systemd: Grant an unprivileged user permission to alter one specific service

Shadur asked:

I’m running a private game server on a headless linux box. Because I’m not an idiot, said server is running as its own unprivileged user with the bare minimum access rights it needs to download updates and modify the world database.

I also created a systemd unit file to properly start, stop and restart the server when needed (for said updates, for example).

However, in order to actually call systemctl or service <game> start/stop/restart I still need to log in as either root or a sudo capable user.

Is there a way to tell systemd that for the <game> service, unprivileged user gamesrv is permitted to run the start/stop/restart commands?

My answer:

I can think of two ways to do this:

One is by making the service a user service rather than a system service.

Instead of creating a system unit, the systemd unit will be placed under the service user’s home directory, at $HOME/.config/systemd/user/daemon-name.service. The same user can then manage the service with systemctl --user <action> daemon-name.service.

To allow the user unit to start at boot, root must enable linger for the account, i.e. sudo loginctl enable-linger username. The unit must also be

The other way is by allowing the user access to manage the system unit via PolicyKit. This requires systemd 226 or higher.

You would create a new PolicyKit configuration file, e.g. /etc/polkit-1/rules.d/57-manage-daemon-name.rules which checks for the attributes you want to permit. For example:

// Allow alice to manage example.service;
// fall back to implicit authorization otherwise.
polkit.addRule(function(action, subject) {
    if ( == "org.freedesktop.systemd1.manage-units" &&
        action.lookup("unit") == "example.service" &&
        subject.user == "alice") {
        return polkit.Result.YES;

The named user can then manage the named service with systemctl and without using sudo.

View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.