You are on a CentOS server, connected as a non-root user, for example here as the user owner of the tomcat installation folder, let’s call it mytomcatuser.

And when you want to stop tomcat using the systemd tomcat.service then you get an authentication request:?

systemctl stop tomcat
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ====
Authentication is required to stop 'tomcat.service'.
Authenticating as: macgiver
Password: Failed to stop tomcat.service: Connection timed out
See system logs and 'systemctl status tomcat.service' for details.

Either your user is one of the sudo users, but this would not be top security, it would mean that whoever accesses this user has the ability to perform root actions.

But if this is the case, to lift this authentication request just do :

sudo systemctl stop tomcat

Now, if your server is well secured then your user is not a sudo user, and you will need to add a new PolicyKit to Polkit.

First of all you can see that Polkit causes this authentication request:

vim /usr/share/polkit-1/actions/org.freedesktop.systemd1.policy

You get an XML content in which you find the action policy for systemd services:

<action id="org.freedesktop.systemd1.manage-units">
                <description gettext-domain="systemd">Manage system services or other units</description>
                <message gettext-domain="systemd">Authentication is required to manage system services or other units.</message>
                <defaults>
                        <allow_any>auth_admin</allow_any>
                        <allow_inactive>auth_admin</allow_inactive>
                        <allow_active>auth_admin_keep</allow_active>
                </defaults>
        </action>

We will now create a new rule in Polkit to allow your user mytomcatuser.

vim /etc/polkit-1/rules.d/57-manage-units.rules
// Allow mytomcatuser to manage tomcat.service;
// fall back to implicit authorization otherwise.
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.systemd1.manage-units" &&
        action.lookup("unit") == "tomcat.service" &&
        subject.user == "mytomcatuser") {
        return polkit.Result.YES;
    }
});

And that’s it, the systemctl stop tomcat command executed by mytomcatuser will no longer require authentication 🙂

Partager sur les réseaux