
Root privileges needed for "systemctl suspend" command


On an embedded Linux device (Colibri module with an iMX7d processor) I am not able to run the command systemctl suspend as a non-root user in order to switch into suspend mode. When I log in as the root user, the command is executed and the system switches to suspend mode. The same command runs on an Ubuntu PC system as a non-root user.

I would like to enter the suspend mode also on the embedded Linux device without root privileges. Can anybody help me or show me the direction on how to achieve this? Any help would be greatly appreciated.

Here is the Linux kernel version of the embedded device:

$ uname -r
5.4.91-5.2.0-devel+git.c59b3c2da1e9

Here is the systemctl version:

$ systemctl --version
systemd 244 (244.5+)
+PAM -AUDIT -SELINUX +IMA -APPARMOR -SMACK +SYSVINIT +UTMP -LIBCRYPTSETUP -GCRYPT -GNUTLS +ACL +XZ -LZ4 -SECCOMP +BLKID -ELFUTILS +KMOD -IDN2 -IDN -PCRE2 default-hierarchy=hybrid

Solution

  • To allow running a root-only command for other (non-root) users, you can use sudo: https://linux.die.net/man/8/sudo

    Assuming your non-root user that needs to be able to suspend is called: user1

    Create a file at /root/suspend.sh that contains systemctl suspend, and make sure its mode is 0700 and it is owned by root:root, e.g. run these as root:

    echo 'systemctl suspend' > /root/suspend.sh
    chmod 0700 /root/suspend.sh
    chown root:root /root/suspend.sh
    

    Then run visudo as root, then add this line:

    user1 ALL=(root) NOPASSWD: /root/suspend.sh
    

    Then save the file.

    This means that user1 can run the script /root/suspend.sh as the root user, without being asked for its (user1's) password.

    When you want to suspend as user1, run: sudo /root/suspend.sh

    With this solution, user1 can run sudo /root/suspend.sh as root, but cannot run arbitrary commands as root (unless you added the user to the sudo group).

    IMPORTANT CONSIDERATION:

    You must make sure /root/suspend.sh is only writable by root (and that its containing directory /root/ is also only writable by root).

    If any non-root user can write to /root/suspend.sh, then when user1 runs the file it will execute the arbitrary command there.

    If any non-root user can write to the directory /root/, any user can also remove/delete /root/suspend.sh and then create a new file with the same name containing an arbitrary command.
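
The check described under "IMPORTANT CONSIDERATION", as an added example that is not part of the original answer: it verifies that the script and every directory above it are owned by the expected user and not writable by group or others. The function names `entry_is_safe` and `audit_sudo_target` are hypothetical, and it assumes a `stat` that supports `-c` (GNU coreutils or BusyBox).

```shell
#!/bin/sh
# Added example: audit a script that sudoers allows a user to run as root.
# Assumption: stat supports -c '%u %a' (GNU coreutils or BusyBox).

# entry_is_safe PATH OWNER_UID
# Succeeds only if PATH is owned by OWNER_UID and has no group/other write bit.
# A symlink reports mode 777 and is therefore treated as unsafe.
entry_is_safe() {
    info=$(stat -c '%u %a' "$1" 2>/dev/null) || return 2
    uid=${info% *}
    mode=${info#* }
    [ "$uid" = "$2" ] || return 1
    # Leading 0 makes the shell read the mode as octal; 022 = g+w | o+w.
    [ $((0$mode & 022)) -eq 0 ]
}

# audit_sudo_target FILE [OWNER_UID] [TOP]
# FILE must be an absolute path. Checks FILE and each parent directory up to
# TOP (default /), because a writable parent lets someone replace the file.
audit_sudo_target() {
    path=$1
    owner=${2:-0}
    top=${3:-/}
    rc=0
    while :; do
        if ! entry_is_safe "$path" "$owner"; then
            echo "UNSAFE: $path (wrong owner, or writable by group/others)" >&2
            rc=1
        fi
        if [ "$path" = "$top" ] || [ "$path" = "/" ]; then
            break
        fi
        path=$(dirname "$path")
    done
    return $rc
}

# When run with arguments, audit that path, e.g.:
#   sh audit.sh /root/suspend.sh
if [ "$#" -gt 0 ]; then
    audit_sudo_target "$@"
fi
```

Run it as root before adding the sudoers line, and again whenever the script or its directory changes; a non-zero exit status means at least one path component failed the check.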