On an embedded Linux device (Colibri module with an iMX7d processor) I am not able to run the command systemctl suspend as a non-root user in order to switch into suspend mode. When I log in as the root user, the command is executed and the system switches to suspend mode. The same command runs on an Ubuntu PC system as a non-root user.
I would like to enter suspend mode on the embedded Linux device without root privileges as well. Can anybody help me or show me the direction on how to achieve this? Any help would be greatly appreciated.
Here is the Linux kernel version of the embedded device:
$ uname -r
5.4.91-5.2.0-devel+git.c59b3c2da1e9
Here is the systemctl version:
$ systemctl --version
systemd 244 (244.5+)
+PAM -AUDIT -SELINUX +IMA -APPARMOR -SMACK +SYSVINIT +UTMP -LIBCRYPTSETUP -GCRYPT -GNUTLS +ACL +XZ -LZ4 -SECCOMP +BLKID -ELFUTILS +KMOD -IDN2 -IDN -PCRE2 default-hierarchy=hybrid
To allow running a root-only command for other (non-root) users, you can use sudo: https://linux.die.net/man/8/sudo
Assuming your non-root user that needs to be able to suspend is called user1:
Create the file /root/suspend.sh containing systemctl suspend, and make sure its mode is 0700 and it is owned by root:root, e.g. run these as root:
echo 'systemctl suspend' > /root/suspend.sh
chmod 0700 /root/suspend.sh
chown root:root /root/suspend.sh
Then run visudo as root and add this line:
user1 ALL=(root) NOPASSWD: /root/suspend.sh
Then save the file.
This means that user1 can run the script /root/suspend.sh as the root user, without being asked for its (user1's) password.
When you want to suspend as user1, run: sudo /root/suspend.sh
With this solution, user1 can run sudo /root/suspend.sh as root, but cannot run arbitrary commands as root (unless you added the user to the sudo group).
You must make sure /root/suspend.sh is only writable by root (and that its containing directory /root/ is also only writable by root).
If any non-root user can write to /root/suspend.sh, then when user1 runs the file it will execute the arbitrary command there.
If any non-root user can write to the directory /root/, any user can also remove/delete /root/suspend.sh and then create a new file with the same name containing an arbitrary command.
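The ownership and write-permission conditions described in the answer above can be checked with a small audit script. This is an added example, not part of the original answer; the function names and the optional OWNER_UID and TOP_DIR arguments are assumptions of the example, and it also checks every directory above /root/, which goes one step beyond the single directory the answer names.

```shell
#!/bin/sh
# Added example: audit a script that a sudoers NOPASSWD rule lets a user run as root.
# Usage (as root): sh check_sudo_target.sh /root/suspend.sh
# Assumes Linux `stat -c` (GNU coreutils or BusyBox).

# Succeed only if path $1 is owned by uid $2 and is not group/other writable.
only_owner_writable() {
    p=$1
    info=$(stat -c '%u %a' "$p") || return 1
    u=${info% *}    # numeric owner uid
    m=${info#* }    # octal permission bits, e.g. 700
    if [ "$u" != "$2" ]; then
        echo "FAIL $p: owned by uid $u, expected $2"
        return 1
    fi
    # 022 = group-write | other-write
    if [ $(( 0$m & 022 )) -ne 0 ]; then
        echo "FAIL $p: mode $m is writable by group or others"
        return 1
    fi
}

# check_sudo_target FILE [OWNER_UID] [TOP_DIR]
# OWNER_UID (default 0) and TOP_DIR (default /) are parameters of this example,
# so the check can also be tried on a scratch directory without being root.
check_sudo_target() {
    file=$1 want=${2:-0} top=${3:-/}
    case $file in
        /*) ;;
        *) echo "FAIL $file: not an absolute path"; return 1 ;;
    esac
    [ -f "$file" ] || { echo "FAIL $file: not a regular file"; return 1; }
    rc=0
    only_owner_writable "$file" "$want" || rc=1
    # Walk up: a writable ancestor lets someone replace the script.
    dir=$(dirname "$file")
    while :; do
        only_owner_writable "$dir" "$want" || rc=1
        if [ "$dir" = "$top" ] || [ "$dir" = "/" ]; then break; fi
        dir=$(dirname "$dir")
    done
    return "$rc"
}

if [ "$#" -gt 0 ]; then check_sudo_target "$@"; fi
```

A symbolic link at the script path is reported as a failure, because `stat` without `-L` reports the link's own mode rather than that of its target.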