我的根目录中有一个服务,我想授予用户组管理员权限来运行该服务。
该服务存在于/root/home/custom_service/service.service
我chgrp admin ./home/custom_service/
当时尝试过chmod g+rx ./home/custom_service/
当我检查权限时ls -l ./home/custom_service/
我得到-rw-r-xr-- 1 root admin 449 May 30 11:23 service.service
当我尝试从我的 testUsr 帐户(位于组管理员中)运行该服务时,结果如下:
我跑:
systemctl start service.service
结果:
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ===
Authentication is required to manage system services or units.
Authenticating as: scarycall
Password:
polkit-agent-helper-1: pam_authenticate failed: Permission denied
==== AUTHENTICATION FAILED ===
Failed to start service.service: Access denied
See system logs and 'systemctl status service.service' for details.
注意:我可以从 root 运行该服务。
更新:
这是我的 polkit 规则文件:
Array.prototype.includes = function(variable) {
for (var i = 0; i < this.length; i++) { if (this[i] === variable) { return true; } }
return false;
}
polkit.addRule(function(action, subject) {
var allowed = {
units: [
// Here you can add units that you want to allow admin users to manage.
"service.service"
],
actions: [
"org.freedesktop.systemd1.manage-units"
],
verbs: [
"start", "stop", "restart"
]
}
var unit_name = action.lookup("unit");
polkit.log("Action" + action);
polkit.log("Unit=" + unit_name);
polkit.log("Action ID=" + action.id);
polkit.log("Verb=" + action.lookup("verb"));
polkit.log("Subject=" + subject);
if (allowed.actions.includes(action.id) &&
allowed.units.includes(unit_name) &&
allowed.verbs.includes(action.lookup("verb")) &&
subject.isInGroup("admin")
) {
return polkit.Result.YES;
}
});
我运行的系统的 systemd 版本为 219,它不会通过操作传递单元或动词。该规则的日志如下所示:
/etc/polkit-1/rules.d/10-insight-service.rules:23: Action[Action id='org.freedesktop.systemd1.manage-units
/etc/polkit-1/rules.d/10-insight-service.rules:24: Unit=undefined
/etc/polkit-1/rules.d/10-insight-service.rules:25: Action ID=org.freedesktop.systemd1.manage-units
/etc/polkit-1/rules.d/10-insight-service.rules:26: Verb=undefined
/etc/polkit-1/rules.d/10-insight-service.rules:27: Subject=[Subject pid=13762 user='testUsr' groups=admin seat='' session='2072' local=false active=true]
直到 v226 才添加单位和动词详细信息,如下所示: https://github.com/systemd/systemd/commit/88ced61bf9673407f4b15bf51b1b408fd78c149d
解决: 因为我运行的系统运行旧版本的 systemd,所以它不支持操作的单位或动词详细信息。所以我决定使用 sudo 权限并且成功了。
在 sudoer 文件中我添加了:
%admin ALL= NOPASSWD: /bin/systemctl start service.service
%admin ALL= NOPASSWD: /bin/systemctl stop service.service
%admin ALL= NOPASSWD: /bin/systemctl restart service.service
%admin ALL= NOPASSWD: /bin/systemctl status service.service
答案1
您可以创建 Polkit 策略,允许admin
组中的用户启动、停止或重新启动特定系统单元。例如。
// Allow user in admin group to manage specific systemd units
Array.prototype.includes = function(variable) {
for (var i = 0; i < this.length; i++) { if (this[i] === variable) { return true; } }
return false;
}
polkit.addRule(function(action, subject) {
var allowed = {
units: [
// Here you can add units that you want to allow admin users to manage.
"backup.service",
"nginx.service",
"backup-rotate.service"
],
actions: [
"org.freedesktop.systemd1.manage-unit-files"
],
verbs: [
"start", "stop", "restart"
]
}
var unit_name = action.lookup("unit");
if (allowed.actions.includes(action.id) &&
allowed.units.includes(unit_name) &&
allowed.verbs.includes(action.lookup("verb")) &&
subject.isInGroup("admin")
) {
return polkit.Result.YES;
}
});
将策略文件另存为/etc/polkit-1/rules.d/60-units.rules
,新规则应立即生效。