[systemd-devel] Best way to limit per-user system-wide units
Tomasz Torcz
tomek at pipebreaker.pl
Tue Dec 13 15:08:19 UTC 2016
On Wed, Dec 14, 2016 at 01:23:14AM +1300, Samuel Williams wrote:
> I'd like my http user to be able to install unit files and start/stop them.
>
> Starting and stopping them is fairly easy with a sudo rule..
>
> But adding them is a bit trickier. I could also use sudo but it seems
> fairly specific.
>
> Is there some way to add a new directory, e.g.
> /etc/systemd/system/http which has permissions specific for http user?
>
> I can install targets/services/etc into that directory and then use
> sudo systemctl start/stop

Keep in mind that allowing a user to define services is basically giving
him root permissions (the user can create a unit with ExecStart=/usr/bin/rm -rf /)*.
So there's no point in separating directories.

You can make this safer by using user instance units. You get a canonical
path with this solution: ~/.config/systemd/user/

* I know about --no-preserve-root

--
Tomasz Torcz
xmpp: zdzichubg at chrome.pl
"Never underestimate the bandwidth of a station wagon filled with backup tapes." -- Jim Gray
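
The reply's point, that write access to a system unit directory amounts to root, can be checked on a host. The script below is an added example, not part of the original e-mail or of systemd: it flags directories and files under a unit path that a non-root account could modify. The function name `audit_unit_dir` is hypothetical, and GNU find is assumed for `-perm /022`.

```shell
#!/bin/sh
# Added example: flag system unit paths that a non-root account can modify.
# Assumption: GNU find (for -perm /022), the usual find on systemd hosts.

# audit_unit_dir DIR [TRUSTED_UID]
# Prints every directory or regular file under DIR that is owned by someone
# other than TRUSTED_UID (default 0, root) or is group/other-writable.
# Symlinks are skipped: their own mode is always 0777, and creating one
# requires write access to the containing directory, which is reported.
# Returns 0 when nothing is flagged, 1 when something is, 2 on a bad DIR.
audit_unit_dir() {
    dir=$1
    trusted_uid=${2:-0}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    findings=$(find "$dir" \( -type d -o -type f \) \
        \( ! -user "$trusted_uid" -o -perm /022 \) -print 2>/dev/null)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# When run as "sh thisfile check", audit the directory named in the thread.
if [ "${1:-}" = "check" ]; then
    audit_unit_dir /etc/systemd/system
    exit $?
fi
```

Any path it prints is a place where a non-root account can define or alter what the system instance of systemd runs; units under ~/.config/systemd/user/ are outside its scope because they run in the user's own instance.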