[alternative found] Allow a user to start/stop a certain systemd unit

And1G · 2013-08-24 15:22:50

Hello!

I recently discovered the advantages of using Calibre to organize E-Books over a simple file system structure.
Now I came up with the idea to run the Calibre web interface on a Raspberry Pi (I know...).

But since you can't really manage the database over the web interface, I need do sync it with my computer. I do this with rsync and it works just fine with one drawback: you have to restart Calibre so that it recognizes the changes.

Calibre runs as the user "calibre". Now since I already use rsync over ssh I came up with the idea, that I could write a script that logs in as the user, stops Calibre, syncs the database, starts Calibre. But of course systemd does not let the user start/stop the corresponding unit.

To work around this, I came up with the idea of writing two scripts in /usr/local/bin/ so that the user has no write permission. One for start and one for stop, containing just "systemd start/stop calibre.service" and allowing sudo operation for the user "calibre" without password for these two files. But I am not quite sure if this could be considered as safe.
Is there an "official" way to allow a certain user to start/stop a certain unit?

Last edited by And1G (2013-09-14 11:41:15)

salafrance · 2013-09-01 18:38:50

A simple way would be to write a small C program to run systemctl setuid root.

cju · 2013-09-01 18:44:52

Perhaps this helps: https://wiki.archlinux.org/index.php/Systemd/User

firecat53 · 2013-09-01 18:54:46

Here's the service I use to run the calibre server:

[Unit]
Description=Calibre Server
After=network.target

[Service]
Type=forking
PIDFile=/run/calibre-server.pid
ExecStart=/usr/bin/calibre-server \
    --daemonize \
        --port=8888 \
    --pidfile=/run/calibre-server.pid \
        --with-library=/mnt/media/ebooks/calibre/ \
    --url-prefix /calibre
Restart=on-abort

[Install]
WantedBy=multi-user.target

Then I have a cron job (root) setup to restart calibre-server hourly:

11 * * * *      ID=restart_calibre      /usr/bin/systemctl restart calibre-server

This automatically picks up changes at most an hour later (web usage for my family is very low), and doesn't require any additional hackery to setup user-level systemd services.

Hope that helps!
Scott

And1G · 2013-09-01 20:32:25

salafrance wrote:

A simple way would be to write a small C program to run systemctl setuid root.

So perhaps like this?

#include <stdlib.h>
#include <unistd.h>

int main(void)
{
	execl("/usr/bin/systemctl", "systemctl", "start", "calibre", NULL);
	return(EXIT_SUCCESS);
}

compiled it, then "chown root:root test", "chmod u+s test" and it worked.
But is this safe? I have absolutely no knowledge about potential security issues...

I also have thought about periodically restarting calibre, but on the Raspberry Pi, with it's slow ARM, the start takes ages and the processor is completely busy with that task for some minutes.
And that's the reason why I also want to avoid starting an entire second systemd session... Or is this not that resource intensive?

nomorewindows · 2013-09-01 20:58:13

Maybe you could just use sudo.

And1G · 2013-09-01 21:44:04

Is it possible to allow "sudo systemctl start calibre" but disallow for example "sudo systemctl stop important-service"?
Or do you mean I could write two scripts containing the two commands and whitelist them for sudo without password?

Raynman · 2013-09-01 21:59:39

And1G wrote:

Is it possible to allow "sudo systemctl start calibre" but disallow for example "sudo systemctl stop important-service"?
Or do you mean I could write two scripts containing the two commands and whitelist them for sudo without password?

Yes, you can specify the exact arguments or some kind of pattern. If you also limit this to one user, this is better than your own primitive setuid binary. Using scripts just complicates matters -- adds more files to maintain and secure.

nomorewindows · 2013-09-01 22:15:38

I use sudo to ran pacman/yaourt.

progandy · 2013-09-01 23:00:21

You should try the --auto-reload option first. It should refresh the db if the timestamp of metadata.db changes.

Edit: You might also want to try COPS: http://blog.slucas.fr/en/oss/calibre-opds-php-server

Last edited by progandy (2013-09-01 23:10:22)

cookies · 2013-09-02 17:16:51

And1G wrote:

To work around this, I came up with the idea of writing two scripts in /usr/local/bin/ so that the user has no write permission. One for start and one for stop, containing just "systemd start/stop calibre.service" and allowing sudo operation for the user "calibre" without password for these two files. But I am not quite sure if this could be considered as safe.

I have set up sudo so I can run sudo cpupower and sudo vbetool without password. You can do the same for your two scripts in /usr/local/bin if you want to work with sudo, just check the man page. And as long as no one can make unauthorized changes to your scripts it should be safe.

And1G · 2013-09-14 11:40:44

progandy wrote:

You should try the --auto-reload option first. It should refresh the db if the timestamp of metadata.db changes.

This solution works! Thank you, I did not know this switch.

progandy wrote:

Edit: You might also want to try COPS: http://blog.slucas.fr/en/oss/calibre-opds-php-server

I will try this out when I have some spare time.

Arch Linux

#1 2013-08-24 15:22:50

[alternative found] Allow a user to start/stop a certain systemd unit

#2 2013-09-01 18:38:50

Re: [alternative found] Allow a user to start/stop a certain systemd unit

#3 2013-09-01 18:44:52

Re: [alternative found] Allow a user to start/stop a certain systemd unit

#4 2013-09-01 18:54:46

Re: [alternative found] Allow a user to start/stop a certain systemd unit

#5 2013-09-01 20:32:25

Re: [alternative found] Allow a user to start/stop a certain systemd unit

#6 2013-09-01 20:58:13

Re: [alternative found] Allow a user to start/stop a certain systemd unit

#7 2013-09-01 21:44:04

Re: [alternative found] Allow a user to start/stop a certain systemd unit

#8 2013-09-01 21:59:39

Re: [alternative found] Allow a user to start/stop a certain systemd unit

#9 2013-09-01 22:15:38

Re: [alternative found] Allow a user to start/stop a certain systemd unit

#10 2013-09-01 23:00:21

Re: [alternative found] Allow a user to start/stop a certain systemd unit

#11 2013-09-02 17:16:51

Re: [alternative found] Allow a user to start/stop a certain systemd unit

#12 2013-09-14 11:40:44

Re: [alternative found] Allow a user to start/stop a certain systemd unit

Board footer