Okay so after mucking around a bit more, I was wondering if the most
logical way to solve this problem would be to edit /etc/pam.d/sudo to
add pam_systemd.so - would this work? I tried it and couldn't get it
to do anything meaningful, but TBH PAM is not my area of expertise.
On 14 December 2016
Okay, so tried some more things.
$ sudo su - http env
This account is currently not available.
That's because the user has nologin set as the shell.
So, does that mean it's impossible to use systemctl --user ?
On 14 December 2016 at 13:13, Samuel Williams
Its unfortunately common for popular software to have CVEs, it's a sign of
an overall healthy environment I think. In any case my original point still
stands, regarding formal verification. But that's not the main issue here
so let's not get sidetracked :)
Am 14.12.2016 um 00:08 schrieb Samuel Williams:
Well, given I opened the PR, I'd hope the chance is very low -- at least, no
more than sudo.
Sudo verifies the configuration using a regular language. It doesn't
mean you can't shoot yourself in the foot, but it makes it pretty damn
hard.
> Well, given I opened the PR, I'd hope the chance is very low -- at least, no
> more than sudo.
Sudo verifies the configuration using a regular language. It doesn't
mean you can't shoot yourself in the foot, but it makes it pretty damn
hard. JavaScript on the other hand.. a logic bug or error
On Wed, 14 Dec 2016, Samuel Williams wrote:
[...]
The nice thing about sudo is that it is a general framework that is
well tested, well documented, and works everywhere... polkit, less so.
Even with the best of intentions, looking at how well people have
managed to script security features (e.g.
So, I was playing around with sudo and found the following:
% env | grep XDG
XDG_SESSION_ID=4
XDG_RUNTIME_DIR=/run/user/1000
% sudo -u http env | grep XDG
... nothing...
Found this:
http://stackoverflow.com/questions/28809235/how-to-get-xdg-variables-with-sudo
Of course, using a login shell
> Putting aside the issue of having users link their own units into the system
> configuration -- as pointed out else in this thread, that comes with a *lot*
> of security issues -- you don't even need sudo or su to allow users to
> control system units.
You are absolutely correct. The users
Reindl, thanks for your continued help.
> what *exact* problem are you trying to solve - don#t come with the solution
> "doing that as systemd-unit" - explain the problem what you are trying to
> solve not the solution you think is good!
Okay, our website deployment process is something like
On Wed, 14 Dec 2016, Samuel Williams wrote:
Reindl, I understand where you are coming from, but I'm not sure I
understand what the alternative you are proposing is, are you
suggesting I use su?
Putting aside the issue of having users link their own units into the
system configuration -- as
Am 13.12.2016 um 22:48 schrieb Samuel Williams:
Reindl, I understand where you are coming from, but I'm not sure I
understand what the alternative you are proposing is, are you
suggesting I use su?
su -c "whatever" - user
at least preserves the environement
i still don't get what your
Reindl, I understand where you are coming from, but I'm not sure I
understand what the alternative you are proposing is, are you
suggesting I use su?
On 14 December 2016 at 10:45, Reindl Harald wrote:
>
>
> Am 13.12.2016 um 22:40 schrieb Samuel Williams:
>>
>> Reindl,
Reindl, thanks for your ideas.
So, I log in as me "bob", but I want to run a task as http, e.g. sudo
-u http git checkout -f
What do you propose as the alternative?
On 14 December 2016 at 09:49, Reindl Harald wrote:
>
>
> Am 13.12.2016 um 21:41 schrieb Samuel Williams:
Am 13.12.2016 um 21:41 schrieb Samuel Williams:
I wanted to use systemd --user but had trouble getting it to run via
sudo- seemed like the environment wasn't getting set up correctly. Any
ideas?
get rid of sudo and re-consider everything where you are using sudo/su
I wanted to use systemd --user but had trouble getting it to run via sudo-
seemed like the environment wasn't getting set up correctly. Any ideas?
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
On Wed, Dec 14, 2016 at 01:23:14AM +1300, Samuel Williams wrote:
> I'd like my http user to be able to install unit files and start/stop them.
>
> Starting and stopping them is fairly easy with a sudo rule..
>
> But adding them is a bit trickier. I could also use sudo but it seems
> fairly
I will explore using link further. However, in some cases the
behaviour is hard to leverage.
I'm using foreman to generate systemd files. If I remove an existing
target, it will be hard to replicate this.. unless I trash everything
before re-linking everything. It's not a very elegant solution.
On Tue, Dec 13, 2016 at 3:52 PM, Samuel Williams
wrote:
> Hmm, so my local units directory contains business_development.target
> which contains
>
> Wants=business_development-resque-worker-high-priority.target
> business_development-resque-worker.target
>
> But
Before I got to bed. It seems like it would make the most sense for me
to be able to namespace unit files. e.g. make a directory such as
/etc/systemd/system/http and give that directory suitable permissions.
Then, it's simpler to blow away all targets/services in that directory
if I need to
Hmm, so my local units directory contains business_development.target
which contains
Wants=business_development-resque-worker-high-priority.target
business_development-resque-worker.target
But when using systemctl link, neither of these get installed
correctly (and no warning is given when
Thanks Andrei, this is something I will explore. Will this work well
if I have targets which have multiple dependencies? i.e. can I just
link the top level target?
On 14 December 2016 at 01:36, Andrei Borzenkov wrote:
> On Tue, Dec 13, 2016 at 3:23 PM, Samuel Williams
>
On Tue, Dec 13, 2016 at 3:23 PM, Samuel Williams
wrote:
> I'd like my http user to be able to install unit files and start/stop them.
>
> Starting and stopping them is fairly easy with a sudo rule..
>
> But adding them is a bit trickier. I could also use sudo but
22 matches
Mail list logo