
Basically, without giving the user any new permissions, I am looking to be able to write to

/sys/bus/usb/drivers/usb/unbind

and

/sys/bus/usb/drivers/usb/bind

via a systemd service running as the user and with a group.

I want to only add the necessary permissions to the group or the service, not the user.

The issue is that currently sudoers file does not work with systemd services that way.

When running sudo via sudoers file, since sudo-rs I believe, it will require PAM, which is not loaded when running a systemd service.

Thus, using sudo inside the service, even if it has the right group that is required by the custom sudoers line, it will not work and do a couple authentication retries and then move on.

From what I understand, sudo-rs does not currently support PAMless.

A udev rule could also do.

The goal is to unbind and rebind a device after grabbing the device file's events, that way any pressed keys will unpress in the unbind and prevent stuck keys in the usb stack.

Thx~

2 Answers

When running sudo via sudoers file, since sudo-rs I believe, it will require PAM, which is not loaded when running a systemd service.

That's not how it works. Sudo's usage of PAM is completely independent of the surrounding PAM session created at login time. That is, it doesn't try to call "up" to any existing PAM environment – instead it practically creates a second nested PAM environment (with a slightly different configuration, e.g. usually it doesn't call the "systemd session" module due to being nested).

PAM as a whole isn't really something that remains "loaded", anyway. Specific PAM modules might do such things, e.g. systemd-logind "sessions", but they're outside of PAM proper, as well as being modular so that merely "having PAM" doesn't automatically mean there will be systemd-logind and all that.

Thus, using sudo inside the service, even if it has the right group that is required by the custom sudoers line, it will not work and do a couple authentification retries and then move on.

No – it will not work because a service can't answer the interactive authentication prompts. There's no keyboard input which sudo expects to receive.

Configuring a command with NOPASSWD: makes sudo skip the 'authentication' PAM stage, which makes it work from within services.

(It'll still use PAM to verify authorization and set up environment, both of which are non-interactive stages.)

  • Well somehow, my service (a C++ process running as a user but with an additional group) does not succeed at using the sudoers lines crafted for the group. It does 3 authentication retries and fails because no tty. I thought the name of the auth process/tool was pam but I really do not know everything about sudo or sudo-rs. Commented Nov 6 at 16:54
  • Do those sudoers lines have NOPASSWD:? Commented Nov 6 at 17:10

As the question title is about a non-root service I guess you are not limited to using sudo.

I suggest you

  1. start the service as root
  2. open a file descriptor for each of these files (in shell exec 3>/sys/bus/usb/drivers/usb/unbind)
  3. drop the root privileges (e.g. with exec setpriv --reuid user --regid group /path/to/main-programm)
  4. write to the file descriptors from the unprivileged process (in shell echo foo >&3)

  • Very nice, didn't know we could do that. I'll just have to confirm if I can use an EnvFile for the main process still, or if you happen to know, how can I run "main process" with the $USER's environment in real time. (That would be an upgrade to my current EnvFile method). Thx Commented Nov 6 at 16:50
  • @CamilleGuay setpriv does not reset the environment (unless you explicitly request that) so that should be fine. Commented Nov 6 at 22:32
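The four steps of this answer put together as an added example (not code from the answer or the asker): the control files are opened while still root, setpriv drops to the service user and group, and the now-unprivileged process writes through the inherited descriptors. The user name, group name, script name and the bus id "1-1.4" are placeholders; `--init-groups` is a setpriv option not mentioned in the answer.

```shell
#!/bin/sh
# Added example: open the sysfs control files as root, drop privileges
# with setpriv, then unbind/bind through the inherited descriptors.
# Usage (as root, e.g. from ExecStart=): sh rebind.sh run 1-1.4
# RUN_USER, RUN_GROUP and the bus id are placeholders, not real values.
set -eu

RUN_USER=${RUN_USER:-user}      # assumed service user
RUN_GROUP=${RUN_GROUP:-group}   # assumed extra group for the service
UNBIND=/sys/bus/usb/drivers/usb/unbind
BIND=/sys/bus/usb/drivers/usb/bind

# Step 2: open both attribute files for writing. The permission check
# happens at open() time, so the descriptors stay usable after the
# uid/gid change; the paths are parameters so the function is testable.
open_usb_control_fds() {
    exec 3>"$1" 4>"$2"
}

# Step 4: the unprivileged side writes the device's bus id (constructed
# example: "1-1.4") to the inherited descriptors. Each write() is a
# separate sysfs store, so nothing has to be reopened between them.
rebind_device() {
    printf '%s\n' "$1" >&3    # detach the usb driver from the device
    printf '%s\n' "$1" >&4    # reattach it; the kernel sees fresh key state
}

case "${1:-}" in
    run)    # Steps 1-3: started as root, drops to user/group via setpriv
        [ "$(id -u)" -eq 0 ] || { echo "run mode needs root" >&2; exit 1; }
        open_usb_control_fds "$UNBIND" "$BIND"
        # exec keeps fds 3 and 4 across the privilege drop. In a real unit
        # the worker would be the service binary instead of this script.
        exec setpriv --reuid "$RUN_USER" --regid "$RUN_GROUP" \
            --init-groups sh "$0" worker "$2"
        ;;
    worker) # Step 4: unprivileged now, fds 3 and 4 were inherited
        rebind_device "$2"
        ;;
esac
```

With a real unit, `ExecStart=` would run the `run` mode and `User=` must be left unset, since the privilege drop happens inside the script after the files are opened.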
