Mantas Mikulėnas wrote on 02/10/2019 16:37:
> On Wed, Oct 2, 2019 at 5:58 PM Ian Pilcher <arequipeno@xxxxxxxxx> wrote:
>
> > On 9/26/19 11:49 AM, Mantas Mikulėnas wrote:
> > > In JS-based polkit rules, the action usually comes with 'unit' and
> > > 'verb' polkit variables -- according to src/core/dbus-unit.c:
> > >
> > >     if (action.id == "org.freedesktop.systemd1.manage-unit" &&
> > >         action.lookup("unit") == "foo.service") {
> > >         return polkit.Result.YES;
> > >     }
> > >
> > > In older polkit versions which use .pkla rules, variables are not
> > > available at all.
> >
> > They don't seem to be available on CentOS 7, which has systemd 219,
> > either (even though it does use JavaScript rules). :(
>
> Ah yes, according to NEWS it's a v226 change.

Yeah, in CentOS 7 I had to do something like this:

/etc/polkit-1/rules.d/foo.rules:

    polkit.addRule(function(action, subject) {
      // Only handle pkexec requests made by the one permitted user.
      if (action.id.indexOf("org.freedesktop.policykit.exec") != 0 ||
          subject.user != 'my-permitted-user')
        return polkit.Result.NOT_HANDLED;

      // Expect exactly: /usr/bin/systemctl start --no-block my-template-unit@<job>
      var prefix = 'my-template-unit@';
      var cmd = action.lookup('command_line').split(' ');
      if (cmd.length == 4 && cmd[0] == '/usr/bin/systemctl' &&
          cmd[1] == 'start' && cmd[2] == '--no-block' &&
          cmd[3].indexOf(prefix) == 0) {
        // Instance name: the text after the prefix, up to the first dot.
        var job = cmd[3].substr(prefix.length).split('.')[0];
        var valid = /^tl[A-Z][a-zA-Z0-9_]*$/;
        if (job.match(valid))
          return polkit.Result.YES;
      }
      return polkit.Result.NOT_HANDLED;
    });

Then I could run:

    pkexec /usr/bin/systemctl start --no-block my-template-unit@whatever

as "my-permitted-user" without any prompt.

It's a nasty workaround, but for me it was all wrapped up in a script rather than manually run, so it didn't matter too much really.

You can adjust that to suit, make it more tolerant to other arguments etc, but it's definitely nowhere near as nice or elegant as the proper approach (esp with the pkexec prefix!)

Col

--

Colin Guthrie
gmane(at)colin.guthr.ie
http://colin.guthr.ie/

Day Job:
  Tribalogic Limited http://www.tribalogic.net/
Open Source:
  Mageia Contributor http://www.mageia.org/
  PulseAudio Hacker http://www.pulseaudio.org/
  Trac Hacker http://trac.edgewall.org/
_______________________________________________
systemd-devel mailing list
systemd-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
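
The decision logic of the pkexec rule in the message above can be exercised outside polkit before the file goes into /etc/polkit-1/rules.d/. This is an added example, not code from the original message or from polkit: `decide`, the `Result` stand-in for `polkit.Result` and every sample command line are constructed for illustration, while the user name, unit prefix and instance pattern are the ones quoted in the rule.

```javascript
// Added example (not from the original message): offline check of the rule's logic.
// Result stands in for polkit.Result; decide() and all samples are constructed.
const Result = { YES: "yes", NOT_HANDLED: "not_handled" };
const PREFIX = "my-template-unit@";           // unit prefix from the rule
const VALID_JOB = /^tl[A-Z][a-zA-Z0-9_]*$/;   // instance pattern from the rule

function decide(actionId, user, commandLine) {
  if (actionId.indexOf("org.freedesktop.policykit.exec") !== 0 ||
      user !== "my-permitted-user") {
    return Result.NOT_HANDLED;
  }
  const cmd = commandLine.split(" ");
  // Exactly four words: extra arguments fall through to the default policy.
  if (cmd.length !== 4 || cmd[0] !== "/usr/bin/systemctl" ||
      cmd[1] !== "start" || cmd[2] !== "--no-block" ||
      cmd[3].indexOf(PREFIX) !== 0) {
    return Result.NOT_HANDLED;
  }
  // Only the text between the prefix and the first dot is validated.
  const job = cmd[3].slice(PREFIX.length).split(".")[0];
  return VALID_JOB.test(job) ? Result.YES : Result.NOT_HANDLED;
}

const BASE = "/usr/bin/systemctl start --no-block ";
// Constructed requests: [user, command line, expected result].
const SAMPLES = [
  ["my-permitted-user", BASE + "my-template-unit@tlBackup", Result.YES],
  ["my-permitted-user", BASE + "my-template-unit@tlBackup.service", Result.YES],
  ["my-permitted-user", BASE + "my-template-unit@tlBackup.timer", Result.YES],
  ["my-permitted-user", BASE + "my-template-unit@job1", Result.NOT_HANDLED],
  ["my-permitted-user", BASE + "my-template-unit@tlBackup sshd.service", Result.NOT_HANDLED],
  ["my-permitted-user", BASE + "other-unit@tlBackup", Result.NOT_HANDLED],
  ["my-permitted-user", "/usr/bin/systemctl stop --no-block my-template-unit@tlBackup", Result.NOT_HANDLED],
  ["someone-else", BASE + "my-template-unit@tlBackup", Result.NOT_HANDLED],
];

function runSamples() {
  return SAMPLES.map(([user, line, expected]) => {
    const got = decide("org.freedesktop.policykit.exec", user, line);
    return { line, got, ok: got === expected };
  });
}

for (const r of runSamples()) {
  console.log((r.ok ? "ok   " : "FAIL ") + r.got.padEnd(12) + r.line);
}
```

The `.timer` sample is approved because everything after the first dot is discarded before the pattern check; compare the full unit name instead if only `.service` instances should start without a prompt.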