// polkit rule granting the `sando` user permission to START the self-update
// template unit — and nothing else.
//
// Install at /etc/polkit-1/rules.d/10-sando-update.rules.
//
// Why this exists: sandod runs as an unprivileged user and kicks off a
// controller self-deploy with `systemctl start sando-update@<sha>`. That bus
// call is gated by the org.freedesktop.systemd1.manage-units action, which
// this rule answers YES to only when all three of the following hold:
//   * the caller is the `sando` user,
//   * the requested verb is `start` (not stop/restart/reload/...),
//   * the unit name begins with `sando-update@`.
// Any other combination returns nothing from this rule, so polkit falls
// through to the remaining rules and then the system default policy, which
// denies an unprivileged caller. enable/disable are gated by a different
// action (org.freedesktop.systemd1.manage-unit-files) and never match here.
//
// NOTE(review): the instance name after `@` is not validated beyond the
// prefix. If the template unit expands %i/%I into a command line, the
// template must treat that string as untrusted; tightening this rule to the
// expected <sha> shape (e.g. hex digits plus `.service`) would shrink that
// surface — confirm the instance format before doing so.
//
// Deliberately plain ES5 (`var`, `function`, no `startsWith`): polkit
// evaluates rules with its own embedded JavaScript engine.
polkit.addRule(function(action, subject) {
    var MANAGE_UNITS = "org.freedesktop.systemd1.manage-units";
    var UNIT_PREFIX = "sando-update@";

    // Wrong action or wrong caller: say nothing and let polkit move on.
    if (action.id !== MANAGE_UNITS || subject.user !== "sando") {
        return;
    }

    // systemd attaches the target unit and the operation as action details.
    var requestedUnit = action.lookup("unit");
    var requestedVerb = action.lookup("verb");

    // Only `start` is bridged; every other verb falls through to default policy.
    if (requestedVerb !== "start") {
        return;
    }

    // Missing or non-matching unit name: fall through as well.
    if (!requestedUnit ||
        requestedUnit.substring(0, UNIT_PREFIX.length) !== UNIT_PREFIX) {
        return;
    }

    return polkit.Result.YES;
});