0

I want to create a systemd service that will reboot --force my system whenever the GPU falls off the bus. I wrote a dedicated script for that purpose (/home/heinwol/.local/bin/reboot_after_gpu_breaks.sh). However, I don't quite understand how users and permissions work in Linux, hence my solution doesn't work.

First of all, I appended the following line to the sudoers file:

ALL ALL=(ALL:ALL) NOPASSWD:/home/heinwol/.local/bin/reboot_after_gpu_breaks.sh

Ownership and permissions of this script are shown below:

$ ls -l reboot_after_gpu_breaks.sh
-rwsr-xr-x 1 root root 384 окт 10 14:57 reboot_after_gpu_breaks.sh

And it works in the sense that I can simply run it as a regular user without sudo. However, I cannot make it work with systemd.

More precisely, I have the following user service:

[Unit]
Description=Reboot the system when gpu falls off the bus

[Service]
Type=simple
User=heinwol
Group=heinwol
StandardOutput=journal
ExecStart="/home/heinwol/.local/bin/reboot_after_gpu_breaks.sh"

[Install]
WantedBy=default.target

When I enable this service, it shouts:

окт 10 15:28:02 heinwol-lenovo systemd[1322]: Started Reboot the system when gpu falls off the bus.
окт 10 15:28:02 heinwol-lenovo systemd[3287]: reboot_after_gpu_breaks.service: Failed to determine supplementary groups: Operation not permitted
окт 10 15:28:02 heinwol-lenovo systemd[3287]: reboot_after_gpu_breaks.service: Failed at step GROUP spawning /home/heinwol/.local/bin/reboot_after_gpu_breaks.sh: Operation not permitted
окт 10 15:28:02 heinwol-lenovo systemd[1322]: reboot_after_gpu_breaks.service: Main process exited, code=exited, status=216/GROUP
окт 10 15:28:02 heinwol-lenovo systemd[1322]: reboot_after_gpu_breaks.service: Failed with result 'exit-code'.

What am I doing wrong?

1 Answer

1

What is actually happening is a security feature from systemd to prevent you from using setuid in services. If you add NoNewPrivileges=false to your service file it should work properly.

However, I cannot recommend that you use setuid, as it is a major security flaw.

Could you not put your service under root?

It helps avoid a security flaw, and even if you need to run some things in your script as a user, it is better to just switch user in a service run as root for these tasks rather than using setuid. You can even remove your sudo rule in this case.

2
  • Thanks a lot for your answer! Though I didn't manage to make it work with just putting NoNewPrivileges=false into my service file, it seems like it's a bit more complex task. Anyways, I decided to make a system service which, of course, works. The problem now is that I want this service to be active only when my user's session is active. Commented Oct 15, 2022 at 12:44
  • 1
    There is no easy way to do that. You could try to check in your script if your user is running and if not put a sleep in there to reduce load. (Though load would be irrelevant.) Commented Oct 20, 2022 at 21:51
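
The answer's suggestion of putting the service under root, written out as a system unit. This is an added example, not part of the original answer or comments. The path /usr/local/sbin/reboot_after_gpu_breaks.sh, the two hardening directives and UID 1000 are assumptions.

```ini
# /etc/systemd/system/reboot_after_gpu_breaks.service
# A system unit (managed by PID 1), not a user unit under ~/.config/systemd/user.

[Unit]
Description=Reboot the system when gpu falls off the bus
# Optional, assumes the login user has UID 1000: start and stop this unit
# together with that user's service manager, which exists only while the
# user has a session (or lingering enabled).
#BindsTo=user@1000.service
#After=user@1000.service

[Service]
Type=simple
# No User=/Group= lines: a system unit runs as root by default, so the script
# needs neither the setuid bit nor the NOPASSWD sudoers rule.
# Assumed path: a root-owned copy (root:root, mode 0755) outside any home
# directory, so that no unprivileged user can replace what root executes.
ExecStart=/usr/local/sbin/reboot_after_gpu_breaks.sh
StandardOutput=journal
# Assumed hardening; the script itself is not shown on the page, so relax
# these if it needs more access.
NoNewPrivileges=yes
ProtectHome=yes

[Install]
WantedBy=multi-user.target
# With the optional BindsTo= above, use instead:
#WantedBy=user@1000.service
```

Once the unit is in place, clear the setuid bit on the old script and delete the sudoers line, then run systemctl daemon-reload and systemctl enable --now reboot_after_gpu_breaks.service as root.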
