-1

I would like to allow all users (or maybe only some of them but all would already be good) to be able to start/stop a specific systemd service.

I found the following solution 

#include <stdlib.h>
#include <unistd.h>

int main(void)
{
    execl("/usr/bin/systemctl", "systemctl", "start", "myService", NULL);
    return(EXIT_SUCCESS);
}

gcc allow.c -o allow
chown root:root allow
chmod 4755 allow

That seems to do the trick but I am wondering if this is acceptable security-wise or if there are other options (I am using CentOS 7)

Update: this is bad practice. "sudo" is your best friend here since the command has specific non variable arguments it can be allowed in the sudoers file.

Jerome WAGNER
  • 193
  • 1
  • 1
  • 8
  • 2
    Please look up `man sudo` – Sven Sep 11 '14 at 18:14
  • @SvW I knew sudo but did not know that you can impose a specific command **with arguments** in sudoers. Thanks for bringing me on the right path. – Jerome WAGNER Sep 11 '14 at 18:27
  • This took me way too long to figure out, and this closed question is a top result in google, so... If you add a line like: someuser ALL=(root) NOPASSWD: /usr/bin/systemctl restart foobar.service make sure it's near the bottom of the file; beneath lines like: %wheel ALL=(ALL) ALL sudo uses the last matching line in sudoers for your task, so if the %wheel line (requires password) was below your specific command line (allows now password), your user will still be required to enter their password if that user is in the wheel group. – bobpaul Feb 21 '15 at 17:23

2 Answers2

1

Since the command has specific arguments that are non variable, it can fit in the sudoers file.

so the answer is : man sudo

Jerome WAGNER
  • 193
  • 1
  • 1
  • 8
1

execl preserves the environment variables. A user could use environment variables to change which libraries are loaded by systemctl, they could potentially cause arbitrary code to get executed by systemctl.

kasperd
  • 30,455
  • 17
  • 76
  • 124