6

I am building a server on which my students will be able to upload their projects, which are Python+Flask web-applications. When I add a new user, I add a new service in /etc/systemd/system/[username].service, that automatically runs the user app.

I would like to allow each user to start, stop and restart his/her own service, but not the services of others. So Alice would be able to do e.g. service Alice restart and Bob will be able to do service Bob restart, but not vice-versa.

Is this possible?

2 Answers

3

This could be done with a workaround like this:

  1. Create a Bash script (executable) under /usr/local/bin for each user (called <user>.sh for example's sake).

  2. The script for each user just runs the command to restart that user's service, e.g.: systemctl restart <user>
    (If you're creative, you could add different functionality to this script to both start, stop and restart said service.)

  3. Add to the sudoers file the ability for each user to run only their own script. This is done like this (under the # User section):

    # User
    <user> ALL=(ALL:ALL) NOPASSWD: /usr/local/bin/<user>.sh
    

Now each user can run their own /usr/local/bin/<user>.sh without typing a password, and this will restart their service (or do whatever you allow the script to do).

Artur Meinild
  • 31,035
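
An added example, not part of the answer above: the same wrapper-plus-sudoers idea written as one root-owned script shared by all users, which takes the unit name from the `SUDO_USER` variable that sudo sets and accepts only start, stop and restart. The script name `svc-self`, the `students` group and the systemctl path are assumptions.

```shell
#!/bin/sh
# /usr/local/bin/svc-self (hypothetical name). Keep it owned by root and
# not writable by anyone else, since sudo runs it as root.
# Assumed sudoers rule (edit with visudo; "students" is a hypothetical group):
#   %students ALL=(root) NOPASSWD: /usr/local/bin/svc-self

# Absolute path so the caller's PATH cannot redirect the call.
# Assumption: adjust if systemctl lives elsewhere on your system.
SYSTEMCTL=/usr/bin/systemctl

# Print "<login>.service", or fail if the login is empty, starts with "-",
# or contains anything other than letters, digits, "_" and "-".
unit_for_user() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    printf '%s.service\n' "$1"
}

# Succeed only for the three actions the question asks for.
action_allowed() {
    case "$1" in
        start|stop|restart) return 0 ;;
        *) return 1 ;;
    esac
}

main() {
    # sudo sets SUDO_USER to the invoking account, so the unit is never
    # taken from the command line and Alice cannot name Bob's service.
    unit=$(unit_for_user "${SUDO_USER:-}") || {
        echo "svc-self: must be run through sudo" >&2
        return 1
    }
    action_allowed "${1:-}" || {
        echo "usage: sudo /usr/local/bin/svc-self start|stop|restart" >&2
        return 1
    }
    "$SYSTEMCTL" "$1" "$unit"
}

# Run only when an action is given, so the functions can also be sourced.
[ "$#" -eq 0 ] || main "$@"
```

With this in place Alice runs `sudo /usr/local/bin/svc-self restart` and only `Alice.service` is affected, whatever arguments she passes.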
0

Not possible currently to do on a per-unit basis, but will hopefully become possible soon when https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/154 is merged and available in a release.