Re: [systemd-devel] User service with suid executable

2016-01-12 Thread Lennart Poettering
On Fri, 08.01.16 13:49, Martin Novák (mt...@seznam.cz) wrote:

> On 01/08/2016 11:27 AM, Simon McVittie wrote:
> > On 07/01/16 23:14, Martin Novák wrote:
> >> I've created this (toy) user service for running desktop of different
> >> user
> >
> > I don't think a user service is an appropriate tool for this job. If you
> > have sudo privileges, you can use a system service, or perhaps even a
> > user service that runs as the other user.
> 
> Well, I have sudo privileges for the other user, not for root. Besides,
> the service executable could have been setuid for different user and not
> root. I think both are valid use cases. Imagine 2 developers working on
> a multiseat system wanting to share their programs for accessing some
> webservice without revealing their credentials. The other developer may
> want to use it from a systemd timer unit. Distasteful as it may be, it's
> the straightforward way to do the job and it's secure if used
> correctly.

You should be able to write a polkit policy that allows your user to
invoke the "start" operation on that specific unit. polkit receives
enough details from systemd so that you can express this, without
involving sudo or anything like that.

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
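
A rule of the kind described in the reply above, as an added example that is not part of the original thread. It assumes the unit is a system unit named `testuser-desktop.service`, that the permitted account is called `martin` (hypothetical), and it includes a small stand-in for the `polkit` global plus a `makeAction` helper so the rule can be exercised outside polkitd.

```javascript
// Added example: a polkit rules file, e.g.
// /etc/polkit-1/rules.d/50-testuser-desktop.rules (file name is an assumption).

// Assumptions: account name is hypothetical; unit name is taken from the thread.
var ALLOWED_USER = "martin";
var ALLOWED_UNIT = "testuser-desktop.service";
var ALLOWED_VERBS = ["start"];   // "stop" is deliberately not granted here

// Outside polkitd (e.g. under Node.js) there is no global `polkit`;
// this stand-in mirrors only the parts the rule below uses.
var pk = (typeof polkit !== "undefined") ? polkit : {
    Result: { YES: "yes", NOT_HANDLED: null },
    addRule: function (fn) { return fn; }
};

function unitStartRule(action, subject) {
    // systemd uses a single action id for start/stop/restart of any unit ...
    if (action.id !== "org.freedesktop.systemd1.manage-units") {
        return pk.Result.NOT_HANDLED;
    }
    // ... and passes the unit name and the requested verb as details,
    // which is what makes a per-unit, per-operation rule possible.
    var unit = action.lookup("unit");
    var verb = action.lookup("verb");
    if (subject.user === ALLOWED_USER &&
        unit === ALLOWED_UNIT &&
        ALLOWED_VERBS.indexOf(verb) !== -1) {
        return pk.Result.YES;
    }
    // Everything else falls through to later rules and the default policy.
    return pk.Result.NOT_HANDLED;
}

pk.addRule(unitStartRule);

// Constructed stand-in for polkit's Action object, for offline testing only.
function makeAction(id, details) {
    return { id: id, lookup: function (key) { return details[key]; } };
}
```

Matching on both `unit` and `verb` keeps the grant to exactly one operation on one unit; a rule that checks only the action id would let the user manage every unit on the system.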


Re: [systemd-devel] User service with suid executable

2016-01-08 Thread Martin Novák
On 01/08/2016 11:27 AM, Simon McVittie wrote:
> On 07/01/16 23:14, Martin Novák wrote:
>> I've created this (toy) user service for running desktop of different
>> user
>
> I don't think a user service is an appropriate tool for this job. If you
> have sudo privileges, you can use a system service, or perhaps even a
> user service that runs as the other user.

Well, I have sudo privileges for the other user, not for root. Besides,
the service executable could have been setuid for different user and not
root. I think both are valid use cases. Imagine 2 developers working on
a multiseat system wanting to share their programs for accessing some
webservice without revealing their credentials. The other developer may
want to use it from a systemd timer unit. Distasteful as it may be, it's
the straightforward way to do the job and it's secure if used correctly.

I also remember one code base, where the (commercial) service was
composed of several scripts running from cron of dedicated user. Some of
these scripts were (Perl) suid root (for network related things) and
they were exec()-ed by scripts initially running as dedicated user,
which authenticated with PostgreSQL via OS user credentials.

Anyway, I was only interested if there's currently some cleaner way,
perhaps built-in to systemd, because I've noticed that systemd already
supports tty input via StandardInput option. If there isn't I'll try to
come up with a patch.

Thank you.


Re: [systemd-devel] User service with suid executable

2016-01-08 Thread Simon McVittie
On 07/01/16 23:14, Martin Novák wrote:
> I've created this (toy) user service for running desktop of different
> user

I don't think a user service is an appropriate tool for this job. If you
have sudo privileges, you can use a system service, or perhaps even a
user service that runs as the other user.

-- 
Simon McVittie
Collabora Ltd. 



[systemd-devel] User service with suid executable

2016-01-07 Thread Martin Novák
Hello,

I've created this (toy) user service for running desktop of different
user:

  [Service]
  ExecStart=/bin/sudo -u testuser DISPLAY=:7 xfce4-session

The problem is that after starting this service, the following does not
work:

  $ systemctl --user stop testuser-desktop

because the UID (real and effective) of the sudo process is 0 and
systemd just gives up after several tries and treats the service as
dead:

  Dec 25 04:44:18 localhost systemd[1275]: testuser-desktop.service: Failed to kill main process 1925 (sudo): Operation not permitted
  Dec 25 04:44:18 localhost systemd[1275]: testuser-desktop.service: Failed to kill main process 1925 (sudo): Operation not permitted
  Dec 25 04:44:18 localhost systemd[1275]: testuser-desktop.service: Failed to kill main process 1925 (sudo): Operation not permitted
  Dec 25 04:44:18 localhost systemd[1275]: testuser-desktop.service: Failed to kill main process 1925 (sudo): Operation not permitted

I've learned the following hack which makes it work:

  [Service]
  ExecStart=/bin/bash -c '/bin/sudo -u testuser DISPLAY=:7 xfce4-session && :'

The ' && :' is needed there because without it bash would just exec the
argument and become root. Now, after systemd sends a signal (TERM? INT?)
to the bash process, the bash kills the sudo via tty layer magic.

Is there any cleaner way to have a user service running a suid
executable?

Thank you.