[systemd-devel] Restarting a service as user instead as root
Cecil Westerhof
2018-08-13 09:28:20 UTC
I have a service that is run as a different user as root. But only root can
restart the service. Is there a way to make 'systemctl restart' work for
the user that runs the service?
--
Cecil Westerhof
Reindl Harald
2018-08-13 09:49:19 UTC
Post by Cecil Westerhof
I have a service that is run as a different user as root. But only root
can restart the service. Is there a way to make 'systemctl restart' work
for the user that runs the service?
not for system services

just because a service binary drops privileges to a different user is no
indication that this user is allowed to control the service itself - for
security the opposite is true
Silvio Knizek
2018-08-13 09:51:46 UTC
Post by Cecil Westerhof
I have a service that is run as a different user as root. But only root can
restart the service. Is there a way to make 'systemctl restart' work for
the user that runs the service?
Hi,

you can either define a sudo-rule or you use policykit (polkit) for
this. See
https://wiki.archlinux.org/index.php/Polkit#Allow_management_of_individual_systemd_units_by_regular_users
for an example. Keep in mind that the polkit feature depends on your
available systemd version.

BR
Tomasz Torcz
2018-08-13 10:06:35 UTC
Post by Silvio Knizek
Post by Cecil Westerhof
I have a service that is run as a different user as root. But only root can
restart the service. Is there a way to make 'systemctl restart' work for
the user that runs the service?
Hi,
you can either define a sudo-rule or you use policykit (polkit) for
this. See
https://wiki.archlinux.org/index.php/Polkit#Allow_management_of_individual_systemd_units_by_regular_users
for an example. Keep in mind that the polkit feature depends on your
available systemd version.
Or, if the service has Restart= setting, user can kill the MainPID.
--
Tomasz Torcz "Funeral in the morning, IDE hacking
xmpp: ***@chrome.pl in the afternoon and evening." - Alan Cox
Michael Chapman
2018-08-13 09:51:00 UTC
Post by Cecil Westerhof
I have a service that is run as a different user as root. But only root can
restart the service. Is there a way to make 'systemctl restart' work for
the user that runs the service?
You could simply add some Sudo rules allowing the user to perform that
command.

Alternatively, you can write a polkit rule to describe the permissions.
For example, the following would give permission for a particular
user to restart a particular service:

polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.systemd1.manage-units" &&
        action.lookup("unit") == "example.service" &&
        action.lookup("verb") == "restart" &&
        subject.user == "username") {
        return polkit.Result.YES;
    }
});

See the AUTHORIZATION RULES section of the polkit(8) manpage for further
details.
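To see what the rule above does and does not grant, here is an added example (not code from the thread or from polkit itself): a small constructed stand-in for polkit's rule engine, where the `polkit` object, `makeAction`, `checkAuthorization` and `authorize` are mocks I wrote, and only the rule body is real polkit syntax. It shows that the rule is scoped to one unit, one verb and one user, and that every other request falls through to the action's implicit policy (for manage-units, administrator authentication).

```javascript
// Constructed mock of the objects polkitd hands to rules in
// /etc/polkit-1/rules.d/*.rules; real polkit defines them itself.
const polkit = {
  Result: { YES: "yes", NO: "no", NOT_HANDLED: undefined },
  _rules: [],
  addRule(fn) { this._rules.push(fn); },
};

// Constructed Action: the action id plus the key/value details that
// systemd attaches ("unit", "verb"), readable via action.lookup().
function makeAction(id, details) {
  return { id, lookup: (key) => details[key] };
}

// The rule from the post: one unit, one verb, one user.
polkit.addRule(function (action, subject) {
  if (action.id == "org.freedesktop.systemd1.manage-units" &&
      action.lookup("unit") == "example.service" &&
      action.lookup("verb") == "restart" &&
      subject.user == "username") {
    return polkit.Result.YES;
  }
});

// Rules run in order; the first one that returns a Result decides.
// Returning nothing means "not handled", so the request falls back to
// the action's implicit policy. Label for that fallback is constructed.
const IMPLICIT_POLICY = "auth_admin";

function checkAuthorization(action, subject) {
  for (const rule of polkit._rules) {
    const result = rule(action, subject);
    if (result !== undefined) return result;
  }
  return IMPLICIT_POLICY;
}

// Convenience wrapper: what does a given user get for unit/verb?
function authorize(unit, verb, user) {
  const action = makeAction("org.freedesktop.systemd1.manage-units",
                            { unit, verb });
  return checkAuthorization(action, { user });
}
```

Only the exact (unit, verb, user) triple is allowed; stopping the same unit, restarting another unit, or another user doing the same all still require admin authentication.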
Cecil Westerhof
2018-08-13 10:44:48 UTC
Post by Michael Chapman
Post by Cecil Westerhof
I have a service that is run as a different user as root. But only root
can restart the service. Is there a way to make 'systemctl restart' work for
the user that runs the service?
You could simply add some Sudo rules allowing the user to perform that
command.
Alternatively, you can write a polkit rule to describe the permissions.
For example, the following would give permission for a particular
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.systemd1.manage-units" &&
        action.lookup("unit") == "example.service" &&
        action.lookup("verb") == "restart" &&
        subject.user == "username") {
        return polkit.Result.YES;
    }
});
See the AUTHORIZATION RULES section of the polkit(8) manpage for further
details.
I tried to put this in:
/etc/polkit-1/rules.d/10-auth.rules

When reading:
https://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html
AUTHORIZATION RULES

It should work immediately after writing the file, but it does not.
Is there something else I should do?

I am using Debian 9.
--
Cecil Westerhof
Michael Chapman
2018-08-13 10:52:58 UTC
Post by Cecil Westerhof
Post by Michael Chapman
Post by Cecil Westerhof
I have a service that is run as a different user as root. But only root
can restart the service. Is there a way to make 'systemctl restart' work for
the user that runs the service?
You could simply add some Sudo rules allowing the user to perform that
command.
Alternatively, you can write a polkit rule to describe the permissions.
For example, the following would give permission for a particular
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.systemd1.manage-units" &&
        action.lookup("unit") == "example.service" &&
        action.lookup("verb") == "restart" &&
        subject.user == "username") {
        return polkit.Result.YES;
    }
});
See the AUTHORIZATION RULES section of the polkit(8) manpage for further
details.
/etc/polkit-1/rules.d/10-auth.rules
https://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html
AUTHORIZATION RULES
It should work immediately after writing the file, but it does not.
Is there something else I should do?
I am using Debian 9.
It should work immediately. polkitd will log that it is reloading the
rules. I suggest you check the log... maybe there's some syntax error or
other problem with your rule file.
Cecil Westerhof
2018-08-13 10:58:44 UTC
Post by Michael Chapman
Post by Cecil Westerhof
Post by Michael Chapman
Post by Cecil Westerhof
I have a service that is run as a different user as root. But only root
can restart the service. Is there a way to make 'systemctl restart' work
for the user that runs the service?
You could simply add some Sudo rules allowing the user to perform that
command.
Alternatively, you can write a polkit rule to describe the permissions.
For example, the following would give permission for a particular
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.systemd1.manage-units" &&
        action.lookup("unit") == "example.service" &&
        action.lookup("verb") == "restart" &&
        subject.user == "username") {
        return polkit.Result.YES;
    }
});
See the AUTHORIZATION RULES section of the polkit(8) manpage for further
details.
/etc/polkit-1/rules.d/10-auth.rules
https://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html
AUTHORIZATION RULES
It should work immediately after writing the file, but it does not.
Is there something else I should do?
I am using Debian 9.
It should work immediately. polkitd will log that it is reloading the
rules. I suggest you check the log... maybe there's some syntax error or
other problem with your rule file.
I already checked the log, but when changing the file, nothing is logged. I
remember that some things have a different location in Debian. So probably
I should ask this on a Debian group.
--
Cecil Westerhof
Simon McVittie
2018-08-13 12:23:15 UTC
    /etc/polkit-1/rules.d/10-auth.rules
...
I am using Debian 9.
Debian uses an old version of polkit (with most of the changes from
newer versions backported) due to maintainability concerns about the
use of Javascript as the policy language in newer versions. Simpler
rules can be expressed in the old "local authority" policy language
(see the man pages installed with polkit on your Debian system) but
finer-grained rules using lookup() cannot be translated for Debian's
older polkit version.

smcv

Cecil Westerhof
2018-08-13 10:11:46 UTC
Post by Cecil Westerhof
I have a service that is run as a different user as root. But only root
can restart the service. Is there a way to make 'systemctl restart' work
for the user that runs the service?
Thanks for the answers. At the moment it is not very important, but I like
to be prepared when it 'suddenly' becomes important.

I think I go for the sudo solution. Was thinking about that already, but
was wondering if I overlooked something.
--
Cecil Westerhof