system-wide units

Thanks Andrei, this is something I will explore. Will this work well if I have targets which have multiple dependencies? i.e. can I just link the top level target? On 14 December 2016 at 01:36, Andrei Borzenkov wrote: > On Tue, Dec 13, 2016 at 3:23 PM, Samuel Williams >

Re: [systemd-devel] Best way to limit per-user system-wide units

On Tue, Dec 13, 2016 at 3:23 PM, Samuel Williams wrote: > I'd like my http user to be able to install unit files and start/stop them. > > Starting and stopping them is fairly easy with a sudo rule.. > > But adding them is a bit trickier. I could also use sudo but