[systemd-devel] Best way to limit per-user system-wide units
Michael Chapman
mike at very.puzzling.org
Tue Dec 13 22:21:22 UTC 2016
On Wed, 14 Dec 2016, Samuel Williams wrote:
> Reindl, I understand where you are coming from, but I'm not sure I
> understand what the alternative you are proposing is, are you
> suggesting I use su?

Putting aside the issue of having users link their own units into the
system configuration -- as pointed out elsewhere in this thread, that comes
with a *lot* of security issues -- you don't even need sudo or su to allow
users to control system units.

systemd uses polkit for authentication, and you can write polkit rules to
grant access to particular operations on particular units to particular
users or groups.

Unfortunately this feature isn't particularly well-documented at the
moment, but you can take a look at an example at the top of:
https://github.com/systemd/systemd/pull/1159

More details on these rule files are in the polkit(8) manpage, under
Authorization Rules.

- Michael
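
An added example, not part of the original message and not code from the systemd project: a polkit rule of the kind described above, scoped to one unit, a short list of verbs and one group, with a small stub so the decision logic can be checked under Node before the rule is installed. The unit name `myapp.service`, the group `myapp-admins` and the `evaluate` helper are constructed for illustration; `unit` and `verb` are the details systemd attaches to the `org.freedesktop.systemd1.manage-units` action.

```javascript
// Added example. Under polkitd the `polkit` global exists; the stub below
// stands in for it only when the file is run under Node for testing.
var pk = (typeof polkit !== "undefined") ? polkit : {
  Result: { YES: "yes", NOT_HANDLED: "not-handled" },
  rules: [],
  addRule: function (fn) { this.rules.push(fn); }
};

var ALLOWED_UNIT = "myapp.service";               // constructed unit name
var ALLOWED_VERBS = ["start", "stop", "restart"]; // nothing else is granted
var ALLOWED_GROUP = "myapp-admins";               // constructed group name

// The rule itself: this call is what would go into a polkit rules file.
pk.addRule(function (action, subject) {
  if (action.id !== "org.freedesktop.systemd1.manage-units") {
    return pk.Result.NOT_HANDLED;
  }
  // Grant only the exact unit, an allowed verb, and a member of the group.
  if (action.lookup("unit") === ALLOWED_UNIT &&
      ALLOWED_VERBS.indexOf(action.lookup("verb")) !== -1 &&
      subject.isInGroup(ALLOWED_GROUP)) {
    return pk.Result.YES;
  }
  // Everything else falls through to the default policy for the action.
  return pk.Result.NOT_HANDLED;
});

// Test helper (hypothetical, Node only): run the stubbed rules for a request.
function evaluate(unit, verb, groups, actionId) {
  var details = { unit: unit, verb: verb };
  var action = {
    id: actionId || "org.freedesktop.systemd1.manage-units",
    lookup: function (key) { return details[key]; }
  };
  var subject = {
    isInGroup: function (g) { return groups.indexOf(g) !== -1; }
  };
  for (var i = 0; i < pk.rules.length; i++) {
    var result = pk.rules[i](action, subject);
    if (result && result !== pk.Result.NOT_HANDLED) { return result; }
  }
  return pk.Result.NOT_HANDLED;
}
```

Returning `NOT_HANDLED` rather than an explicit denial leaves every request the rule does not match to the default policy, so the rule can only widen access for the one unit it names.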