[systemd-devel] Best way to limit per-user system-wide units

Samuel Williams space.ship.traveller at gmail.com
Tue Dec 13 22:39:28 UTC 2016


> Putting aside the issue of having users link their own units into the system configuration -- as pointed out elsewhere in this thread, that comes with a *lot* of security issues -- you don't even need sudo or su to allow users to control system units.

You are absolutely correct. The users have control of the software
that's being run on the system in any case; if they are malicious it's
game over. Nothing can prevent that. On production, the only user is
`ci` anyway. It could be that we run the foreman export task as this
user, which has password-less sudo. It's not feasible to manage 20
independent passwords for 20 deployments. SSH keys are the best option
in my experience, but I welcome any suggestions here.

What I'm more interested in doing is *protecting the http user so that
if someone, somehow, does manage to crack the web application, they
can't get root*.

Right now, that is possible by allowing `sudo systemctl link` or
equivalent, which is why I'm here discussing the issue. We'd ideally
like to keep http, http everywhere (i.e. no obvious/deliberate ability
for privilege escalation).

The nice thing about sudo is that it is a general framework that is
well tested, well documented, and works everywhere... polkit, less so.
Even with the best of intentions, looking at how well people have
managed to script security features (e.g. look at the whole ethereum
contract fiasco), stuff in that PR makes me a bit worried. What's the
chance someone screws up a security rule? JavaScript is only a small
step up from PHP in terms of semantic rigour, so I'd be concerned
about that too.

As I said, ideally we'd be able to enforce this logic directly within
`/etc/systemd/system/$user`, but if that's not possible, `systemd
--user` is a close second, given what I've seen. We just need to figure
out how to make it work in a sudo environment (it could necessitate a
change to /etc/sudoers, which would be fine).

Thanks for your input.
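The message above distinguishes a sudoers rule that quietly hands the http user root (`sudo systemctl link` "or equivalent") from one that keeps http as http. The script below is an added example from the editor, not code from the thread or from systemd: it classifies a single sudoers rule line and flags the systemctl grants that reach root. The user name `http`, the unit `myapp.service`, the path `/srv/http/myapp.service` and the sample rules are constructed for the demonstration. It assumes the rule is one line of the form `user HOST=(RunAs) [TAG:] /path/cmd args, ...` and does not follow Defaults, aliases or `#include` lines.

```shell
#!/bin/sh
# Added example (not from the thread): classify sudoers rules that grant
# "sudo systemctl" to a service account, flagging the forms that hand the
# caller root. It understands one sudoers line of the shape
#     user HOST=(RunAs) [TAG:] /path/cmd args, /path/cmd args
# and leaves Defaults, aliases and #include lines out of scope.

# Exit status 0 (true) means the rule is unsafe; 1 means every command in it
# is bounded. The body runs in a subshell so 'set -f' and IFS stay local.
sudoers_rule_is_unsafe() (
    set -f                                  # rule text may contain '*'; never glob it
    rule=$1
    cmds=${rule#*=}                         # "(RunAs) TAG: cmd, cmd, ..."
    # Drop the RunAs spec and tags such as NOPASSWD: or SETENV:.
    cmds=$(printf '%s' "$cmds" | sed -e 's/^[[:space:]]*([^)]*)//' -e 's/[A-Z]*:[[:space:]]*//g')
    IFS=','
    set -- $cmds
    unset IFS
    for cmd in "$@"; do
        cmd=$(printf '%s' "$cmd" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
        case "$cmd" in
            ALL)                   exit 0 ;;  # any command as the RunAs user
            */systemctl|systemctl) exit 0 ;;  # no argument list: sudoers then permits any arguments
            *systemctl\ *[*?]*)    exit 0 ;;  # wildcard: in sudoers '*' matches whitespace too
            *systemctl\ *)         ;;         # fixed argument list: look at the verb
            *)                     continue ;;  # not a systemctl command: out of scope here
        esac
        args=${cmd#*systemctl}
        set -- $args
        while [ $# -gt 0 ]; do              # skip global options (--user, --no-block, ...)
            case "$1" in -*) shift ;; *) break ;; esac
        done
        verb=${1:-}
        if [ $# -gt 0 ]; then shift; fi
        case "$verb" in
            edit)
                exit 0 ;;                   # opens an editor as root and writes a unit drop-in
            link|enable)
                for a in "$@"; do           # an absolute path means the caller supplies the unit file
                    case "$a" in /*) exit 0 ;; esac
                done ;;
        esac
    done
    exit 1
)

# Constructed sample rules, not from the thread. The http rules show four
# ways the web application's user would reach root and two bounded forms;
# the ci rule is the password-less sudo the message mentions.
check_samples() {
    for rule in \
        'http ALL=(root) NOPASSWD: /usr/bin/systemctl' \
        'http ALL=(root) NOPASSWD: /usr/bin/systemctl link /srv/http/myapp.service' \
        'http ALL=(root) NOPASSWD: /usr/bin/systemctl restart *' \
        'http ALL=(root) NOPASSWD: /usr/bin/systemctl edit myapp.service' \
        'http ALL=(root) NOPASSWD: /usr/bin/systemctl restart myapp.service, /usr/bin/systemctl status myapp.service' \
        'http ALL=(root) NOPASSWD: /usr/bin/systemctl --no-block enable myapp.service' \
        'ci ALL=(ALL) NOPASSWD: ALL'
    do
        if sudoers_rule_is_unsafe "$rule"; then
            printf 'UNSAFE  %s\n' "$rule"
        else
            printf 'bounded %s\n' "$rule"
        fi
    done
}

check_samples
```

The bounded form is the "http, http everywhere" property the message asks for: an exact argument list in sudoers lets the http user restart or inspect one named unit and nothing else. The script cannot see what it cannot parse, so it will not catch a `systemctl start` of a unit whose unit file or ExecStart binary the http user can write; that has to be checked against file ownership separately. The `systemd --user` route the message calls a close second avoids sudo entirely: with `loginctl enable-linger http` the user manager keeps running without a login session and http manages its own units without ever crossing into root.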

