0

I would like to allow every linux user to see the status of all systemd services.

I created these lines for the /etc/sudoers file:

ALL     ALL = NOPASSWD: /usr/bin/systemctl is-active *
ALL     ALL = NOPASSWD: /usr/bin/systemctl is-enabled *
ALL     ALL = NOPASSWD: /usr/bin/systemctl status *

Are there any security risks which I might not see at the moment?

The fact that every linux user can see the status of all services is not a security risk in my case.

Drifter104
guettli

4 Answers

3

You're doing this wrong. You should set the policies using polkit, as the systemctl binary itself asks the system if the user is allowed to perform an operation. E.g.

/etc/polkit-1/rules.d/50-default.rules:

polkit.addAdminRule(function(action, subject) {
    return ["unix-group:wheel"];
});

means that any user from the wheel group can do anything (including service stop/start). There are more extensive examples, questions and the code itself.

Tomasz Pala
2

All your listed systemctl commands (status, is-enabled, is-active) can be invoked by any regular user, no root necessary.

You don't need sudo here.

Gerald Schneider
1

systemctl status usually invokes less which allows you to write the output under any filename and directory by using the built-in command s. If invoked via sudo this file will be created as root and can overwrite any existing file, allowing an unprivileged user to cause damage.

To go further, if your systemctl output contains valid commands, they can be run as root if this file gets created under /etc/cron.hourly, for example.

Gerald Schneider
bemyguest
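An added example, not taken from the question or any of the answers: a small audit function that reads sudoers user specifications like the three in the question and reports the points raised above (NOPASSWD, a trailing wildcard, the pager that `systemctl status` opens as root, and verbs that need no root at all). It assumes the simplified `user host = [(runas)] [TAG:] command [args]` grammar; other sudoers syntax is reported as unparsed rather than interpreted.

```python
import re

# Per the answers above, these verbs work for any user, so sudo adds nothing.
UNPRIVILEGED_SYSTEMCTL_VERBS = {"status", "is-active", "is-enabled"}
# Verbs that hand their output to a pager (less) unless --no-pager is given.
PAGER_VERBS = {"status"}

# Simplified sudoers user specification: user host = [(runas)] [TAG:]... cmd [args]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)"
    r"(?P<cmd>\S+)(?:\s+(?P<args>.*))?$"
)


def audit_sudoers_line(line):
    """Return a list of findings (strings) for one sudoers line; [] if clean."""
    line = line.strip()
    if not line or line.startswith("#") or line.startswith("Defaults"):
        return []
    m = RULE_RE.match(line)
    if not m:
        return ["unparsed line: %s" % line]
    findings = []
    tags = m.group("tags") or ""
    cmd = m.group("cmd")
    args = (m.group("args") or "").split()
    if "NOPASSWD:" in tags:
        findings.append("NOPASSWD: command runs as root without authentication")
    if any("*" in a or "?" in a for a in args):
        # sudoers(5): a wildcard in the argument list also matches spaces,
        # so the caller can append further options to the command.
        findings.append("wildcard in arguments: extra options can be appended")
    if cmd.endswith("/systemctl") and args:
        verb = args[0]
        if verb in PAGER_VERBS and "--no-pager" not in args:
            findings.append("'systemctl %s' opens a pager as root; less can "
                            "write files with its 's' command" % verb)
        if verb in UNPRIVILEGED_SYSTEMCTL_VERBS:
            findings.append("'systemctl %s' needs no root; rule is unnecessary" % verb)
    return findings


def audit_sudoers(text):
    """Audit every non-empty line of a sudoers fragment; returns {line: findings}."""
    return {ln: audit_sudoers_line(ln) for ln in text.splitlines() if ln.strip()}


if __name__ == "__main__":
    # Constructed input: the three rules from the question.
    SAMPLE = """ALL     ALL = NOPASSWD: /usr/bin/systemctl is-active *
ALL     ALL = NOPASSWD: /usr/bin/systemctl is-enabled *
ALL     ALL = NOPASSWD: /usr/bin/systemctl status *"""
    for rule, found in audit_sudoers(SAMPLE).items():
        print(rule)
        for f in found:
            print("  -", f)
```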
1

It's safe, as long as you are running a recent version of sudo, env_reset is enabled and the usual caveats.

Luca Gibelli