[systemd-devel] Antw: [EXT] Re: [systemd-devel] Run reboot as normal user

Ulrich Windl Ulrich.Windl at rz.uni-regensburg.de
Wed Dec 1 09:24:31 UTC 2021


>>> Martin Wilck <mwilck at suse.com> wrote on 01.12.2021 at 10:06 in message
<e1c746ffec5c7e95dc52c1b0ca420f15ae8a901f.camel at suse.com>:
> On Tue, 2021-11-30 at 14:11 +0100, Mohamed Ali Fodha wrote:
>> Thanks, but I think using setuid has a security risk for attackers,
>> so I understand there is not so much granularity to manage
>> unprivileged access to systemd in case polkit is not used.
> 
> You could use setcap to set CAP_SYS_ADMIN capabilities on the
> executable you start for rebooting. I don't see a big difference wrt
> using AmbientCapabilities in a systemd service, as long as you restrict
> the program to be executable only by a certain user or group. Polkit
> can't do much more, either. Its main purpose is to serve logged-in
> users that want to do certain privileged actions like mount a volume or
> install software, and trigger pop-ups that ask for either user or admin
> passwords. IIUC it's overengineered for what you're trying to do,
> unless you want to ask for a password or some other extra
> authorization.

And I wonder what's wrong with allowing the shutdown command for the user in
sudoers.
(sudo $(which shutdown) -r now)

> 
> OTOH, if you use CAP_SYS_ADMIN, you might as well use setuid. Same
> argument - if you restrict the program properly, it comes down to
> exactly the same thing that polkit would do, just far simpler.
> 
> Martin
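For the sudoers route mentioned above, an added configuration example that is not part of the thread; the account name "alice" and the path /usr/sbin/shutdown are assumptions to be checked on the target host:

```sudoers
# Added example (not from the thread): let one unprivileged account run exactly
# the reboot command Ulrich mentions, and nothing else, via sudo.
# "alice" and /usr/sbin/shutdown are assumptions; confirm the path with
# `which shutdown`, install this as /etc/sudoers.d/reboot-alice (mode 0440)
# and edit it with `visudo -f` so a syntax error cannot lock you out of sudo.

# Pin both the absolute path and the arguments: a bare "/usr/sbin/shutdown"
# entry would also permit "shutdown -h now", "shutdown -c" and delayed shutdowns.
Cmnd_Alias REBOOT_NOW = /usr/sbin/shutdown -r now

alice ALL=(root) NOPASSWD: REBOOT_NOW
```

The user then runs `sudo /usr/sbin/shutdown -r now`; the rule is only as narrow as the setcap or AmbientCapabilities variants discussed above because the arguments are pinned, and sudo logs each invocation to syslog, which the capability-based variants do not.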
