[Nix-dev] Setuid wrapper for bash script
Bjørn Forsman
bjorn.forsman at gmail.com
Wed Sep 14 19:38:22 CEST 2016

On 14 September 2016 at 19:29, Daniel Hlynskyi <abcz2.uprola at gmail.com> wrote:
> Hi. I want to allow some user to restart systemd service. I found that
> setuid wrappers should be used for this task. Here is what I've written:
>
> environment.systemPackages = [
> (pkgs.writeScriptBin "restart-defenders" ''
> #!${pkgs.bash}/bin/bash
> systemctl restart defenders.service
> '')
> ];
>
> security.setuidPrograms = [ "restart-defenders" ];
>
> File was created
>
> # ls -la /var/setuid-wrappers/restart-defenders
> -r-s--x--x 1 root root 12856 Sep 14 17:17
> /var/setuid-wrappers/restart-defenders
>
> But when running as normal user I get
>
> $ restart-defenders
> ==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ===
> Authentication is required to restart 'defenders.service'.
> Multiple identities can be used for authentication:
> 1. System administrator (root)
> 2: ...
>
> What am I doing wrong?

Shell scripts cannot be setuid:
http://stackoverflow.com/questions/18698976/suid-not-working-with-shell-script

Best regards,
Bjørn Forsman
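
Added example, not part of the original thread: the prompt in the quoted output is polkit asking to authorize org.freedesktop.systemd1.manage-units, so a polkit rule can grant that one operation to one user with no setuid program involved. The rule below is JavaScript as polkit rules are (loadable from /etc/polkit-1/rules.d/ or, on NixOS, through security.polkit.extraConfig). Assumptions: the user name "alice" is constructed, and the systemd version in use passes the "unit" and "verb" details to polkit.

```javascript
// Added example: polkit rule letting one user restart one unit.
// "alice" is a constructed user name; the unit name and the action id
// are the ones shown in the thread.
var ALLOWED_USER = "alice";
var ALLOWED_UNIT = "defenders.service";
var ALLOWED_VERBS = ["restart"];
var MANAGE_UNITS = "org.freedesktop.systemd1.manage-units";

// Returns "yes" to authorize, or null to leave the decision to other
// rules (which normally ends in the authentication prompt).
function decide(action, subject) {
  if (action.id !== MANAGE_UNITS) return null;
  // systemd attaches the unit name and the requested verb as details.
  if (action.lookup("unit") !== ALLOWED_UNIT) return null;
  if (ALLOWED_VERBS.indexOf(action.lookup("verb")) === -1) return null;
  if (subject.user !== ALLOWED_USER) return null;
  return "yes";
}

// Inside polkitd the global `polkit` exists and the rule is registered.
// Elsewhere (for example when checking decide() with Node.js) this
// block is skipped.
if (typeof polkit !== "undefined") {
  polkit.addRule(function (action, subject) {
    return decide(action, subject) === "yes"
      ? polkit.Result.YES
      : polkit.Result.NOT_HANDLED;
  });
}

// Constructed stand-in for polkit's Action object, for offline checks.
function fakeAction(id, details) {
  return { id: id, lookup: function (key) { return details[key]; } };
}
```

Every branch that does not match returns "not handled" rather than "no", so other units, other verbs and other users keep the default behaviour.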