System Integration
The most likely setup for running the application manager is as a systemd system service. You can of course use any init system you like, but the following sections describe how to set up the application manager with systemd, as this is the most common setup.
Basic Systemd Service
This documentation assumes that you have a basic understanding of how to set up systemd services. The application manager is "systemd notify" aware, so a basic service file should look like this:
    # /etc/systemd/system/minidesk.service
    [Unit]
    Description=Start the minidesk application manager example

    [Service]
    Type=notify
    ExecStart=/usr/bin/minidesk --verbose
    User=minidesk-user
    Group=minidesk-group
    WatchdogSec=10s

    [Install]
    # WantedBy=your-ui.target
- The Type field should always be notify, as is expected from a modern systemd-aware service.
- The ExecStart field is obviously your application manager executable with any command line options you need.
- The User and Group fields should be set to the user and group that will run the application manager.
  Note: The application manager should not be run as root, as this is a big and unnecessary security risk. Always create an unprivileged user to run the application manager.
- The WatchdogSec field is optional, but recommended. It sets the watchdog timeout for the application manager. If the application manager does not send a systemd notification within this timeout, systemd will assume that the application manager has crashed and will restart it.
- The WantedBy part is optional for testing, but needs to be enabled and adjusted for your specific target setup to enable the service to start automatically on boot.
Root Privileges for the Application Manager
Although the application manager itself should not be run with root privileges, it might still need those privileges for some operations, such as setting extended attributes on files during application installation, mounting application code into containers or cleaning up orphaned application installations. This is optional and depends on your specific setup and requirements.
To accomplish both of these opposing goals, the application manager can be started as the root user together with the --setuid <user>[:<group>]* command line option. In this case, the application manager forks off a simple server (the so-called sudo helper) that talks to the main process over a private socket and executes the aforementioned privileged operations on behalf of the main process.
The main process will then switch itself to the specified user and group(s), and continue as the given unprivileged user.
Please see the --setuid command line option documentation for more details on the expected values.
This can be done like so:
    # /etc/systemd/system/minidesk.service
    [Unit]
    Description=Start the minidesk application manager example

    [Service]
    Type=notify
    ExecStart=/usr/bin/minidesk --verbose --setuid minidesk-user:minidesk-group
    WatchdogSec=10s

    [Install]
    # WantedBy=your-ui.target
Note: On versions before 6.10 this setup was different: you had to set the owner to root and the suid/'s' bit on the application manager executable. Then, the service had to be started as the unprivileged user and the suid-root bit would take care of starting the process initially as root. This was changed to the new scheme for two reasons: 1) the suid-root scheme can be a big security hole if the application manager executable's execute permissions are too liberal (as is the case with any suid-root executable). 2) all processes with the suid-root bit set are tagged AT_SECURE by the Linux kernel and have to live with restrictions forever, even after switching back to an unprivileged user (e.g. secure_getenv(), LD_LIBRARY_PATH).
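One way to check a deployed unit file against the points in both sections above. This is an added example, not part of the Qt documentation; the function names svc_get and audit_unit are hypothetical, the sample unit is constructed, and the parser assumes Key=value lines without spaces around the "=":

```shell
#!/bin/sh
# Added example: check a unit file against the recommendations on this page.

# Print the last "Key=value" value found in the [Service] section.
# Assumes no whitespace around "=" (as in the units shown on this page).
svc_get() {
    awk -v key="$2" '
        /^\[/ { in_svc = ($0 == "[Service]"); next }
        in_svc && index($0, key "=") == 1 { val = substr($0, length(key) + 2) }
        END { print val }' "$1"
}

# Print one finding per line; return 0 if the unit is clean, 1 otherwise.
audit_unit() {
    unit=$1; findings=0
    user=$(svc_get "$unit" User)
    exec_start=$(svc_get "$unit" ExecStart)
    bin=${exec_start%% *}          # first word of ExecStart is the executable

    [ "$(svc_get "$unit" Type)" = notify ] ||
        { echo "Type is not notify"; findings=1; }
    [ -n "$(svc_get "$unit" WatchdogSec)" ] ||
        { echo "WatchdogSec is not set"; findings=1; }

    case " $exec_start " in *" --setuid "*) drops=yes ;; *) drops=no ;; esac
    if [ -z "$user" ] || [ "$user" = root ]; then
        # Without User= systemd starts a system service as root.
        [ "$drops" = yes ] ||
            { echo "starts as root without --setuid"; findings=1; }
    elif [ "$drops" = yes ]; then
        echo "--setuid is given but the service starts as $user, not root"
        findings=1
    fi
    # Pre-6.10 scheme: suid bit on the executable itself.
    [ ! -u "$bin" ] || { echo "$bin has the suid bit set"; findings=1; }
    return "$findings"
}

# Constructed sample: the root-privileges unit from this page minus --setuid.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[Unit]
Description=Start the minidesk application manager example
[Service]
Type=notify
ExecStart=/usr/bin/minidesk --verbose
WatchdogSec=10s
EOF
audit_unit "$sample" || echo "unit needs attention"
rm -f "$sample"
```

Run it against the installed unit with audit_unit /etc/systemd/system/minidesk.service; the suid check only fires when the path in ExecStart exists on the machine being audited.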
© 2025 The Qt Company Ltd. Documentation contributions included herein are the copyrights of their respective owners. The documentation provided herein is licensed under the terms of the GNU Free Documentation License version 1.3 as published by the Free Software Foundation. Qt and respective logos are trademarks of The Qt Company Ltd. in Finland and/or other countries worldwide. All other trademarks are property of their respective owners.