[systemd-devel] Run reboot as normal user

Mohamed Ali Fodha fodha.mohamed.ali at gmail.com
Tue Nov 30 10:35:46 UTC 2021 

Thank you for the answers, I am working on an embedded system and the
polkit is not installed (not enabled at all in yocto build).
I have a systemd service that run as a normal user and for some use case it
requires to do a reboot
I simulate it just for now as a dbus-send as shown below (just for debug -
dbus-send will be replaced by a binary which will do the reboot)
Previously the guest user was in sudoers (so to run reboot the systemd
service uses "sudo") but actually our customer wants to remove the guest
user from sudoers.
Adding capabilities doesn't give me required permissions






*[Service]User=guestExecStart=dbus-send --system --print-reply
--dest=org.freedesktop.systemd1 /org/freedesktop/systemd1
org.freedesktop.systemd1.Manager.StartUnit string:reboot.target
string:replace-irreversiblyAmbientCapabilities=CAP_SYS_BOOT
CAP_SYS_ADMINCapabilityBoundingSet=CAP_SYS_BOOT CAP_SYS_ADMIN*

*[Install]WantedBy=multi-user.target*

Thank,
Mohamed Ali

Le mar. 30 nov. 2021 à 10:37, Colin Guthrie <gmane at colin.guthr.ie> a écrit :

> Mantas Mikulėnas wrote on 30/11/2021 08:42:
> > On Tue, Nov 30, 2021 at 10:11 AM Mohamed Ali Fodha
> > <fodha.mohamed.ali at gmail.com <mailto:fodha.mohamed.ali at gmail.com>>
> wrote:
> >
> >     Hello,
> >
> >     I want to run reboot as normal user using the following command:
> >     dbus-send --system --print-reply --reply-timeout=2000
> >     --type=method_call --dest=org.freedesktop.login1
> >     /org/freedesktop/login1 org.freedesktop.login1.Manager.Reboot
> >     boolean:false
> >
> >     but I got a Permission denied error.
> >
> >     I checked that verify_shutdown_creds (in logind-dbus.c) calls
> >     bus_verify_polkit_async, could it be the reason why I got permission
> >     denied error while polkit is not installed?
> >
> >
> > Yes. Polkit is the authorization system that decides whether to allow
> > normal users to do privileged actions or not.
> >
> >     I don't want to use Polkit or sudo, is there any solution ?
> >
> > No.
>
> When you say you don't want to use polkit, are you just saying you want
> to run dbus-send directly rather than prefixing it with pkexec or that
> you really don't want polkit installed at all?
>
> If you don't mind having polkit installed and configured (doesn't have
> to run all the time) then running dbus-send as above will just work as
> you want (no need to run it via a pkexec wrapper). That's literally the
> job of polkit - to allow certain privileged operations to users.
>
> If this isn't what you want you'll need to write your own suid wrapper
> binary that calls the commands for you.
>
> Col
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/systemd-devel/attachments/20211130/bbb72711/attachment.htm>

More information about the systemd-devel mailing list