I have a non root user that I need to have able to start/stop/restart a subset of services on my system without prompting for an authorization password. Ideally I would like this done via polkit but will opt for sudo if needed. Anyway, I have seen solutions here that include adding a file to localauthority and adding a .rules file to /etc/polkit-1/rules.d which specifies the service(s) to be ran. I should mention that this is on a CentOS7 system.
However, the localauthority solution was for all services, and the .rules file solution (taken from here: systemd: Grant an unprivileged user permission to alter one specific service) will still prompt for a password, as the "manage-units" action is set to "auth_admin" in /usr/share/polkit-1/actions/org.freedesktop.systemd1.policy.
Is there any way to have polkit allow a certain user to run certain services with no password? Without needing to give that user wide open privileges for the manage-units action? I basically want conditional manage-unit privileges.
Also something interesting I've noticed: If I run this function
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.systemd1.manage-units" && subject.user == "alice")
{
return polkit.Result.YES;
}
});
It works, albeit for all services. But if I attempt to drill down the services by changing it to this:
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.systemd1.manage-units" &&
action.lookup("unit") == "example.service" &&
subject.user == "alice") {
return polkit.Result.YES;
}
});
Suddenly it prompts for a password. Not sure why it wouldn't also prompt for a password on the first function, as it's still acting according to the manage-units action.
