[systemd-devel] sudo -u app_user systemctl --user
David Schmitt
david at dasz.at
Tue Mar 25 05:33:23 PDT 2014
On 25.03.2014 12:59, "Jóhann B. Guðmundsson" wrote:
>
> On 03/25/2014 08:42 AM, David Schmitt wrote:
>> If that is a better supported way of achieving my goal of giving a set
>> of users the power to manage their own services...
>
> Can you further explain why you want to do that?
>
> What's the use case here for embedded/server/desktop?
>
> What are you trying to achieve?

I've built a small shared hosting setup where I'm managing customers'
applications with private nginx and (php|mono|...)-fastcgi instances.
This allows the customers to flexibly configure application instances
using the power of systemd, while everything is still running under the
UID of the customer.

Currently all customer services are running under a --user instance,
which I've got to run by enabling the proper user@.service and using
enable-linger on the user.

Finally I wanted to delegate service restart privileges to other users
within a customer, but stumbled upon sudo's peculiar behaviour.
Currently I'm working around this with a sudo/su combination.

The more I think about it, the more I realize I might be happier with
some kind of ultra-thin containerization of customers. That would also
reduce information leakage between customers (running procs, etc). On
the other hand, the current solution with --user is pretty simple all
around, so adding a container layer might be too much complexity for the
gain.

> What behavior do you want?

The requirement I initially asked about is this: given the proper
sudoers entry, allow user alice to run

$ sudo -u bob systemctl --user reload nginx.service

and have it work. My analysis ended at the point that even when using
pam_systemd, sudo does not provide the proper XDG_SESSION* environment
variables to the executed command.
For a more general analysis of my situation, please see above.
Regards, David
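
One way to make the delegated call described above work without depending on sudo to populate the session environment, as an added example that is not part of the original post: a small wrapper that alice runs as bob through sudo. The script path, the sudoers line, and the assumption that systemctl --user locates bob's manager through XDG_RUNTIME_DIR=/run/user/<uid> are illustrative, not taken from the thread.

```shell
#!/bin/sh
# Added example (hypothetical wrapper, e.g. /usr/local/bin/user-systemctl).
# Constructed sudoers entry that would permit it:
#   alice ALL=(bob) NOPASSWD: /usr/local/bin/user-systemctl reload nginx.service
# Assumption: bob's runtime dir is /run/user/<uid> and lingering is enabled.

# Only the delegated actions; enable, edit, status (pager) etc. are refused.
allowed_action() {
    case "$1" in
        reload|restart) return 0 ;;
        *) return 1 ;;
    esac
}

# Plain service names only: no options, no paths, no shell metacharacters.
valid_unit() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9:_.@-]*) return 1 ;;
        *.service) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the runtime dir for a numeric uid; fail on anything else.
runtime_dir_for() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '/run/user/%s\n' "$1"
}

user_systemctl() {
    action=${1:-} unit=${2:-}
    allowed_action "$action" || { echo "action not permitted" >&2; return 64; }
    valid_unit "$unit" || { echo "invalid unit name" >&2; return 64; }
    dir=$(runtime_dir_for "$(id -u)") || return 70
    # No runtime dir means no --user instance to talk to.
    [ -d "$dir" ] || { echo "no $dir; is lingering enabled?" >&2; return 69; }
    # Drop the environment inherited from sudo and pass only what
    # systemctl --user needs to locate the user manager.
    exec env -i PATH=/usr/bin:/bin XDG_RUNTIME_DIR="$dir" \
        systemctl --user "$action" "$unit"
}

# Runs only when invoked with arguments, e.g. "reload nginx.service".
if [ "$#" -gt 0 ]; then user_systemctl "$@"; fi
```

Keeping the action list to reload and restart, and the sudoers entry to fixed arguments, limits what alice can do as bob to the delegation the post asks for.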