Dtyjlui

We have OS ubuntu 18.04. There are 2 users presented :
user1, user2. user1 is administrative account and is member of sudo group:
uid=1010(user1) gid=1010(user1) groups=1010(user1),27(sudo),110(lxd). user2 is a regular user uid=1000(user2) gid=1000(user2) groups=1000(user2).
Now, in /etc/sudoers file i have a default record for sudo group:

# Allow members of group sudo to execute any command 

%sudo   ALL=(ALL:ALL) ALL

As well as special commands allowed to be executed with administrative(root) rights for user2:

Cmnd_Alias CMD_RELOAD_PHP_FPM = /bin/systemctl reload php7.0-fpm, /bin/systemctl reload php7.2-fpm

user2 ALL=(root:root) NOPASSWD: CMD_RELOAD_PHP_FPM

At this step all is fine user2 can execute everything specified in Cmnd_Alias without entering password, so work as expected.

But when user2 tries to execute something he is not allowed to he gets prompt to enter, attention, user1 password. Not root, not his own user2, but user1 password, instead of silently or informatively denying such action:

user2@someserver:~$ /bin/systemctl restart <someservice>

==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ===

Authentication is required to restart 'someservice.service'.

Authenticating as: user1

Password:

user1 is the only member of sudo group.

grep 'sudo' /etc/group

sudo:x:27:user1

grep 'sudo' /etc/gshadow

sudo:*::user1

If user1 is removed from sudo group and user2 tries to execute same command, then he is asked to enter root password.

How can i change this behaviour, so user2 attempts would be denied instead of asking him to enter password ?

I have not enough knowledge about polkit, but it seems to be a cause of such behavior.

Line which responsible for that is :

AdminIdentities=unix-group:sudo;unix-group:admin

inside the /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf file

Commenting of the AdminIdentities=... line and restarting polkit daemon returns default behavior where root password is required for service restart.
Not sure if it's safe, or not. Probably some of community members could explain better.

Also it seems that I've found the place where default actions for systemd are described if unprivileged user is trying to perform some action with the systemd service.

It's inside the file: /usr/share/polkit-1/actions/org.freedesktop.systemd1.policy

If I'm setting values like this:

<action id="org.freedesktop.systemd1.manage-units">

        <description gettext-domain="systemd">Manage system services or other units</description>

        <message gettext-domain="systemd">Authentication is required to manage system services or other units.</message>

        <defaults>

                <allow_any>no</allow_any>

                <allow_inactive>no</allow_inactive>

                <allow_active>no</allow_active>

        </defaults>

</action>

i start to get Access denied message on trying to restart service as unprivileged user.