allowing user to run systemctl/systemd services without password

I want the default user, ubuntu to be able to run a specific service without being prompted for a password.

Specifically systemctl restart unicorn_my_app.service.

Have followed the instructions here to add user ubuntu to a newly created group, LimitedAdmins, which is confirmed with:

$ getent group LimitedAdmins
LimitedAdmins:x:1001:ubuntu

Created a new file, limitedadmins (using sudo vim) in the /etc/sudoers.d directory containing the following text:

%LimitedAdmins ALL=NOPASSWD: /etc/init.d/unicorn_ofn_america restart, /etc/init.d/unicorn_ofn_america start

I have also tried:

%LimitedAdmins ALL=NOPASSWD: /bin/systemctl/unicorn_ofn_america restart, /bin/systemctl/unicorn_ofn_america start

(And /bin/systemd)

Content of /etc/sudoers/ is the default as confirmed with sudo visudo (or sudo cat /etc/sudoers):

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d

(The hash sign in #includedir is not a comment, but part of the #include directive syntax).

However there's still a password prompt following running systemctl restart unicorn_my_app.service

Service is there in the init.d directory:

$ ls -l /etc/init.d | grep unicorn
-rwxr--r-- 1 ubuntu ubuntu 1874 Oct 29 06:47 unicorn_my_app

Tried chmodding 755 on the app, but don't think that should make a difference, since ubuntu owns it anyway.

Even tried rebooting the system with no difference. Am I missing a step, like a restart/reload)? Configuring something wrong?

I should also mention that I used vim to create the new file within /etc/sudoers.d, as it seems that the visudo command is only for editing /etc/sudoers.

UPDATE

Looks like you can edit additional sudo config files with visudo. See below.

2

2 Answers

The sudoers file is fairly flexible, and with that comes complexity. What you want here is to permit access to the command /bin/systemctl, with specific parameters:

%LimitedAdmins ALL=NOPASSWD: /bin/systemctl restart unicorn_my_app.service

Basically you just take the exact command line that you would type, hard-code the path name for safety's sake, and put that into your sudoers file (or /etc/sudoers.d). And note that 'start' and 'restart' are completely different as far as sudo is concerned; permitting one won't grant access to the other.

6

I too thought visudo only worked on /etc/sudoers but happily, I was mistaken.

visudo can be used to modify existing files in /etc/sudoers.d or create new ones. The -f parameter allows this. If the command is invoked like this:

visudo -f /etc/sudoers.d/permissions_for_subset_of_users

you can use visudo's validation capabilities to allow safe editing of sudoers.

Also, if you are using some kind of CI/CD or configuration management, you can use visudo -cf <name_of_file> to run a validation of the configuration. (our lead sysadmin provided that second piece of knowledge).

Reference:

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password

Post as a guest

By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy

You Might Also Like