systemd start as unprivileged user in a group

I was looking for a solution to the same problem and couldn't find one that really satisfied me. A satisfying solution would be to have group support in systemd. But I found this workaround. Let's assume the users you want to grant access to are ann, ben, and chris. They shall all be in a group awesomeproject.

  1. Create a new user awesomeproject and add the users to the group of awesomeproject.
sudo adduser awesomeproject
sudo usermod -a -G awesomeproject ann
sudo usermod -a -G awesomeproject ben
sudo usermod -a -G awesomeproject chris
  2. Add all users of the group to the sudoers file, allowing them to run systemctl as that new user.
sudo visudo

The entries have to look like this:

ann    ALL=(awesomeproject) NOPASSWD: /bin/systemctl
ben    ALL=(awesomeproject) NOPASSWD: /bin/systemctl
chris  ALL=(awesomeproject) NOPASSWD: /bin/systemctl

Instead of putting them in /etc/sudoers, depending on the distribution, it may be better to put them in /etc/sudoers.d/awesomeproject instead using sudo visudo -f /etc/sudoers.d/awesomeproject.

  3. Manage permissions on files and directories accordingly so that members of the group awesomeproject have access to the corresponding files and directories in ~awesomeproject.

  4. The following command should now work for ann, ben, and chris:

sudo -u awesomeproject systemctl ...

This was the solution I eventually came up with. I created:

/etc/polkit-1/localauthority/50-local.d/service-auth.pkla
---
[Allow foogroup to start/stop/restart services]
Identity=unix-group:foogroup
Action=org.freedesktop.systemd1.manage-units
ResultActive=yes

Note that this specifically works for polkit <106 as used in Debian/Ubuntu. Other distributions use a newer version of polkit which would have done something like this:

/etc/polkit-1/rules.d/foogroup.rules
---
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.systemd1.manage-units" &&
        subject.isInGroup("foogroup")) {
        return polkit.Result.YES;
    }
});
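The rule above hands foogroup every verb on every unit on the system (stopping sshd.service included). A tighter variant, added here as an example and not taken from the answer above, limits the group to named units and verbs using the "unit" and "verb" details that systemd attaches to the manage-units action (readable in a rule through action.lookup). The group name, the unit names, the verb strings and the rules.d file name are assumptions for illustration; confirm the exact verb strings against the systemd version you run. The makeAction/makeSubject helpers are constructed stand-ins for the parts of polkit's Action and Subject objects the rule touches, so the decision logic can be exercised offline with node; inside polkitd only the registration block runs. Enabling or disabling units is a different action (org.freedesktop.systemd1.manage-unit-files) and stays untouched by this rule.

```javascript
// Added example (not from the answer above): a least-privilege variant of the
// rules.d approach for polkit >= 106. An assumed drop-in path would be
// /etc/polkit-1/rules.d/50-foogroup-units.rules. Only "var" and ES5
// constructs are used so the same file loads in polkit's embedded JS engine.

// Assumed names for illustration; adjust to the real project.
var ALLOWED_GROUP = "foogroup";
var ALLOWED_UNITS = ["foo.service", "foo-worker.service"];
// Verb strings systemd passes as the "verb" detail. Assumed set: check them
// against your systemd version before relying on them.
var ALLOWED_VERBS = ["start", "stop", "restart", "reload"];

// Pure decision function: returns "yes" when the request should be allowed
// without authentication, otherwise "not_handled" so polkit falls through to
// its remaining rules and the action's default (admin authentication).
function decideManageUnits(action, subject) {
    if (action.id !== "org.freedesktop.systemd1.manage-units") {
        return "not_handled";
    }
    if (!subject.isInGroup(ALLOWED_GROUP)) {
        return "not_handled";
    }
    var unit = action.lookup("unit");
    var verb = action.lookup("verb");
    if (ALLOWED_UNITS.indexOf(unit) === -1) {
        return "not_handled";   // e.g. sshd.service keeps the default policy
    }
    if (ALLOWED_VERBS.indexOf(verb) === -1) {
        return "not_handled";   // any verb outside the allow-list keeps the default
    }
    return "yes";
}

// Registration: runs only inside polkitd, where the polkit global exists.
if (typeof polkit !== "undefined") {
    polkit.addRule(function (action, subject) {
        return decideManageUnits(action, subject) === "yes"
            ? polkit.Result.YES
            : polkit.Result.NOT_HANDLED;
    });
}

// Constructed stand-ins mimicking the parts of polkit's Action and Subject
// API that the rule uses (action.id, action.lookup, subject.isInGroup).
// For offline exercise only; polkitd supplies the real objects.
function makeAction(id, details) {
    return {
        id: id,
        lookup: function (key) { return details[key]; }
    };
}
function makeSubject(groups) {
    return {
        isInGroup: function (g) { return groups.indexOf(g) !== -1; }
    };
}
```

Returning NOT_HANDLED instead of NO for everything outside the allow-list matters: a NO would also override an administrator's own rules that happen to sort later, whereas NOT_HANDLED leaves the default behaviour (an admin password prompt) in place for everything the rule does not explicitly grant.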