23

Background: I have a development machine with a LAMP setup. Several developers would access the machine from time to time. Every time they make some change in a configuration file they will need to restart the Apache server using `sudo service apache restart` or `sudo /etc/init.d/apache2 restart`.

The Question:

What I want now is that every developer who accesses the machine does not have sudo access to everything. Rather, he/she should only be able to run the service command using sudo and nothing else. Is it possible to do that?

Ankit

1 Answer

37

Yes.

Make a new group, web (call it what you wish)

sudo addgroup web

Add your developer(s) to the web group (use their login name).

sudo adduser your_developer_user web

Then run `sudo visudo -f /etc/sudoers.d/somefile` (use a meaningful name instead of `somefile`).

Add in a line (use the full path of the command):

%web ALL=(ALL) /usr/bin/service apache2 *

The developers can then run

sudo service apache2 restart

using their login password.

Do NOT add your admin user to the web group.

See `man sudoers` for additional information.

muru
Panther
  • 1
    @Ankit: that way the users of `web` group can start/stop any service, and this is not what you want, I think. The solution should be to put the exact command (also with parameters) in `/etc/sudoers`. – enzotib Dec 27 '11 at 10:23
  • @enzotib Can I do that too? I mean, so the new command would be `/usr/bin/service apache2`, is it? – Ankit Dec 27 '11 at 12:08
  • 3
    @Ankit: `/usr/bin/service apache2 *` – enzotib Dec 27 '11 at 13:10
  • This should also probably be `/usr/sbin/service` – Erfan May 26 '16 at 13:19
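
What each rule discussed in the answer and its comments permits, as an added example that is not part of the original thread. It is a simplified model of sudoers command matching (see the comment block for the assumptions); the third rule is a constructed, tighter variant that names a single action.

```shell
#!/bin/sh
# Added example: simplified model of sudoers command matching, limited to the
# cases in this thread. Assumptions: the path must equal the resolved command
# path; a rule without arguments permits any arguments; a rule with arguments
# is matched, wildcards included, against the user's arguments joined by spaces.

# rule_allows RULE PATH [ARGS...] -> status 0 when RULE permits the command
rule_allows() {
    rule=$1
    path=$2
    shift 2
    args="$*"                          # e.g. "apache2 restart"
    [ "${rule%% *}" = "$path" ] || return 1
    case $rule in
        *" "*) pattern=${rule#* } ;;   # arguments part of the rule
        *)     return 0 ;;             # no arguments listed: anything goes
    esac
    case $args in
        $pattern) return 0 ;;          # '*' also matches across spaces
    esac
    return 1
}

verdict() {
    if rule_allows "$@"; then echo allow; else echo deny; fi
}

# Rules 1 and 2 are quoted in the thread; rule 3 is constructed for contrast
# and uses the path suggested in the last comment.
report() {
    while IFS= read -r rule; do
        printf 'rule: %s\n' "$rule"
        printf '  /usr/bin/service ssh stop         %s\n' \
            "$(verdict "$rule" /usr/bin/service ssh stop)"
        printf '  /usr/bin/service apache2 restart  %s\n' \
            "$(verdict "$rule" /usr/bin/service apache2 restart)"
        printf '  /usr/bin/service apache2          %s\n' \
            "$(verdict "$rule" /usr/bin/service apache2)"
        printf '  /usr/sbin/service apache2 restart %s\n' \
            "$(verdict "$rule" /usr/sbin/service apache2 restart)"
    done <<'EOF'
/usr/bin/service
/usr/bin/service apache2 *
/usr/sbin/service apache2 restart
EOF
}
report
```

On the real machine, `sudo visudo -c` checks the sudoers syntax and `sudo -l -U your_developer_user` lists what that account is actually permitted to run.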