[systemd-devel] grant users access to certain services only
Jóhann B. Guðmundsson
johannbg at gmail.com
Fri Aug 21 03:04:32 PDT 2015
On 08/20/2015 10:02 PM, Lennart Poettering wrote:
> On Thu, 20.08.15 23:41, Michael Biebl (mbiebl at gmail.com) wrote:
>
>> Hi,
>>
>> say I wanted to grant an unprivileged userA the ability to
>> systemctl start/stop/restart/reload foo.service
>> and only grant this for foo.service.
>>
>> Is there a way to achieve that without resorting to using hacks like
>> sudo or a suid binary? From a cursory look, the existing PolicyKit
>> rules are too coarse grained for this.
> Correct. This is currently not supported. That said, we could open
> this up, as PolicyKit allows parameterizing actions. I'd be happy to
> take a patch for this, and I figure it wouldn't even be a particularly
> complex patch... (in lieu of a patch, submit a github RFE...)
>
Should not the solution for this be tied to the user and group fields
mentioned in the unit, so for example the postgresql type service unit
contains...
User=postgres
Group=postgres
Which would mean that the postgres user could start, stop, restart, reload
the postgresql.service as well as any user that has been added to the
postgres group?
JBG