As pointed out by Simão, the unit information is not supplied to polkit by systemd on RHEL 7. One way around the problem is to use pkexec to wrap the call to systemctl. You would need a wrapper script for your specific service, then have the rules apply to pkexec. The users would execute the command
pkexec /path/to/script
and the polkit rule would look something like this:
polkit.addRule(function(action, subject) {
    // Match only pkexec requests (org.freedesktop.policykit.exec) that run
    // exactly this wrapper script as root, and only for members of someGroup.
    if (action.id == "org.freedesktop.policykit.exec" &&
        action.lookup("user") == "root" &&
        action.lookup("program") == "/path/to/script" &&
        subject.isInGroup("someGroup")) {
        return polkit.Result.YES;
    }
    // Anything else falls through to the remaining rules / default policy.
    return polkit.Result.NOT_HANDLED;
});
In a practical sense, this just re-creates sudo and scripts using the polkit framework. Whether this is "better" than using sudo is a value judgement I'll leave to others.
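Because the rule above authorises a program path rather than a systemd unit, everything that script does runs as root for anyone in the group, so the wrapper itself is the place to constrain what can happen. The following wrapper is an added example, not code from the answer above; it assumes the script lives at /usr/local/sbin/manage-myservice (root-owned, mode 0755) and controls a unit called myservice.service. It accepts exactly one argument from a fixed list of verbs and passes it to systemctl as a separate argv entry, so a caller cannot reach other units or other systemctl subcommands through it.

```shell
#!/bin/sh
# Example pkexec wrapper (assumed path: /usr/local/sbin/manage-myservice).
# Invoked by unprivileged users as:  pkexec /usr/local/sbin/manage-myservice start
# The polkit rule authorises this path, so the script runs as root: keep it
# root-owned and writable only by root, and validate every input strictly.

UNIT="myservice.service"   # assumed unit name; hard-coded on purpose

# validate_verb VERB: succeed only for the small set of allowed systemctl verbs.
validate_verb() {
    case "$1" in
        start|stop|restart|status) return 0 ;;
        *) return 1 ;;
    esac
}

# build_command VERB...: print the exact command line that would be executed,
# or fail if the arguments are not exactly one allowed verb.
build_command() {
    if [ "$#" -eq 1 ] && validate_verb "$1"; then
        printf '%s\n' "systemctl $1 $UNIT"
    else
        return 1
    fi
}

# Run the real action only when executed as the wrapper script itself
# (not when the functions are sourced elsewhere).
if [ "${0##*/}" = "manage-myservice" ]; then
    # pkexec already clears most of the environment; be explicit about PATH
    # so "systemctl" cannot resolve to anything unexpected.
    PATH=/usr/bin:/bin:/usr/sbin:/sbin; export PATH
    if [ "$#" -ne 1 ] || ! validate_verb "$1"; then
        printf 'usage: %s start|stop|restart|status\n' "$0" >&2
        exit 2
    fi
    # The verb and unit are passed as separate arguments; no shell re-parsing.
    exec systemctl "$1" "$UNIT"
fi
```

With this in place the polkit rule's "program" check should point at /usr/local/sbin/manage-myservice, and a group member can only start, stop, restart or query that one unit; requests such as `disable`, `daemon-reexec` or a different unit name are rejected before systemctl is ever invoked.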
On CentOS7, action does not have access to the unit information. This was introduced on a later systemd version, v226.
https://github.com/systemd/systemd/commit/88ced61bf9673407f4b15bf51b1b408fd78c149d
I was also hit by this. You will need to allow the user to manage all units or go back to the stone age of having shell scripts on sudoers.
Also, I would like to limit non-root users to control this service who are in a specific group e.g. blah. How do I incorporate this into my rule?
Use subject.isInGroup("group").
See:
- https://wiki.archlinux.org/index.php/Polkit#Authorization_rules
- https://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html