topic Using polkit allows for stopping/starting other systemd services in Splunk Enterprise

Using polkit allows for stopping/starting other systemd services

amartin6 — Wed, 10 Feb 2021 22:31:38 GMT

We upgraded to 8.1.2 and want to use workload manager, workload manager requires systemd. With 8.1.x you can allow the splunk user to stop/start the systemd splunk service, which works fine however it seems to be to broad of a configuration and also allows for stopping/starting other systemd services as well. Is there a way to lock down the polkit rule where it doesn't grant beyond the splunk service? I'll do more research on polkit to see if I can find a way but wondering if others have done this.

sh-4.2$ sudo /apps/splunk/bin/splunk enable boot-start -systemd-managed 1 -create-polkit-rules 1 -user splunk
CAUTION: The system has systemd version < 237 and polkit version > 105. With this combination, polkit rule created for this user will enable this user to manage all systemd services.Are you sure you want to continue [y/n]? y
Systemd unit file installed at /etc/systemd/system/Splunkd.service.
Polkit rules file installed at /etc/polkit-1/rules.d/10-Splunkd.rules.
Configured as systemd managed service.

sh-4.2$ sudo su - splunk

splunk@qasshd$ systemctl stop amazon-ssm-agent.service
splunk@qasshd$ systemctl status amazon-ssm-agent.service
● amazon-ssm-agent.service - amazon-ssm-agent
Loaded: loaded (/etc/systemd/system/amazon-ssm-agent.service; enabled; vendor preset: disabled)
Active: inactive (dead) since Wed 2021-02-10 22:19:39 UTC; 7s ago
Process: 1130 ExecStart=/usr/bin/amazon-ssm-agent (code=exited, status=0/SUCCESS)
Main PID: 1130 (code=exited, status=0/SUCCESS)
splunk@qasshd$ systemctl start amazon-ssm-agent.service
splunk@qasshd$ systemctl status amazon-ssm-agent.service
● amazon-ssm-agent.service - amazon-ssm-agent
Loaded: loaded (/etc/systemd/system/amazon-ssm-agent.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2021-02-10 22:19:55 UTC; 3s ago
Main PID: 5087 (amazon-ssm-agen)
Memory: 30.6M
CGroup: /system.slice/amazon-ssm-agent.service
├─5087 /usr/bin/amazon-ssm-agent
└─5101 /usr/bin/ssm-agent-worker
splunk@qasshd$

This is our rules file:

/etc/polkit-1/rules.d/10-Splunkd.rules
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.systemd1.manage-units" &&
subject.user == "splunk")
{
return polkit.Result.YES;
}
});

Re: Using polkit allows for stopping/starting other systemd services

amartin6 — Wed, 10 Feb 2021 22:37:09 GMT

splunk@qasshd$ rpm -qa polkit
polkit-0.112-26.el7.x86_64
splunk@qasshd$

Re: Using polkit allows for stopping/starting other systemd services

amartin6 — Wed, 10 Feb 2021 22:39:46 GMT

splunk@qasshd$ rpm -qa systemd
systemd-219-78.el7_9.2.x86_64

Re: Using polkit allows for stopping/starting other systemd services

dwaddle — Mon, 18 Oct 2021 17:43:19 GMT

Yes, they do. Because RHEL7's systemd and polkit are just OLD and the features you need really aren't there. See https://www.duanewaddle.com/splunk-7-2-2-and-systemd/

Re: Using polkit allows for stopping/starting other systemd services

amartin6 — Mon, 18 Oct 2021 17:57:54 GMT

Correct, the older version of polkit is what we discovered

Re: Using polkit allows for stopping/starting other systemd services

svarkhede — Tue, 19 Oct 2021 19:08:29 GMT

If systemd version is greater than 236 and polkit version is greater than 0.105 then user has access to only Splunk service managed by systemd else it gives access to all the services managed by systemd.

https://docs.splunk.com/Documentation/Splunk/8.2.2/Admin/RunSplunkassystemdservice#:~:text=file%20naming%20considerations.-,Install%20polkit%20rules%20to%20elevate%20user%20permissions,-In%20version%208.1.1