Is it safe to allow any user to see the status of all services?

Question

I would like to allow every linux user to see the status of all systemd services.

I created these lines for the /etc/sudoers file:

ALL     ALL = NOPASSWD: /usr/bin/systemctl is-active *
ALL     ALL = NOPASSWD: /usr/bin/systemctl is-enabled *
ALL     ALL = NOPASSWD: /usr/bin/systemctl status *

Are there any security risks which I might not see at the moment?

The fact that every linux use can see the status of all services is not a security risk in my case.

Why sudo in the first place? systemctl can be run by any user, no root necessary. root access is only necessary for start/stop. — Gerald Schneider, May 30 '18 at 09:30
@GeraldSchneider thank you very much for this hint. If you write your comment as answer, then I will upvote and accept it. — guettli, May 30 '18 at 14:14

score 3 · Answer 1 · answered May 30 '18 at 10:04

3

You're doing this wrong. You should set the policies using polkit, as systemctl binary itself asks the system if user is allowed to perform an operation. E.g.

/etc/polkit-1/rules.d/50-default.rules:

polkit.addAdminRule(function(action, subject) {
    return ["unix-group:wheel"]; });

means that any user from the wheel group can do anything (including service stop/start). There are more extensive examples, questions and the code itself.

answered May 30 '18 at 10:04

Tomasz Pala

398
1
6

I am doing this wrong? – guettli May 30 '18 at 10:20
1

Yes, don't use sudo (atomic bomb) for something that is handled natively. – Tomasz Pala May 30 '18 at 10:21

score 1 · Answer 2 · answered May 30 '18 at 09:12

1

it's safe, as long as you are running a recent version of sudo, env_reset is enabled and the usual caveats

answered May 30 '18 at 09:12

Luca Gibelli

2,611
1
21
29

Is it safe to allow any user to see the status of all services?

2 Answers2