13

I have a service in linux called appSevice When I start and stop with these commands, it works:

sudo systemctl start appSevice.service;
sudo systemctl stop  appSevice.service;

But when I try to execute these from JAVA code, for example:

Runtime.getRuntime().exec(new String[]{"systemctl", "stop", "appService.service"});

...it doesn't work and I get this error:

>  Failed to stop appService.service: Interactive authentication required

Here's my service :

[Service]
Type=simple
ExecStart=/opt/soft/v1/launchAppService.ksh start
User=Jms-User
Restart=on-abort

Is there a way to avoid this error and run the service without providing a password?

Improve this question
1
  • You could probably add an appropriate entry into '/etc/sudoers' Commented Aug 26, 2020 at 14:50

2 Answers 2

Reset to default
15

There are three ways to do it:

  1. Put appService.service in ~/.config/systemd/system/ and remove the User= line. Then you can control it with:
systemctl --user start appService.service
systemctl --user stop appService.service
  1. Add a polkit rule. I think this question is very close to what you're looking for: systemd start as unprivileged user in a group. If you are on debian/ubuntu (polkit < 106), then this would work:
/etc/polkit-1/localauthority/50-local.d/service-auth.pkla
---
[Allow yourname to start/stop/restart services]
Identity=unix-user:youname
Action=org.freedesktop.systemd1.manage-units
ResultActive=yes

If you are on Arch/Redhat (polkit >= 106), then this would work:

/etc/polkit-1/rules.d/service-auth.rules
---
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.systemd1.manage-units" &&
        subject.user == "yourname") {
        return polkit.Result.YES;
    } });
  1. sudo. I'm not a big fan of this because sudo shouldn't need to rely on a NOPASSWD: configuration and I don't feel that it's designed to be invoked indirectly. That's what polkit is designed for.
/etc/sudoers.d/sysctl
---
youname ALL = NOPASSWD: /bin/systemctl

If this is for software you plan to distribute, I'd definitely go with the polkit solution and do it per group (per the linked answer). It means you don't have to hard-code a username, instead add whichever users you like to that group to get the functionality.

Improve this answer
2
  • For Ubuntu (polkit < 106) I have to add: ResultAny=yes and ResultInactive=yes to service-auth.pkla file Commented Mar 14, 2024 at 14:35
  • 1
    You don't want this user to have unrestricted access to systemctl for (3), so put in the entire command line, instead of just /usr/bin/systemctl. Commented Jun 13, 2024 at 17:21
4

Maybe you should create a unit from a user?

systemctl edit --user --force --full myNewUnit

A new file will open in the editor ~/.config/systemd/user/myNewUnit.service Insert content, save and work with it without root rights

systemctl enable --user myNewUnit
systemctl start --user myNewUnit
systemctl status --user myNewUnit

Or if you need to edit than open without --force

systemctl edit --user --full myNewUnit

I hope I haven't messed up anything and it will be useful

Improve this answer
1
  • In fact, a temporary file is opened in the editor. During saving its correctness is checked and then the final unit file is created Commented Oct 21, 2020 at 12:08

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.