support user units

README.md

@@ -9,6 +9,7 @@ there is no established network connection.
 ## Requirements
 
 * [NetworkManager](https://wiki.gnome.org/Projects/NetworkManager)
+* [sudo](https://www.sudo.ws/)
 
 ## Defining Trust
 
@@ -127,6 +128,21 @@ When `ttoggle` is called it will now perform the following:
 * Stop all units when connected to no network, and then start units that are
   marked `allow_offline`.
 
+
+### User Units
+
+User units may be specified by adding `,user:username` to the unit entry in the
+trusted unit file. For example, if the user `pigmonkey` has a unit
+`ssh-tunnel.service` that should only be started on trusted networks:
+
+    # echo 'ssh-tunnel.service,user:pigmonkey' >> /usr/local/etc/trusted_units
+
+When starting, stopping, or checking the status of these units `ttoggle` will
+check if the calling user is the same as the user specified for the unit. If
+the users match, the current user will be used to take the appropriate action.
+If the users do not match (for instance, when `ttoggle` is called by root),
+`sudo` will be used to take action as the specified user.
+
 ### Automation
 
 A NetworkManager dispatcher is provided to automate the toggling of trusted

ttoggle

@@ -35,30 +35,71 @@ find_nmtrust() {
     fi
 }
 
+extract_user() {
+    echo "$1" | sed 's/.*user:\([^,]*\).*/\1/'
+}
+
+user_toggle() {
+    unit_user=$(extract_user $line)
+    unit_user_id=$(id -u $unit_user)
+    unit=$(echo "$line" | cut -d ',' -f1)
+    if [ "$1" = "status" ]; then
+        command="systemctl "$1" --user $unit | grep '^\s*Active\|●'"
+    else
+        command="systemctl "$1" --user $unit"
+    fi
+    if [ $unit_user = $USER ]; then
+        eval $command
+    else
+        sudo -u "$unit_user" bash -c "export XDG_RUNTIME_DIR=/run/user/1000; $command"
+    fi
+}
+
 start() {
     if [ "$quiet" != true ]; then
-        echo "Starting trusted units"
+        echo "Starting trusted system units"
+    fi
+    systemctl start $(grep -v ',.*user:' "$UNITFILE" | cut -d ',' -f1)
+    if [ "$quiet" != true ]; then
+        echo "Starting trusted user units"
     fi
-    systemctl start $(cat "$UNITFILE" | cut -d ',' -f1)
+    grep ',.*user:' "$UNITFILE" | while read -r line; do
+        user_toggle "start" $line
+    done
 }
 
 stop() {
     if [ "$quiet" != true ]; then
-        echo "Stopping trusted units"
+        echo "Stopping trusted system units"
     fi
-    systemctl stop $(cat "$UNITFILE" | cut -d ',' -f1)
+    systemctl stop $(grep -v ',.*user:' "$UNITFILE" | cut -d ',' -f1)
+    if [ "$quiet" != true ]; then
+        echo "Stopping trusted user units"
+    fi
+    grep ',.*user:' "$UNITFILE" | while read -r line; do
+        user_toggle "stop" $line
+    done
 }
 
 start_offline() {
     stop
     if [ "$quiet" != true ]; then
-        echo "Starting trusted offline units"
+        echo "Starting trusted system offline units"
+    fi
+    systemctl start $(grep ',.*allow_offline' "$UNITFILE" | grep -v ',.*user:' | cut -d ',' -f1)
+    if [ "$quiet" != true ]; then
+        echo "Starting trusted user offline units"
     fi
-    systemctl start $(grep ',.*allow_offline' "$UNITFILE" | cut -d ',' -f1)
+    grep ',.*allow_offline' "$UNITFILE" | grep ',.*user:' | while read -r line; do
+        user_toggle "start" $line
+    done
 }
 
 status() {
-    systemctl status $(cat $UNITFILE | cut -d ',' -f1) | grep '^\s*Active\|●'
+    systemctl status $(grep -v ',.*user:' $UNITFILE | cut -d ',' -f1) | grep '^\s*Active\|●'
+    grep ',.*user:' "$UNITFILE" | while read -r line; do
+        user_toggle "status" $line
+    done
 }
 
 while getopts ":f:sxqh" opt; do