44

I have a strange issue: whenever I try to stop/start a daemon as a regular user, it asks to authenticate with the credentials of another regular user - for example:

[bob@server ~]$ systemctl stop some-daemon.service
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ===
Authentication is required to manage system services or units.
Authenticating as: alice
Password: 

Why is it asking for alice to authenticate when bob is logged in, and how do I fix this?

10
  • What does the service config file look like?
    – Jenny D
    Commented Mar 29, 2017 at 14:02
  • @JennyD: Where is the file location of the config? Commented Mar 29, 2017 at 14:05
  • What do you want? Do you want to start a separate copy of the service for each user? E.g. start own VNC-daemon for alice and own VNC-daemon for bob? Commented Mar 29, 2017 at 15:25
  • @AlexanderT: Each user needs to have their own vncserver, that's how it's designed, so yes - that is more or less it. Bob isn't running a vnc server though, he's running something unrelated, yet when he tries to start it systemctl asks for alice's password... ( shrug ). Commented Mar 29, 2017 at 17:47
  • @JackO'Leary, you could try to use systemd --user as it is described in this article. Otherwise, you could give sudo to each user for the required services. Commented Mar 29, 2017 at 20:03

4 Answers

20

Your system is using the polkit Authorization Manager and the message is from the file /usr/share/polkit-1/actions/org.freedesktop.systemd1.policy. polkit can be configured in /etc/polkit-1 and /usr/share/polkit-1 directories, more specifically in the rules.d and actions subdirectories. See the Polkit man page for more information.

In short, the call being made is receiving a response to authenticate as an admin ( auth_admin, auth_admin_keep in manpage ).

In CentOS 7, the /etc/polkit-1/rules.d/50-default.rules file specifies an addAdminRule definition that returns users in the wheel group to authenticate as. All users in the wheel group would be presented as users to select when authentication is required. If Alice was the only user in the wheel group, this would automatically present Alice based on the rule.

Assuming Alice was not in the wheel group, this would suggest that there would be some other definitions of addAdminRule in the rules file paths that allow Alice to be presented as an admin to authenticate as when a request returns an AUTH_ADMIN/AUTH_ADMIN_KEEP response.

6
  • 1
    From the documentation: "polkit allows users to obtain temporary authorization through authenticating either an administrative user or the owner of the session the client belongs to." Maybe this can give a clue to why it is asking for alice's password. Commented Mar 29, 2017 at 14:35
  • I think you're onto something here, although I'm still completely lost on where to remove the rule or whatever it is of the other user that keeps asking to authenticate. I looked in both of those directories and even did a grep for "alice" and nothing was returned. Commented Mar 29, 2017 at 14:37
  • You said earlier that you did a su - alice before starting the vnc daemon. I guess that makes alice the "owner of the session the client belongs to". Commented Mar 29, 2017 at 14:46
  • What doesn't make sense though was that it was only done for one service, which was then stopped and the user logged out. The other service for bob shouldn't have anything to do with alice as it was something completely different — It's very strange ... I wouldn't mind disabling polkit altogether if this is what its normal behavior is like. Commented Mar 29, 2017 at 14:51
  • You can find out who the owner of the session is with the loginctl command. This could confirm or disprove my theory that polkit is asking the owner of the session to authenticate. I really can't say why alice is the owner in this case. Commented Mar 29, 2017 at 18:26
17

When managing system services, you need to do it as root, not as a normal user. This is indicated by the $ character at the end of the shell prompt.

You can either use the sudo command or switch to root (a root shell is usually indicated by the # char).

2
  • 2
    Even if I'm doing it as root it asks for the normal user's authentication. Basically the root user did su - alice, then systemctl to start their vnc daemon, but now it asks for their authentication for every systemctl no matter what it is... Commented Mar 29, 2017 at 13:51
  • I got the error message when I typed '/etc/init.d/munge start'. Adding sudo fixed it. Thanks!
    – fchen
    Commented Jul 22, 2018 at 18:25
7

As already answered, this message comes from the Polkit Authorization Manager, which is, in simple words, a systemd way of controlling who can do what, including managing systemd services.


For OP the right solution is to configure the service to be a user-level systemd service.


But in case of system-level services here is what you should do:

Add a rule for Polkit that would allow your user to manage the service, like this:

cat > /etc/polkit-1/rules.d/10-some-daemon.rules << POLKIT
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.systemd1.manage-units" &&
        action.lookup("unit") == "some-daemon.service" &&
        subject.user == "bob") {
        return polkit.Result.YES;
    }
});
POLKIT

...buuuuuut with systemd v219 in CentOS 7, action does not have access to the unit! This has been added in v226... So you would need to allow the user to manage all units, which is most probably not what you should do...


Therefore I suggest you switch to plain old sudo to allow your users to manage the services, for example:

cat > /etc/sudoers.d/some-daemon << SUDO
bob ALL= NOPASSWD: /bin/systemctl restart some-daemon.service
bob ALL= NOPASSWD: /bin/systemctl stop some-daemon.service
bob ALL= NOPASSWD: /bin/systemctl start some-daemon.service
SUDO

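Added example, not part of any answer and not polkit's own code: a small JavaScript model of the rule chain that ties together the addAdminRule explanation in the first answer and the per-unit rule in the answer above. It assumes alice is the only member of wheel (constructed data) and that systemd v219 passes no "unit" detail, as that answer describes; makePolkit, manageUnits and scenario are hypothetical names.

```javascript
// Minimal model of polkit's rule chain (illustration only, not polkit itself).
// It handles only "rule says YES" versus "no rule matched".
function makePolkit(groups) {
  const rules = [], adminRules = [], YES = "yes";
  const firstResult = (fns, action, subject) => {
    for (const fn of fns) {                 // called in the order they were added
      const r = fn(action, subject);
      if (r !== undefined && r !== null) return r;   // first returned value wins
    }
    return null;
  };
  return {
    Result: { YES },
    addRule: (fn) => rules.push(fn),
    addAdminRule: (fn) => adminRules.push(fn),
    // Returns what the caller would experience for this request.
    check(action, subject) {
      if (firstResult(rules, action, subject) === YES)
        return { allowed: true, authenticateAs: [] };
      // No rule matched: the action's default applies, which for manage-units
      // is admin authentication; the admin rules decide whose password is asked.
      const ids = firstResult(adminRules, action, subject) || [];
      const users = ids.flatMap((id) => {
        const [kind, name] = id.split(":");
        return kind === "unix-group" ? groups[name] || [] : [name];
      });
      return { allowed: false, authenticateAs: [...new Set(users)] };
    },
  };
}
// The action as seen by a rule; lookup() yields undefined for a missing detail.
const manageUnits = (details) => ({
  id: "org.freedesktop.systemd1.manage-units",
  lookup: (key) => details[key],
});
function scenario(details, user) {
  const polkit = makePolkit({ wheel: ["alice"] });   // constructed membership
  polkit.addRule(function (action, subject) {        // rule from the answer above
    if (action.id == "org.freedesktop.systemd1.manage-units" &&
        action.lookup("unit") == "some-daemon.service" &&
        subject.user == "bob") {
      return polkit.Result.YES;
    }
  });
  polkit.addAdminRule(() => ["unix-group:wheel"]);   // as in 50-default.rules
  return polkit.check(manageUnits(details), { user });
}
console.log(scenario({ unit: "some-daemon.service" }, "bob")); // detail present
console.log(scenario({}, "bob"));                              // no unit detail
```

In the second call the per-unit rule never matches because the unit detail is missing, so the request falls back to admin authentication and the only wheel member is offered, even though no rules file mentions alice by name.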
3

Check /etc/groups and sudoers rule. This can happen if a person added themselves to the wheel group and became root that way.
