65

I want the default user, ubuntu to be able to run a specific service without being prompted for a password.

Specifically systemctl restart unicorn_my_app.service.

Have followed the instructions here to add user ubuntu to a newly created group, LimitedAdmins, which is confirmed with:

$ getent group LimitedAdmins
LimitedAdmins:x:1001:ubuntu

Created a new file, limitedadmins (using sudo vim) in the /etc/sudoers.d directory containing the following text:

%LimitedAdmins ALL=NOPASSWD: /etc/init.d/unicorn_ofn_america restart, /etc/init.d/unicorn_ofn_america start

I have also tried:

%LimitedAdmins ALL=NOPASSWD: /bin/systemctl/unicorn_ofn_america restart, /bin/systemctl/unicorn_ofn_america start

(And /bin/systemd)

Content of /etc/sudoers/ is the default as confirmed with sudo visudo (or sudo cat /etc/sudoers):

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults    env_reset
Defaults    mail_badpass
Defaults    secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

(The hash sign in #includedir is not a comment, but part of the #include directive syntax).

However there's still a password prompt following running systemctl restart unicorn_my_app.service

Service is there in the init.d directory:

$ ls -l /etc/init.d | grep unicorn
-rwxr--r-- 1 ubuntu ubuntu 1874 Oct 29 06:47 unicorn_my_app

Tried chmodding 755 on the app, but don't think that should make a difference, since ubuntu owns it anyway.

Even tried rebooting the system with no difference. Am I missing a step, like a restart/reload)? Configuring something wrong?

I should also mention that I used vim to create the new file within /etc/sudoers.d, as it seems that the visudo command is only for editing /etc/sudoers.

UPDATE

Looks like you can edit additional sudo config files with visudo. See below.

MikeiLL
  • 893
  • 1
  • 7
  • 9
  • See also http://unix.stackexchange.com/questions/192706/how-could-we-allow-non-root-users-to-control-a-system-d-service – Raedwald Feb 07 '17 at 14:29
  • See also this answer for 3 possible solutions to this problem https://unix.stackexchange.com/a/606476/13772 (user service, polkit, sudo). – bstpierre Jun 16 '22 at 11:36

2 Answers2

81

The sudoers file is fairly flexible, and with that comes complexity. What you want here is to permit access to the command /bin/systemctl, with specific parameters:

%LimitedAdmins ALL=NOPASSWD: /bin/systemctl restart unicorn_my_app.service

Basically you just take the exact command line that you would type, hard-code the path name for safety's sake, and put that into your sudoers file (or /etc/sudoers.d). And note that 'start' and 'restart' are completely different as far as sudo is concerned; permitting one won't grant access to the other.

rosuav
  • 925
  • 7
  • 5
  • 1
    Doesn't seem to be working. I can copy `/bin/systemctl restart unicorn_my_app.service` directly from the `/etc/sudoers.d/limitedadmins` file and run it in the CLI, and am prompted for a password. Does user `ubuntu` need tp be specified somewhere or does `ALL` open it up to all users for all domains? – MikeiLL Nov 01 '15 at 21:37
  • 13
    You would run `sudo /bin/systemctl restart unicorn_my_app.service` and it should then run without a password. (posting as comment in case PsiOps's answer is separated from this one) – rosuav Oct 18 '16 at 14:26
  • 1
    @rosuav Is there any way so that we can run it directly like `systemctl restart myapp.service` without using `sudo`. – kabirbaidhya Nov 17 '16 at 06:22
  • Not really, but you could put the command into a script (complete with the sudo prefix), and then put that script onto $PATH. Or make it a shell alias. – rosuav Nov 18 '16 at 04:56
  • 6
    Attention: On other distros `systemctl` is in `/usr/bin` :-(. – guettli Dec 19 '16 at 08:09
  • This was helpful. Also nice to emphasize the differences between start and restart. Thank you. – mvw Feb 12 '19 at 15:33
6

I too thought visudo only worked on /etc/sudoers but happily, I was mistaken.

visudo can be used to modify existing files in /etc/sudoers.d or create new ones. The -f parameter allows this. If the command is invoked like this:

visudo -f /etc/sudoers.d/permissions_for_subset_of_users

you can use visudo's validation capabilities to allow safe editing of sudoers.

Also, if you are using some kind of CI/CD or configuration management, you can use visudo -cf <name_of_file> to run a validation of the configuration. (our lead sysadmin provided that second piece of knowledge).

Reference: https://www.sudo.ws/man/1.8.13/visudo.man.html

darnold0714
  • 61
  • 1
  • 2