Join Log in
Score:1
avatar Ubuntu

How to allow a user to start/stop a specific system service?

mx flag
Erel Segal-Halevi

I am building a server on which my students will be able to upload their projects, which are Python+Flask web-applications. When I add a new user, I add a new service in /etc/systemd/system/[username].service, that automatically runs the user app.

I would like to allow each user to start, stop and restart his/her own service, but not the services of others. So Alice would be able to do e.g. service Alice restart and Bob will be able to do service Bob restart, but not vice-versa.

is this possible?

48
2 + 5
muru avatar
us flag
muru
Can you set up a user service instead? Those are inherently per-user, so the users wouldn't need additional permissions to control them.
1
Reply
mx flag
Erel Segal-Halevi
@muru but a user service stops when the user disconnects. I want the web-apps to remain active even after the users leave.
0
Reply
muru avatar
us flag
muru
Not if you enable lingering: `sudo loginctl enable-linger <username>`
1
Reply
mx flag
Erel Segal-Halevi
@muru I read that linger consumes a lot of resources, since it keeps the entire user session active after the user disconnects. All I need is a way for a user to run a specific privileged command, without access to other privileged commands.
0
Reply
muru avatar
us flag
muru
The entire user session that's kept alive is essentially just those user services which are enabled for those user. If this is on a server, which I guess it is, then it's just this service which you're making, because the other usual user services are desktop ones like pulseaudio.
0
Reply
Score:1
Artur Meinild avatar Ubuntu
vn flag
Artur Meinild

This could be done with a workaround like this:

  1. Create a Bash script (executable) under /usr/local/bin for each user (called <user>.sh for example's sake).

  2. The script for each user just runs the command to restart that user's service, e.g.: systemctl restart <user>
    (If you're creative, you could add different functionality to this script to both start, stop and restart said service.)

  3. Add to the sudoers file the ability for each user to run only their own script. This is done like this (under the # User section):

    # User
<user> ALL=(ALL:ALL) NOPASSWD: /usr/local/bin/<user>.sh

Now each user can run their own /usr/local/bin/<user>.sh without typing a password, and this will restart their service (or do whatever you allow the script to do).

+ 4
muru avatar
us flag
muru
There's no reason for having the NOPASSWD, it shouldn't be a problem for the students to have to enter their password for a sudo command.
0
Reply
Artur Meinild avatar
vn flag
Artur Meinild
You're right, that's completely optional. ^^
0
Reply
mx flag
Erel Segal-Halevi
Do I need to add a separate line for each user? Maybe there is a way to add a generic line that allows each "user" to run "/usr/local/bin/user.sh"?
0
Reply
Artur Meinild avatar
vn flag
Artur Meinild
@ErelSegal-Halevi that depends on how you design your script - but as a basis yes. However, it should be possible to do a clever solution with only one script, but that would take some more work (since it then needs info about who ran the script).
0
Reply
Score:0
Luca Boccassi avatar Ubuntu
cn flag
Luca Boccassi

Not possible currently to do on a per-unit basis, but will hopefully become possible soon when https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/154 is merged and available in a release

+ 0
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.