<h1>Using polkit to allow non-priv user to restart service</h1>

<p>Posted 2026-04-28 at <a href="https://www.rushworth.us/lisa/?p=12192">https://www.rushworth.us/lisa/?p=12192</a>. Category: system administration. Tags: fedora, linux, polkit, redhat, systemctl.</p>

<p>As I work through automating certificate installation, most applications have a &#8220;service account&#8221; user that has write access to the SSL certificate files. However, that user does <em>not</em> generally have permission to restart the application service.</p>

<p>We <em>could</em> add the ID to sudoers with specific rights to manage the service, but it seemed more straightforward to use polkit. Its rules give very granular control: the service account can be permitted to run specific systemctl verbs against one specific unit, and nothing else, without a sudo entry.</p>

<p>When a non-root user runs <code>systemctl start</code>, <code>stop</code> or <code>restart</code>, systemd asks polkit to authorize the <code>org.freedesktop.systemd1.manage-units</code> action and attaches the unit name and the verb as details of the request. The following rule allows the &#8220;tomcatadmin&#8221; user to run systemctl <em>start, stop, or restart</em> with the apache-tomcat.service unit. Any request that does not match (another user, another unit, or another verb such as <code>kill</code>) falls through to the remaining rules and the default policy, because the function returns no result, so nobody else&#8217;s access changes. Note that <code>systemctl enable</code>/<code>disable</code> and <code>daemon-reload</code> are separate polkit actions (<code>manage-unit-files</code> and <code>reload-daemon</code>) and are not granted by this rule. The file must be written as root; polkit processes rules files in lexical filename order, and the first rule that returns a result decides. JavaScript rules files require the rules engine introduced in polkit 0.106, which Fedora and RHEL 7 and later ship.</p>

<div class="wp-block-syntaxhighlighter-code "><pre class="brush: bash; title: ; notranslate" title="">
cat &gt; /etc/polkit-1/rules.d/60-apache-tomcat-tomcatadmin.rules &lt;&lt;'EOF'
polkit.addRule(function(action, subject) {
    // Only systemd's "manage units" action carries the unit/verb details
    if (action.id == "org.freedesktop.systemd1.manage-units") {
        var unit = action.lookup("unit");
        var verb = action.lookup("verb");

        // Exact user, exact unit, and only the three verbs we need
        if (subject.user == "tomcatadmin" &amp;&amp;
            unit == "apache-tomcat.service" &amp;&amp;
            (verb == "start" || verb == "stop" || verb == "restart")) {
            return polkit.Result.YES;
        }
    }
    // No return value: fall through to later rules and the default policy
});
EOF
</pre></div>

<p>polkitd watches the rules directory and loads the new file automatically. Before relying on it, test from the tomcatadmin account that a restart of the unit succeeds without an authentication prompt, and check the journal for polkitd reporting a compile error in the file: a rules file it cannot parse is logged and skipped rather than partially applied, which silently leaves the service account without the permission.</p>
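The rule in the post is a single-user, single-unit allow. As an added example (not code from the original post), the following generalizes it to a group and a per-unit allowlist of verbs, and pairs it with a small stand-in for the loop polkitd runs over loaded rules, so the policy can be unit-tested offline before the file is dropped into /etc/polkit-1/rules.d. The group name svc-restart, the nginx.service entry, the test cases and the harness itself are assumptions for illustration; only the text inside RULES_SOURCE would be installed on a host.

```javascript
// Added example, not from the original post: the post's rule generalized to
// a group and a per-unit verb allowlist, plus a stand-in for polkitd's rule
// evaluation so the policy can be tested offline. Group "svc-restart", the
// nginx.service entry and the harness are assumptions for illustration.

// Kept to ES5 syntax (var, indexOf, hasOwnProperty): polkitd's embedded
// JavaScript engine does not accept newer syntax. This text is what would be
// written to /etc/polkit-1/rules.d/60-service-restart.rules.
const RULES_SOURCE = `
polkit.addRule(function (action, subject) {
    // Other actions (manage-unit-files for enable/disable, reload-daemon for
    // daemon-reload, ...) are deliberately left to the default policy.
    if (action.id != "org.freedesktop.systemd1.manage-units") {
        return;
    }
    var unit = action.lookup("unit");   // undefined if the detail is absent
    var verb = action.lookup("verb");

    // Per-unit allowlist of systemctl verbs (assumed units and verbs)
    var allowed = {
        "apache-tomcat.service": ["start", "stop", "restart"],
        "nginx.service":         ["reload"]
    };

    if (subject.isInGroup("svc-restart") &&
        allowed.hasOwnProperty(unit) &&
        allowed[unit].indexOf(verb) != -1) {
        polkit.log("svc-restart: " + subject.user + " " + verb + " " + unit);
        return polkit.Result.YES;
    }
    // Returning nothing lets later rules and the .policy default decide.
    // Returning polkit.Result.NO here would also lock out administrators
    // who are normally allowed via auth_admin, so do not do that.
});
`;

// Stand-in for polkitd: load the rules text in a scope where "polkit" is a
// global, then evaluate rules in order and take the first defined result.
function loadRules(source) {
    const rules = [];
    const polkit = {
        Result: { NO: "no", YES: "yes" },   // subset of polkit.Result
        addRule: (fn) => rules.push(fn),
        log: () => {},                      // real polkitd writes to the journal
    };
    new Function("polkit", source)(polkit);
    return function check(actionId, details, user, groups) {
        const action = { id: actionId, lookup: (key) => details[key] };
        const subject = { user, isInGroup: (g) => groups.includes(g) };
        for (const rule of rules) {
            const result = rule(action, subject);
            if (result !== undefined) return result;
        }
        return "default"; // no rule decided; the action's .policy default applies
    };
}

const MANAGE_UNITS = "org.freedesktop.systemd1.manage-units";
const MANAGE_UNIT_FILES = "org.freedesktop.systemd1.manage-unit-files";

// Constructed test cases: [label, actionId, details, user, groups, expected]
const CASES = [
    ["restart allowlisted unit", MANAGE_UNITS, { unit: "apache-tomcat.service", verb: "restart" }, "tomcatadmin", ["tomcatadmin", "svc-restart"], "yes"],
    ["reload nginx",             MANAGE_UNITS, { unit: "nginx.service", verb: "reload" },          "tomcatadmin", ["svc-restart"], "yes"],
    ["verb not allowlisted",     MANAGE_UNITS, { unit: "apache-tomcat.service", verb: "kill" },    "tomcatadmin", ["svc-restart"], "default"],
    ["unit not allowlisted",     MANAGE_UNITS, { unit: "sshd.service", verb: "restart" },          "tomcatadmin", ["svc-restart"], "default"],
    ["user not in group",        MANAGE_UNITS, { unit: "apache-tomcat.service", verb: "restart" }, "alice",       ["alice"],       "default"],
    ["enable is another action", MANAGE_UNIT_FILES, { unit: "apache-tomcat.service", verb: "enable" }, "tomcatadmin", ["svc-restart"], "default"],
    ["missing details",          MANAGE_UNITS, {},                                                 "tomcatadmin", ["svc-restart"], "default"],
];

// Evaluate every case; returns one {label, got, expected, ok} per case
function runCases(cases) {
    const check = loadRules(RULES_SOURCE);
    return cases.map(([label, actionId, details, user, groups, expected]) => {
        const got = check(actionId, details, user, groups);
        return { label, got, expected, ok: got === expected };
    });
}

for (const r of runCases(CASES)) {
    console.log(`${r.ok ? "PASS" : "FAIL"}  ${r.label}: ${r.got}`);
}
```

The harness only mirrors the two polkitd behaviours that matter for this kind of rule: rules run in load order and the first one to return a value wins, while returning undefined falls through. To deploy, write the RULES_SOURCE text to the rules file as root (mode 0644), then verify from a member of the group with pkcheck, for example <code>pkcheck --action-id org.freedesktop.systemd1.manage-units --process $$ --detail unit apache-tomcat.service --detail verb restart</code>, which exits 0 when the rule authorizes the request, and confirm a non-allowlisted verb does not.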