[systemd-devel] User service with suid executable

Martin Novák mtnvk at seznam.cz
Fri Jan 8 04:49:09 PST 2016


On 01/08/2016 11:27 AM, Simon McVittie wrote:
> On 07/01/16 23:14, Martin Novák wrote:
> >> I've created this (toy) user service for running desktop of different
>> user
>
> I don't think a user service is an appropriate tool for this job. If you
> have sudo privileges, you can use a system service, or perhaps even a
> user service that runs as the other user.

Well, I have sudo privileges for the other user, not for root. Besides,
the service executable could have been setuid for a different user and not
root. I think both are valid use cases. Imagine 2 developers working on
a multiseat system wanting to share their programs for accessing some
webservice without revealing their credentials. The other developer may
want to use it from a systemd timer unit. Distasteful as it may be, it's
the straightforward way to do the job and it's secure if used correctly.

I also remember one code base, where the (commercial) service was
composed of several scripts running from cron of a dedicated user. Some of
these scripts were (Perl) suid root (for network related things) and
they were exec()-ed by scripts initially running as the dedicated user,
which authenticated with PostgreSQL via OS user credentials.

Anyway, I was only interested if there's currently some cleaner way,
perhaps built into systemd, because I've noticed that systemd already
supports tty input via the StandardInput option. If there isn't, I'll try to
come up with a patch.

Thank you.

