> Putting aside the issue of having users link their own units into the system
> configuration -- as pointed out elsewhere in this thread, that comes with a *lot*
> of security issues -- you don't even need sudo or su to allow users to
> control system units.

You are absolutely correct. The users have control to the software that's being run on the system in any case, if they are malicious it's game over. Nothing can prevent that.

On production, the only user is `ci` anyway. It could be that we run the foreman export task as this user which has password-less sudo. It's not feasible to manage 20 independent passwords for 20 deployments. SSH keys are the best option in my experience, but welcome any suggestions here.

What I'm more interested in doing is *protecting the http user so that if someone, somehow, does manage to crack the web application, they can't get root*. Right now, that is possible by allowing sudo systemctl link or equivalent which is why I'm here discussing the issue. We'd ideally like to keep http, http everywhere (i.e. no obvious/deliberate ability for privilege escalation).

The nice thing about sudo is that it is a general framework that is well tested, well documented, and works everywhere... polkit, less so. Even with the best of intentions, looking at how well people have managed to script security features (e.g. look at the whole ethereum contract fiasco), stuff in that PR makes me a bit worried. What's the chance someone screws up a security rule? JavaScript is only a small step up from PHP in terms of semantic rigour, so I'd be concerned about that too.

As I said, ideally we'd be able to enforce this logic directly within /etc/systemd/system/$user, but if that's not possible, `systemd --user` is a close 2nd given what I've seen. We just need to figure out how to make it work in a sudo environment (could necessitate a change to /etc/sudoers which would be fine).

Thanks for your input.

_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel