Re: org.freedesktop.systemd1.manage-units - which unit?

Mantas Mikulėnas wrote on 02/10/2019 16:37:
> On Wed, Oct 2, 2019 at 5:58 PM Ian Pilcher <arequipeno@xxxxxxxxx> wrote:
> 
>     On 9/26/19 11:49 AM, Mantas Mikulėnas wrote:
>     > In JS-based polkit rules, the action usually comes with 'unit' and
>     > 'verb' polkit variables -- according to src/core/dbus-unit.c:
>     >
>     >      if (action.id == "org.freedesktop.systemd1.manage-units" &&
>     >          action.lookup("unit") == "foo.service") {
>     >        return polkit.Result.YES;
>     >      }
>     >
>     > In older polkit versions which use .pkla rules, variables are not
>     > available at all.
> 
>     They don't seem to be available on CentOS 7, which has systemd 219,
>     either (even though it does use JavaScript rules).  :(
> 
> 
> Ah yes, according to NEWS it's a v226 change.

Yeah, in CentOS 7 I had to do something like this:

/etc/polkit-1/rules.d/foo.rules:


polkit.addRule(function(action, subject) {
  // Only handle pkexec requests from the one permitted user; everything
  // else falls through to the normal polkit policy (i.e. an auth prompt).
  if (action.id.indexOf("org.freedesktop.policykit.exec") != 0 ||
      subject.user != 'my-permitted-user')
    return polkit.Result.NOT_HANDLED;

  // pkexec exposes the full command line as a detail; match it token by
  // token so only exactly "systemctl start --no-block <template>@<inst>" passes.
  var cmdline = action.lookup('command_line');
  if (cmdline === undefined)
    return polkit.Result.NOT_HANDLED;
  var prefix = 'my-template-unit@';
  var cmd = cmdline.split(' ');
  if (cmd.length == 4 && cmd[0] == '/usr/bin/systemctl' && cmd[1] == 'start' &&
      cmd[2] == '--no-block' && cmd[3].indexOf(prefix) == 0) {
    // Instance name between "@" and the first "." (offset taken from the
    // prefix length rather than hard-coded), then allow-list its shape.
    var job = cmd[3].substr(prefix.length).split('.')[0];
    var valid = /^tl[A-Z][a-zA-Z0-9_]*$/;
    if (job.match(valid))
      return polkit.Result.YES;
  }

  return polkit.Result.NOT_HANDLED;
});


Then I could run:

 pkexec /usr/bin/systemctl start --no-block my-template-unit@whatever

as "my-permitted-user" without any prompt.

It's a nasty workaround, but for me it was all wrapped up in a script
rather than run manually, so it didn't matter too much really.

You can adjust that to suit, making it more tolerant of other arguments
etc., but it's definitely nowhere near as nice or elegant as the proper
approach (especially with the pkexec prefix!)

Col




-- 

Colin Guthrie
gmane(at)colin.guthr.ie
http://colin.guthr.ie/

Day Job:
  Tribalogic Limited http://www.tribalogic.net/
Open Source:
  Mageia Contributor http://www.mageia.org/
  PulseAudio Hacker http://www.pulseaudio.org/
  Trac Hacker http://trac.edgewall.org/
_______________________________________________
systemd-devel mailing list
systemd-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/systemd-devel



