[systemd-devel] grant users access to certain services only
Christian Seiler
christian at iwakd.de
Fri Aug 21 04:29:15 PDT 2015
On 21.08.2015 12:04, Jóhann B. Guðmundsson wrote:
> Should not the solution for this be tied to the user and group field
> mentioned in the unit so for example the postgresql type service unit
> contains...
> User=postgres
> Group=postgres
>
> Which would mean that the posgres user could start,stop,restart,reload
> the postgresql.service as well as any user that has been added to the
> postgres group?
For postgres it would probably solve this problem (as long as it's
configurable), the question is whether you'd maybe rather want something
a bit more generic for the future.
I would suggest a setting like
UnitControl=alice bob group:foobar
that would enable alice, bob and everybody in group foobar to control
that specific unit. (The name for the setting is debatable.)
That would be quite simple but still very flexible and generic. The only
problem I see is that for this to be useful, you'd need to be able to
resolve the names, and you don't want to do that in pid 1. Question is
whether PolicyKit (not pid 1) can do that check for systemd with systemd
just passing along the whitelist somehow. (Don't know too much about
PolicyKit yet to answer that question myself, unfortunately.) The same
problem also applies to the solution of tying it to User=/Group=, however.
Just my 2c.
Christian
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freedesktop.org/archives/systemd-devel/attachments/20150821/d869c4c5/attachment.sig>
More information about the systemd-devel
mailing list