When you hate something so much you have to find weird corner cases to support your views. Even then the way described isn’t how someone who knows that they are doing would do.
The best way for an unprivileged user to manage a service is for that user to run it. That way you inherit the correct permissions / acls / selinux contexts.
What if multiple users have to manage that service?
Edit: nvrmnd, pretty sure the runnit solution won’t allow this either, your answer is correct. What about while the service is already running? Wouldn’t your solution require a restart?
If the service is already running it has to be stopped as a system service and run as a user service. In order to ensure that the service inherits all the correct permissions / acls / se linux policies the service needs to be launched from the limited permissions context.
With the systemd approach you’re not just passing a control handle around. You’re ensuring the process is running under an appropriate security context.
If you want to let multiple users manage the user systems service, I would probably go with sudo and systemd user files. You could create a group which has sudo access etc. The important idea is that an unprivileged user controls an unprivileged service.
What about this makes it “the systemd approach”? runit supports user services too. These are just two different tasks that are needed in different contexts. Sometimes what you need is to “pass a control handle around” to a privileged service. And sometimes you need to actually make a service unprivileged.
pretty sure the runnit solution won’t allow this either
I’m no expert, but I think you could make a special group, set the supervise directory to be owned by that group, and add all relevant users to that group? Either way, as I explained in a different reply, running the service as a user vs letting that user control a root service are completely different things, and one is not always a substitute for the other.
Lol. Lmao even. I needed to do this because I wanted to learn the miryoku keyboard layout , and I wanted a way to quickly switch between Miryoku and standard QWERTY. The best way to do this that I could come up with was to bind a special key on my keyboard to toggle kmonad on and off. So I wrote a service for kmonad and gave my user permission to manage it. Running kmonad as my user wouldn’t work, because kmonad needs root to create a virtual input device.
Luckily, I am running Void, so the solution was a single well-documented command. Out of curiosity I decided to take a look at what this would look like on systemd distros, leading to this meme. Honestly, I had to do a double take by the time the guy started talking about Javascript.
I feel kind of useless typing this out because you’re just gonna ignore it anyway. In my post, I am talking about needing to do X. Your response is “why are you doing X, you should do Y”. Why am I not surprised that you’re a systemd user? Do you also use Gnome by any chance?
Your response is “why are you doing X, you should do Y”
Because they’re right, you shouldn’t do X. I know that’s not a satisfying answer for most people to hear, but it’s often one people need to hear.
If the process must run as root, then giving a user direct and unauthenticated control over it is a security vulnerability. You’ve created a quick workaround for your issue, and to be clear it is unlikely to realistically cause you problems individually, but on a larger scale that becomes a massive issue. A better solution is required rather than recommend everybody create a hole in their security like yours in order to do this thing.
If this is something that unprivileged users reasonably want to control, then this control should be possible unprivileged, or at least with limited privilege, not by simply granting permanent total control of a root service.
This is ultimately an upstream issue more than anything else.
Wait, aren’t most desktop environment support switching keyboard layout these days? For example, gnome can do that with super+space or via the language switcher in the top bar. Using a user service to do this seems overkill.
Hey. There is no reason to feel useless. Everyone has value. And the best part about Linux is that we all can make our own choices. If people hate systemd they don’t have to use it. That’s ok. Void linux I think is actually a pretty cool distro. It reminds me of the BSDs for some reason.
I use systemd because I like how it works and I think it’s well designed. As for desktops I am a huge fan of sway. Gnome isn’t bad on a laptop or tablet though. What do you use?
When you hate something so much you have to find weird corner cases to support your views. Even then the way described isn’t how someone who knows that they are doing would do.
The best way for an unprivileged user to manage a service is for that user to run it. That way you inherit the correct permissions / acls / selinux contexts.
The command to do so is:
systemctl --user start the_service.service
What if multiple users have to manage that service?
Edit: nvrmnd, pretty sure the runnit solution won’t allow this either, your answer is correct. What about while the service is already running? Wouldn’t your solution require a restart?
If the service is already running it has to be stopped as a system service and run as a user service. In order to ensure that the service inherits all the correct permissions / acls / se linux policies the service needs to be launched from the limited permissions context.
With the systemd approach you’re not just passing a control handle around. You’re ensuring the process is running under an appropriate security context.
If you want to let multiple users manage the user systems service, I would probably go with sudo and systemd user files. You could create a group which has sudo access etc. The important idea is that an unprivileged user controls an unprivileged service.
What about this makes it “the systemd approach”? runit supports user services too. These are just two different tasks that are needed in different contexts. Sometimes what you need is to “pass a control handle around” to a privileged service. And sometimes you need to actually make a service unprivileged.
I’m no expert, but I think you could make a special group, set the
supervisedirectory to be owned by that group, and add all relevant users to that group? Either way, as I explained in a different reply, running the service as a user vs letting that user control a root service are completely different things, and one is not always a substitute for the other.A generic stack overflow answer:
Do you REALLY need multiple users to manage that service? Maybe it’s better to have multiple instances of that service and… (This goes on and on)
Lol. Lmao even. I needed to do this because I wanted to learn the miryoku keyboard layout , and I wanted a way to quickly switch between Miryoku and standard QWERTY. The best way to do this that I could come up with was to bind a special key on my keyboard to toggle kmonad on and off. So I wrote a service for kmonad and gave my user permission to manage it. Running kmonad as my user wouldn’t work, because kmonad needs root to create a virtual input device.
Luckily, I am running Void, so the solution was a single well-documented command. Out of curiosity I decided to take a look at what this would look like on systemd distros, leading to this meme. Honestly, I had to do a double take by the time the guy started talking about Javascript.
I feel kind of useless typing this out because you’re just gonna ignore it anyway. In my post, I am talking about needing to do X. Your response is “why are you doing X, you should do Y”. Why am I not surprised that you’re a systemd user? Do you also use Gnome by any chance?
Because they’re right, you shouldn’t do X. I know that’s not a satisfying answer for most people to hear, but it’s often one people need to hear.
If the process must run as root, then giving a user direct and unauthenticated control over it is a security vulnerability. You’ve created a quick workaround for your issue, and to be clear it is unlikely to realistically cause you problems individually, but on a larger scale that becomes a massive issue. A better solution is required rather than recommend everybody create a hole in their security like yours in order to do this thing.
If this is something that unprivileged users reasonably want to control, then this control should be possible unprivileged, or at least with limited privilege, not by simply granting permanent total control of a root service.
This is ultimately an upstream issue more than anything else.
Wait, aren’t most desktop environment support switching keyboard layout these days? For example, gnome can do that with super+space or via the language switcher in the top bar. Using a user service to do this seems overkill.
Hey. There is no reason to feel useless. Everyone has value. And the best part about Linux is that we all can make our own choices. If people hate systemd they don’t have to use it. That’s ok. Void linux I think is actually a pretty cool distro. It reminds me of the BSDs for some reason.
I use systemd because I like how it works and I think it’s well designed. As for desktops I am a huge fan of sway. Gnome isn’t bad on a laptop or tablet though. What do you use?