[sevagh]

>"systemd runs services as independent users, it solves that!"

It's in a terrible way, too. Not sure it improved but I recall somebody once, at a company I worked at, trying to introduce per-unix-user systemd services (e.g. `graphite` user for running Graphite), and there were some atrocious steps required like `loginctl --enable-linger` and God knows what.

We moved to running everything systemd as root, it's easier (and you can specify which unixuser the actual systemd unit runs at, which is "close enough").

[Nullabillity]

Loginctl/per-user systemds are for managing interactive sessions. System services with User= is exactly the way you'd go for isolating background daemons.

[ptx]

What if you want to let a non-root user manage the systemd unit for a particular service? Is there a better way than per-user systemd instances?

[acdha]

Check example 3.4 here for a polkit policy allowing an arbitrary user to restart a single unit:

https://wiki.archlinux.org/title/Polkit

[twic]

Does this let them modify the unit file, create units, create timers, etc?

User systemd allows that kind of complete self-service, and so lets you do application deployment and management without touching the root account, which is rather nice.

[BenjiWiebe]

If they can edit a service that runs with more privileges than they have, that's a privilege escalation vulnerability.

Polkit lets a non-root user restart a root/privileged service without letting the non-root user gain privileges.

[chuckadams]

chgrp, setfacl, sudo.conf ... lots of choices.