Systemd User – How to Start Systemd as Unprivileged User in a Group

systemd

I'd like users in group foogroup to be able to:

  • systemctl start foo.service,
  • systemctl stop foo.service,
  • systemctl status foo.service, and
  • journalctl -u foo.service

without using elevated privileges. Is that possible?

I have a systemd service which looks like: 

[Unit]
Description=foo service

[Service]
Type=simple
ExecStart=/bin/sleep infinity
User=foobot
Group=foogroup

Where foobot is a system user.

I know we can install the unit file to ~/.config/systemd/user/ to allow an unprivileged user to use systemd, but this doesn't really help a group.

Note: I plan on using cockpit so adding systemctl to /etc/sudoers isn't going to help.

Best Answer

In /etc/polkit-1/rules.d/10-myservice.rules

polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.systemd1.manage-units" && subject.isInGroup("somegroup")) {
        if (action.lookup("unit") == "foo.service") {
            var verb = action.lookup("verb");
            if (verb == "start" || verb == "stop" || verb == "restart") {
                return polkit.Result.YES;
            }
        }
    }
});
Related Topic