2

I am building a server on which my students will be able to upload their projects, which are Python+Flask web-applications. When I add a new user, I add a new service in /etc/systemd/system/[username].service, that automatically runs the user app.

I would like to allow each user to start, stop and restart his/her own service, but not the services of others. So Alice would be able to do e.g. service Alice restart and Bob will be able to do service Bob restart, but not vice-versa.

Is this possible?

  • 1
    Can you set up a user service instead? Those are inherently per-user, so the users wouldn't need additional permissions to control them. – muru Aug 31 '23 at 11:29
  • @muru but a user service stops when the user disconnects. I want the web-apps to remain active even after the users leave. – Erel Segal-Halevi Aug 31 '23 at 11:43
  • 1
    Not if you enable lingering: sudo loginctl enable-linger <username> – muru Aug 31 '23 at 11:45
  • @muru I read that linger consumes a lot of resources, since it keeps the entire user session active after the user disconnects. All I need is a way for a user to run a specific privileged command, without access to other privileged commands. – Erel Segal-Halevi Aug 31 '23 at 12:10
  • The entire user session that's kept alive is essentially just those user services which are enabled for that user. If this is on a server, which I guess it is, then it's just this service which you're making, because the other usual user services are desktop ones like pulseaudio. – muru Aug 31 '23 at 12:17

2 Answers

2

This could be done with a workaround like this:

  1. Create a Bash script (executable) under /usr/local/bin for each user (called <user>.sh for example's sake).

  2. The script for each user just runs the command to restart that user's service, e.g.: systemctl restart <user>
    (If you're creative, you could add different functionality to this script to both start, stop and restart said service.)

  3. Add to the sudoers file the ability for each user to run only their own script. This is done like this (under the # User section):

    # User
    <user> ALL=(ALL:ALL) NOPASSWD: /usr/local/bin/<user>.sh
    

Now each user can run their own /usr/local/bin/<user>.sh without typing a password, and this will restart their service (or do whatever you allow the script to do).

Artur Meinild
  • 1
    There's no reason for having the NOPASSWD, it shouldn't be a problem for the students to have to enter their password for a sudo command. – muru Aug 31 '23 at 13:24
  • You're right, that's completely optional. ^^ – Artur Meinild Aug 31 '23 at 16:32
  • Do I need to add a separate line for each user? Maybe there is a way to add a generic line that allows each "user" to run "/usr/local/bin/user.sh"? – Erel Segal-Halevi Sep 01 '23 at 01:24
  • @ErelSegal-Halevi that depends on how you design your script - but as a basis yes. However, it should be possible to do a clever solution with only one script, but that would take some more work (since it then needs info about who ran the script). – Artur Meinild Sep 01 '23 at 05:47
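
The single-script variant raised in the comments above, as an added example that is not part of the original answer: one root-owned wrapper derives the unit name from `SUDO_USER` (which sudo sets to the invoking user's login name) and accepts only a fixed set of actions. The script name `appctl`, its path and the `students` group are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the answer). Hypothetical install path:
#   /usr/local/bin/appctl, owned by root, mode 0755.
# One sudoers rule for everyone, assuming a group named "students":
#   %students ALL=(root) /usr/local/bin/appctl
LC_ALL=C; export LC_ALL   # make the character ranges below ASCII-only

# unit_for ACTION USER: print USER's unit name, or fail if either is not allowed.
unit_for() {
    case $1 in
        start|stop|restart) ;;   # "status" is left out: its pager would run as root
        *) return 1 ;;
    esac
    case $2 in
        ''|root) return 1 ;;                  # not run through sudo, or run by root
        *[!A-Za-z0-9_-]*) return 1 ;;         # no dots, spaces, slashes, globs
        [!A-Za-z_]*) return 1 ;;              # must not start with "-" or a digit
    esac
    printf '%s.service\n' "$2"
}

main() {
    PATH=/usr/sbin:/usr/bin:/sbin:/bin; export PATH
    # SUDO_USER is set by sudo to the login name of the invoking user.
    unit=$(unit_for "${1:-}" "${SUDO_USER:-}") || {
        echo "usage: sudo appctl {start|stop|restart}" >&2
        exit 1
    }
    exec systemctl "$1" "$unit"
}

# With no arguments nothing is executed.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Alice then runs `sudo appctl restart` and can only ever reach `Alice.service`, because the unit name is never taken from her arguments.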
0

Not possible currently to do on a per-unit basis, but will hopefully become possible soon when https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/154 is merged and available in a release.