Re: [systemd-devel] org.freedesktop.systemd1.manage-units - which unit?

2019-10-07 Thread Ian Pilcher

On 10/7/19 4:30 AM, Colin Guthrie wrote:

> It's a nasty workaround, but for me it was all wrapped up in a script
> rather than manually run, so it didn't matter too much really.
>
> You can adjust that to suit and make it more tolerant of other arguments
> etc., but it's definitely nowhere near as nice or elegant as the proper
> approach (esp. with the pkexec prefix!)


I'm trying to use the D-Bus API (from Python), so I don't think that
will work at all.

My current thinking is to start my service as root, grab a reference to
the system bus, and then change to my non-root user.

--

Ian Pilcher arequip...@gmail.com
 "I grew up before Mark Zuckerberg invented friendship" 

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] org.freedesktop.systemd1.manage-units - which unit?

2019-10-07 Thread Colin Guthrie
Mantas Mikulėnas wrote on 02/10/2019 16:37:
> On Wed, Oct 2, 2019 at 5:58 PM Ian Pilcher wrote:
> 
> On 9/26/19 11:49 AM, Mantas Mikulėnas wrote:
> > In JS-based polkit rules, the action usually comes with 'unit' and
> > 'verb' polkit variables -- according to src/core/dbus-unit.c:
> >
> >     if (action.id == "org.freedesktop.systemd1.manage-units" &&
> >         action.lookup("unit") == "foo.service") { return polkit.Result.YES; }
> >
> > In older polkit versions which use .pkla rules, variables are not
> > available at all.
> 
> They don't seem to be available on CentOS 7, which has systemd 219,
> either (even though it does use JavaScript rules).  :(
> 
> 
> Ah yes, according to NEWS it's a v226 change.

Yeah, in CentOS 7 I had to do something like this:

/etc/polkit-1/rules.d/foo.rules:


polkit.addRule(function(action, subject) {
  // Only handle pkexec's action, and only for the one permitted user;
  // everything else falls through to the default policy.
  if (action.id.indexOf("org.freedesktop.policykit.exec") != 0 ||
      subject.user != 'my-permitted-user')
    return polkit.Result.NOT_HANDLED;

  // pkexec exposes the full command line as a detail. Require exactly
  // "systemctl start --no-block my-template-unit@<instance>" and no extra
  // arguments (cmd.length == 4).
  var prefix = 'my-template-unit@';
  var cmd = action.lookup('command_line').split(' ');
  if (cmd.length == 4 && cmd[0] == '/usr/bin/systemctl' && cmd[1] == 'start' &&
      cmd[2] == '--no-block' && cmd[3].indexOf(prefix) == 0) {
    // Instance name after the '@', with any unit-type suffix after the first
    // '.' dropped; it must match a tight, fully anchored pattern.
    var job = cmd[3].substr(prefix.length).split('.')[0];
    var valid = /^tl[A-Z][a-zA-Z0-9_]*$/;
    if (job.match(valid))
      return polkit.Result.YES;
  }

  return polkit.Result.NOT_HANDLED;
});


Then I could run:

 pkexec /usr/bin/systemctl start --no-block my-template-unit@whatever

as "my-permitted-user" without any prompt.

It's a nasty workaround, but for me it was all wrapped up in a script
rather than manually run, so it didn't matter too much really.

You can adjust that to suit and make it more tolerant of other arguments
etc., but it's definitely nowhere near as nice or elegant as the proper
approach (esp. with the pkexec prefix!)

Col




-- 

Colin Guthrie
gmane(at)colin.guthr.ie
http://colin.guthr.ie/

Day Job:
  Tribalogic Limited http://www.tribalogic.net/
Open Source:
  Mageia Contributor http://www.mageia.org/
  PulseAudio Hacker http://www.pulseaudio.org/
  Trac Hacker http://trac.edgewall.org/

Re: [systemd-devel] org.freedesktop.systemd1.manage-units - which unit?

2019-10-02 Thread Mantas Mikulėnas
On Wed, Oct 2, 2019 at 5:58 PM Ian Pilcher wrote:

> On 9/26/19 11:49 AM, Mantas Mikulėnas wrote:
> > In JS-based polkit rules, the action usually comes with 'unit' and
> > 'verb' polkit variables -- according to src/core/dbus-unit.c:
> >
> >     if (action.id == "org.freedesktop.systemd1.manage-units" &&
> >         action.lookup("unit") == "foo.service") { return polkit.Result.YES; }
> >
> > In older polkit versions which use .pkla rules, variables are not
> > available at all.
>
> They don't seem to be available on CentOS 7, which has systemd 219,
> either (even though it does use JavaScript rules).  :(
>

Ah yes, according to NEWS it's a v226 change.

-- 
Mantas Mikulėnas

Re: [systemd-devel] org.freedesktop.systemd1.manage-units - which unit?

2019-10-02 Thread Ian Pilcher

On 9/26/19 11:49 AM, Mantas Mikulėnas wrote:
> In JS-based polkit rules, the action usually comes with 'unit' and
> 'verb' polkit variables -- according to src/core/dbus-unit.c:
>
>     if (action.id == "org.freedesktop.systemd1.manage-units" &&
>         action.lookup("unit") == "foo.service") { return polkit.Result.YES; }
>
> In older polkit versions which use .pkla rules, variables are not
> available at all.


They don't seem to be available on CentOS 7, which has systemd 219,
either (even though it does use JavaScript rules).  :(

--

Ian Pilcher arequip...@gmail.com
 "I grew up before Mark Zuckerberg invented friendship" 


Re: [systemd-devel] org.freedesktop.systemd1.manage-units - which unit?

2019-09-26 Thread Mantas Mikulėnas
In JS-based polkit rules, the action usually comes with 'unit' and 'verb'
polkit variables -- according to src/core/dbus-unit.c:

    if (action.id == "org.freedesktop.systemd1.manage-units" &&
        action.lookup("unit") == "foo.service") { return polkit.Result.YES; }

In older polkit versions which use .pkla rules, variables are not available
at all.

On Thu, Sep 26, 2019 at 6:15 PM Ian Pilcher wrote:

> I am writing a PolicyKit rule to allow a non-root user to restart a
> service (via D-bus).  It looks like this will be the
> org.freedesktop.systemd1.manage-units "action", but I can't see a way to
> determine *which* unit is being managed (or what the action is - start/
> stop/restart/reload).
>
> Are there any variables associated with this action that my rule can
> use?  If not, is there any way to give a particular user permission to
> perform only some actions on only some units?
>
> Thanks!
>
> --
> 
> Ian Pilcher arequip...@gmail.com
>  "I grew up before Mark Zuckerberg invented friendship" 
> 
>



-- 
Mantas Mikulėnas
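As an added example (not code from the thread, nor systemd's or polkit's own): a rules file that uses the 'unit' and 'verb' details Mantas describes to let one user manage only a fixed set of units with a fixed set of verbs, and that returns NOT_HANDLED when those details are absent (as on the systemd 219 in CentOS 7), so a pre-v226 manager never receives a blanket YES. The user name 'deploy', the unit names, the verb allow-list and the rules file name are assumptions, as are the small stand-in for the `polkit` object and the `authorize()` driver, which exist here only so the rule can be run against constructed inputs outside polkitd. The function passed to `polkit.addRule()` is the part that would go in /etc/polkit-1/rules.d/.

```javascript
// Added example, not code from the thread. The polkit object below is a
// stand-in for what polkitd provides to rules files (assumption: only the
// pieces used here: addRule(), Result, action.id/lookup(), subject.user).
const polkit = {
  Result: { YES: 'yes', NO: 'no', NOT_HANDLED: null },
  _rules: [],
  addRule(fn) { this._rules.push(fn); },
};

// Hypothetical policy: user 'deploy' may start/stop/restart/reload app.service
// and instances of worker@.service whose instance name is [A-Za-z0-9_]+.
const ALLOWED_USER = 'deploy';
const ALLOWED_VERBS = new Set(['start', 'stop', 'restart', 'reload']);
const ALLOWED_UNITS = /^(app\.service|worker@[A-Za-z0-9_]+\.service)$/;

// This function is what a file such as /etc/polkit-1/rules.d/50-deploy.rules
// would contain.
polkit.addRule(function (action, subject) {
  if (action.id !== 'org.freedesktop.systemd1.manage-units' ||
      subject.user !== ALLOWED_USER)
    return polkit.Result.NOT_HANDLED;

  const unit = action.lookup('unit');
  const verb = action.lookup('verb');
  // Fail closed: systemd < v226 attaches no details, so lookup() yields
  // undefined. Falling through leaves the default policy in force instead
  // of approving every manage-units call from this user.
  if (unit === undefined || verb === undefined)
    return polkit.Result.NOT_HANDLED;

  if (ALLOWED_VERBS.has(verb) && ALLOWED_UNITS.test(unit))
    return polkit.Result.YES;
  return polkit.Result.NOT_HANDLED;
});

// Build an action object shaped like the one polkitd passes to rules:
// lookup() returns the detail value, or undefined when it was not sent.
function makeAction(id, details) {
  return {
    id,
    lookup(key) {
      return Object.prototype.hasOwnProperty.call(details, key)
        ? details[key] : undefined;
    },
  };
}

// Run the registered rules the way polkitd does: first non-null result wins.
function authorize(user, details, id = 'org.freedesktop.systemd1.manage-units') {
  const action = makeAction(id, details);
  const subject = { user };
  for (const rule of polkit._rules) {
    const r = rule(action, subject);
    if (r !== polkit.Result.NOT_HANDLED) return r;
  }
  return polkit.Result.NOT_HANDLED;
}

// Constructed inputs; the third is what a systemd 219 manager would send
// (no unit/verb details at all).
const samples = [
  ['deploy', { unit: 'app.service', verb: 'restart' }],
  ['deploy', { unit: 'worker@job1.service', verb: 'start' }],
  ['deploy', {}],
  ['deploy', { unit: 'sshd.service', verb: 'stop' }],
  ['deploy', { unit: 'app.service', verb: 'kill' }],
  ['alice', { unit: 'app.service', verb: 'restart' }],
];
for (const [user, details] of samples)
  console.log(user, JSON.stringify(details), '->', authorize(user, details));
```

The rule deliberately never returns NO: anything it does not explicitly approve is left to the rest of the polkit configuration, which is what makes the missing-details case safe. A verb outside the allow-list (the 'kill' sample) or a unit whose instance name contains anything but the permitted characters is handled the same way.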