Re: [systemd-devel] Restarting a service as user instead as root
On Mon, 13 Aug 2018 at 12:44:48 +0200, Cecil Westerhof wrote:
> I tried to put this in:
> /etc/polkit-1/rules.d/10-auth.rules
...
> I am using Debian 9.

Debian uses an old version of polkit (with most of the changes from
newer versions backported) due to maintainability concerns about the
use of Javascript as the policy language in newer versions.

Simpler rules can be expressed in the old "local authority" policy
language (see the man pages installed with polkit on your Debian system)
but finer-grained rules using lookup() cannot be translated for Debian's
older polkit version.

    smcv
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Restarting a service as user instead as root
2018-08-13 12:52 GMT+02:00 Michael Chapman:
> On Mon, 13 Aug 2018, Cecil Westerhof wrote:
> > 2018-08-13 11:51 GMT+02:00 Michael Chapman:
> >
> > > On Mon, 13 Aug 2018, Cecil Westerhof wrote:
> > > > I have a service that is run as a different user as root. But only root can
> > > > restart the service. Is there a way to make 'systemctl restart' work for
> > > > the user that runs the service?
> > >
> > > You could simply add some Sudo rules allowing the user to perform that
> > > command.
> > >
> > > Alternatively, you can write a polkit rule to describe the permissions.
> > > For example, the following would give permission for a particular
> > > user to restart a particular service:
> > >
> > >     polkit.addRule(function(action, subject) {
> > >         if (action.id == "org.freedesktop.systemd1.manage-units" &&
> > >             action.lookup("unit") == "example.service" &&
> > >             action.lookup("verb") == "restart" &&
> > >             subject.user == "username") {
> > >             return polkit.Result.YES;
> > >         }
> > >     });
> > >
> > > See the AUTHORIZATION RULES section of the polkit(8) manpage for further
> > > details.
> > >
> >
> > I tried to put this in:
> >     /etc/polkit-1/rules.d/10-auth.rules
> >
> > When reading:
> >     https://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html
> > AUTHORIZATION RULES
> >
> > It should work immediately after writing the file, but it does not.
> > Is there something else I should do?
> >
> > I am using Debian 9.
>
> It should work immediately. polkitd will log that it is reloading the
> rules. I suggest you check the log... maybe there's some syntax error or
> other problem with your rule file.
>

I already checked the log, but when changing the file, nothing is logged.
I remember that some things have a different location in Debian. So
probably I should ask this on a Debian group.

-- 
Cecil Westerhof

Re: [systemd-devel] Restarting a service as user instead as root
On Mon, 13 Aug 2018, Cecil Westerhof wrote:
> 2018-08-13 11:51 GMT+02:00 Michael Chapman:
>
> > On Mon, 13 Aug 2018, Cecil Westerhof wrote:
> > > I have a service that is run as a different user as root. But only root can
> > > restart the service. Is there a way to make 'systemctl restart' work for
> > > the user that runs the service?
> >
> > You could simply add some Sudo rules allowing the user to perform that
> > command.
> >
> > Alternatively, you can write a polkit rule to describe the permissions.
> > For example, the following would give permission for a particular
> > user to restart a particular service:
> >
> >     polkit.addRule(function(action, subject) {
> >         if (action.id == "org.freedesktop.systemd1.manage-units" &&
> >             action.lookup("unit") == "example.service" &&
> >             action.lookup("verb") == "restart" &&
> >             subject.user == "username") {
> >             return polkit.Result.YES;
> >         }
> >     });
> >
> > See the AUTHORIZATION RULES section of the polkit(8) manpage for further
> > details.
> >
>
> I tried to put this in:
>     /etc/polkit-1/rules.d/10-auth.rules
>
> When reading:
>     https://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html
> AUTHORIZATION RULES
>
> It should work immediately after writing the file, but it does not.
> Is there something else I should do?
>
> I am using Debian 9.

It should work immediately. polkitd will log that it is reloading the
rules. I suggest you check the log... maybe there's some syntax error or
other problem with your rule file.

Re: [systemd-devel] Restarting a service as user instead as root
2018-08-13 11:51 GMT+02:00 Michael Chapman:
> On Mon, 13 Aug 2018, Cecil Westerhof wrote:
> > I have a service that is run as a different user as root. But only root can
> > restart the service. Is there a way to make 'systemctl restart' work for
> > the user that runs the service?
>
> You could simply add some Sudo rules allowing the user to perform that
> command.
>
> Alternatively, you can write a polkit rule to describe the permissions.
> For example, the following would give permission for a particular
> user to restart a particular service:
>
>     polkit.addRule(function(action, subject) {
>         if (action.id == "org.freedesktop.systemd1.manage-units" &&
>             action.lookup("unit") == "example.service" &&
>             action.lookup("verb") == "restart" &&
>             subject.user == "username") {
>             return polkit.Result.YES;
>         }
>     });
>
> See the AUTHORIZATION RULES section of the polkit(8) manpage for further
> details.
>

I tried to put this in:
    /etc/polkit-1/rules.d/10-auth.rules

When reading:
    https://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html
AUTHORIZATION RULES

It should work immediately after writing the file, but it does not.
Is there something else I should do?

I am using Debian 9.

-- 
Cecil Westerhof

Re: [systemd-devel] Restarting a service as user instead as root
On Mon, Aug 13, 2018 at 11:51:46AM +0200, Silvio Knizek wrote:
> On Monday, 13.08.2018, at 11:28 +0200, Cecil Westerhof wrote:
> > I have a service that is run as a different user as root. But only
> > root can restart the service. Is there a way to make 'systemctl restart'
> > work for the user that runs the service?
>
> Hi,
>
> you can either define a sudo-rule or you use policykit (polkit) for
> this. See
> https://wiki.archlinux.org/index.php/Polkit#Allow_management_of_individual_systemd_units_by_regular_users
> for an example. Keep in mind that the polkit feature depends on your
> available systemd version.

Or, if the service has Restart= setting, user can kill the MainPID.

-- 
Tomasz Torcz
xmpp: zdzich...@chrome.pl
"Funeral in the morning, IDE hacking in the afternoon and evening." - Alan Cox

Re: [systemd-devel] Restarting a service as user instead as root
2018-08-13 11:28 GMT+02:00 Cecil Westerhof:
> I have a service that is run as a different user as root. But only root
> can restart the service. Is there a way to make 'systemctl restart' work
> for the user that runs the service?
>

Thanks for the answers. At the moment it is not very important, but I like
to be prepared when it 'suddenly' becomes important.

I think I go for the sudo solution. Was thinking about that already, but
was wondering if I overlooked something.

-- 
Cecil Westerhof

Re: [systemd-devel] Restarting a service as user instead as root
On Mon, 13 Aug 2018, Cecil Westerhof wrote:
> I have a service that is run as a different user as root. But only root can
> restart the service. Is there a way to make 'systemctl restart' work for
> the user that runs the service?

You could simply add some Sudo rules allowing the user to perform that
command.

Alternatively, you can write a polkit rule to describe the permissions.
For example, the following would give permission for a particular
user to restart a particular service:

    polkit.addRule(function(action, subject) {
        if (action.id == "org.freedesktop.systemd1.manage-units" &&
            action.lookup("unit") == "example.service" &&
            action.lookup("verb") == "restart" &&
            subject.user == "username") {
            return polkit.Result.YES;
        }
    });

See the AUTHORIZATION RULES section of the polkit(8) manpage for further
details.

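
[Added example, not part of the original message or of polkit itself: the rule above run against a small stand-in for the `polkit` object, to show which requests it grants and which it leaves to the action's defaults. The `decide` helper, the `requests` table and every request in it are constructed for illustration.]

```javascript
// Stand-in for the `polkit` object polkitd gives to .rules files (assumption:
// only addRule() and Result are modelled, which is all this rule uses).
const rules = [];
const polkit = {
  Result: { YES: "yes", NO: "no" },
  addRule(fn) { rules.push(fn); },
};

// The rule from the message above, unchanged.
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.systemd1.manage-units" &&
        action.lookup("unit") == "example.service" &&
        action.lookup("verb") == "restart" &&
        subject.user == "username") {
        return polkit.Result.YES;
    }
});

// Hypothetical helper: run the rules in order; the first one that returns a
// value decides. null means no rule matched, so the action's defaults apply.
function decide(request) {
  const action = {
    id: request.id,
    // A key missing from the request details yields undefined.
    lookup: (key) => (request.details || {})[key],
  };
  for (const rule of rules) {
    const result = rule(action, { user: request.user });
    if (result !== undefined && result !== null) return result;
  }
  return null;
}

// Constructed requests, not captured from a real system.
const MANAGE = "org.freedesktop.systemd1.manage-units";
const requests = {
  intended:  { id: MANAGE, user: "username", details: { unit: "example.service", verb: "restart" } },
  otherVerb: { id: MANAGE, user: "username", details: { unit: "example.service", verb: "stop" } },
  otherUnit: { id: MANAGE, user: "username", details: { unit: "other.service", verb: "restart" } },
  otherUser: { id: MANAGE, user: "someone", details: { unit: "example.service", verb: "restart" } },
  // A request that carries no unit/verb details: lookup() finds nothing.
  noDetails: { id: MANAGE, user: "username" },
};

for (const [name, request] of Object.entries(requests)) {
  console.log(name.padEnd(10), decide(request) ?? "no decision (defaults apply)");
}
```

Only the `intended` request is granted; when the unit and verb details are absent the rule simply never matches, so it fails closed rather than widening access.
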
Re: [systemd-devel] Restarting a service as user instead as root
On Monday, 13.08.2018, at 11:28 +0200, Cecil Westerhof wrote:
> I have a service that is run as a different user as root. But only
> root can restart the service. Is there a way to make 'systemctl restart'
> work for the user that runs the service?

Hi,

you can either define a sudo-rule or you use policykit (polkit) for
this. See
https://wiki.archlinux.org/index.php/Polkit#Allow_management_of_individual_systemd_units_by_regular_users
for an example. Keep in mind that the polkit feature depends on your
available systemd version.

BR

Re: [systemd-devel] Restarting a service as user instead as root
On 13.08.2018 at 11:28, Cecil Westerhof wrote:
> I have a service that is run as a different user as root. But only root
> can restart the service. Is there a way to make 'systemctl restart' work
> for the user that runs the service?

not for system services

just because a service binary drops privileges to a different user is no
indication that this user is allowed to control the service itself - for
security the opposite is true

[systemd-devel] Restarting a service as user instead as root
I have a service that is run as a different user as root. But only root can
restart the service. Is there a way to make 'systemctl restart' work for
the user that runs the service?

-- 
Cecil Westerhof