I created some systemd services which basically works:
location:
/etc/systemd/system/multi-user.target.wants/publicapi.service
content:
[Unit]
Description=public api startup script
[Service]
Type=oneshot
RemainAfterExit=yes
EnvironmentFile=-/etc/environment
WorkingDirectory=/home/techops
ExecStart=/home/techops/publicapi start
ExecStop=/home/techops/publicapi stop
[Install]
WantedBy=multi-user.target
When I try to restart the service as techops user in the command line, I get the following output:
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ===
Authentication is required to start 'publicapi.service'.
Multiple identities can be used for authentication:
1. Myself,,, (defaultuser)
2. ,,, (techops)
Choose identity to authenticate as (1-2):
I want that only techops can restart services and I want that this prompt does not appear when being logged in as techops. How can I do that?
I read that there are different approaches with polkit-1 or sudoers, but I'm unsure.
[UPDATE] 2019-01-27 4:40pm
Thanks for this comprehensive answer to Thomas and Perlduck. It helped me to improve my knowledge of systemd.
According to the approach to start the service without a password prompt, and I want to apologize that I did not emphasize the real problem enough:
Actually, what is most important for me is that no other user than techops should stop or start the service. But at least with the first two approaches I can still run service publicapi stop
and I get the prompt ==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ===
again. When I choose the defaultuser and know the password, I could stop all the services. I want to deny this user from doing that, even if he has the password. Important background info to better understand why this is the more important part for me:
The defaultuser is the only user which is exposed to ssh but this user cannot do anything else (except changing to other users if you have the password of these other users). But at the moment, he can start or stop the services, but this user must not to do this.
If someone gets the password of defaultuser and logs in via ssh, then he could stop all the services at the moment. This is what I meant with "I want that only techops can restart services". Sorry, that I was no that exact at my initial question. I thought that sudoing the techops user would maybe bypass this problem, but it does not. The problem itself is not to run the command without password prompt. (I could easily do that as techops user when I just execute /home/techops/publicapi start
). The problem itself is to lock out the defaultuser from starting these services.
And I hoped that any of the solutions could do that.
I started with the approaches of Thomas.
The approach with sudo works when I don't want to get asked for the password for the user techops when I execute the commands as explained, e.g.
sudo systemctl start publicapi.service
sudo systemctl stop publicapi.service
The second approach does not work for me yet. I cannot start the service without password prompt ==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ===
and I stall can login as defaultuser when I have the password of this user.
With the third approach, the service does not even start at boot process anymore so I'm not sure if this approach is the right one for me at all. I cannot even able it with systemctl enable publicapi.service
which leads me to the following error:
Failed to enable unit: Unit file mycuisine-publicapi.service does not exist.
The error does no occur when I move all the services back into /etc/systemd/system/ and execute systemctl enable publicapi.service
. Then the service starts again at boot.
All these approaches will more or less help to bypass the password prompt for the techops user but when I run service publicapi stop
or systemctl stop publicapi
with defaultuser, I can stop the services if I have the password. But my target is to lock out defaultuser from starting or stopping services at all.
Best Answer
To achieve that the user
techops
can control the servicepublicapi.service
without giving a password, you have different possiblities. Which one is suitable for you cannot be answered as you have to choose on your own.The classical
sudo
approach is maybe the most used, as it is there for a long time. You would have to create e.g. the file as follows.Note that the drop-in directory
/etc/sudoers.d
is only active when#includedir /etc/sudoers.d
is set in/etc/sudoers
. But that should be the case if you are using a modern Ubuntu distribution. Asroot
execute:Now you should be able to run the
systemctl
commands as usertechops
without giving a password by prependingsudo
to the commands.The second method would be to use PolKit (was renamed from PolicyKit) to allow the user
techops
to controlsystemd
services. Depending on the version ofpolit
, you can give normal users control over systemd units.To check the polkit version, just run
pkaction --version
.with polkit version 0.106 and higher, you can allow users to control specific systemd units.
To do so, you could create a rule as
root
:with polkit version 0.105 and lower: you can allow users to control systemd units. This unfortunately includes all systemd units and you might not want to do this. Not sure if there is a way to limit access to specific systemd units with version 0.105 or lower, but maybe someone else can clarify.
To enable this, you could create a file as
root
:In both cases you can run
systemctl [start|stop|restart] publicapi.service
as usertechops
without giving a password. In the latter case ( polkit <= 0.105 ) the usertechops
could control any systemd unit.A third option would be to make the service a user service, which does not need
sudo
orpolkit
configurations. This puts everything under the control of the user and only works if your actual service that is started with/home/techops/publicapi start
can run withoutroot
privileges.First you have to enable lingering for the user
techops
. This is needed to startup the user service on boot. Asroot
execute:Next you have to move the
systemd
unit file into thetechops
user directory. As usertechops
execute the commands as follows.Note that the
WantedBy
has to bedefault.target
as there is nomulti-user.target
in the user context.Now reload the configuration and enable the service. Again as user
techops
execute the commands.In general you should place your systemd units in
/etc/systemd/system/
not directly in/etc/systemd/system/multi-user.target.wants
. When you executesystemctl enable publicapi.service
a symbolic link will be created inetc/systemd/system/multi-user.target.wants
or whatever target is specified for that unit.As already mentioned, if the service/process itself can be run without root privileges you should consider adding
User=techops
to your unit file to run the process with a non-privileged user account.