Is it possible to prevent systemctl from asking for authentication if the operation requires root permissions? For example, current behavior:
[dimich@dimich ~]$ systemctl stop cups
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ====
Authentication is required to stop 'cups.service'.
Authenticating as: root
Password:
I would like systemctl just to fail with some error message and non-zero exit status.
Last edited by dimich (2025-03-25 22:42:32)
--no-ask-password
Do not query the user for authentication for privileged operations.
read the
man systemctl
--no-ask-password Do not query the user for authentication for privileged operations.
Thank you for the answer. Sorry, I didn't specify that I want it without additional command line options. Of course, it is possible to make a shell alias like systemctl='systemctl --no-ask-password'. However, I thought it should be some PAM or D-Bus related global option.
It appears that there's no configuration option for this, just the command line parameter.
You could modify the source and recompile systemd.
Inofficial first vice president of the Rust Evangelism Strike Force
Thank you for the answer. Sorry, I didn't specify that I want it without additional command line options. Of course, it is possible to make a shell alias like systemctl='systemctl --no-ask-password'. However, I thought it should be some PAM or D-Bus related global option.
OK, I see that's a bit beyond what I know. Maybe someone else can help. Good luck.
Last edited by saf1 (2025-03-25 21:44:23)
Managed to get the desired behavior with a polkit rule. I created /etc/polkit-1/rules.d/10-no-user-systemctl.rules:
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.systemd1.manage-units" ||
        action.id == "org.freedesktop.systemd1.manage-unit-files" ||
        action.id == "org.freedesktop.systemd1.set-environment" ||
        action.id == "org.freedesktop.systemd1.reload-daemon" ||
        action.id == "org.freedesktop.systemd1.bypass-dump-ratelimit")
    {
        return polkit.Result.NO;
    }
});
Not sure if it doesn't break something else but it works:
[dimich@dimich ~]$ systemctl stop cups
Failed to stop cups.service: Access denied
See system logs and 'systemctl status cups.service' for details.
You could modify the source and recompile systemd.
Yep, source modification is always a working solution, but a last resort.
Thanks for the suggestion to take a look into the sources; from there I figured out that it uses polkit, not PAM.
Not sure if it doesn't break something else
You have tested root can still use those commands?
(If you use the wheel or sudo group you should also test that).
Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.
clean chroot building not flexible enough ?
Try clean chroot manager by graysky
You have tested root can still use those commands?
Sure, systemctl managing commands work fine with sudo. As far as I know, polkit is involved for unprivileged users only.
Last edited by dimich (2025-03-26 14:05:55)
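An added example, not code from any poster in this thread: a variant of the rule above that denies the same five actions without a prompt, but leaves members of one group to polkit's default handling and logs each denial through polkit.log. The names pk, NO_PROMPT_ACTIONS, PROMPT_GROUP and decide, the choice of the wheel group, and the sample subjects are assumptions; the pk stand-in exists only so the file can be dry-run outside polkitd.

```javascript
// Stand-in so the file also runs outside polkitd (e.g. under node), where no
// global `polkit` object exists. Inside polkitd the real object is used.
var pk = (typeof polkit !== "undefined") ? polkit : {
    Result: { NO: "no" },
    log: function (msg) { console.log("polkit.log: " + msg); },
    addRule: function () {}
};

// The five action ids from the rule posted in the thread.
var NO_PROMPT_ACTIONS = [
    "org.freedesktop.systemd1.manage-units",
    "org.freedesktop.systemd1.manage-unit-files",
    "org.freedesktop.systemd1.set-environment",
    "org.freedesktop.systemd1.reload-daemon",
    "org.freedesktop.systemd1.bypass-dump-ratelimit"
];

// Assumption: members of this group keep the default password prompt.
var PROMPT_GROUP = "wheel";

function decide(action, subject) {
    if (NO_PROMPT_ACTIONS.indexOf(action.id) === -1) {
        return undefined;   // not one of the listed actions: later rules and defaults decide
    }
    if (subject.isInGroup(PROMPT_GROUP)) {
        return undefined;   // no decision here, so the usual authentication prompt stays
    }
    // systemd passes "verb" and "unit" details for manage-units; they are
    // undefined for the other actions.
    pk.log("denied " + action.id + " user=" + subject.user +
           " verb=" + action.lookup("verb") + " unit=" + action.lookup("unit"));
    return pk.Result.NO;    // fail immediately instead of asking for a password
}

pk.addRule(decide);

// Dry run with constructed subjects and actions, only outside polkitd.
if (typeof polkit === "undefined") {
    var sampleStop = {
        id: "org.freedesktop.systemd1.manage-units",
        lookup: function (k) { return { verb: "stop", unit: "cups.service" }[k]; }
    };
    var sampleUser = { user: "dimich", isInGroup: function () { return false; } };
    var sampleAdmin = { user: "admin", isInGroup: function (g) { return g === "wheel"; } };
    console.log(decide(sampleStop, sampleUser), decide(sampleStop, sampleAdmin));
}
```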