I'm trying to set up an Upstart job to run on system startup, and that can also be started/stopped by members of a group other than sudo. With a previous version, I used update-rc.d and scripts stored in /etc/init.d/ to get this working by adding %Group ALL = NOPASSWD: /etc/init.d/scriptname to my sudoers file, but I can't seem to get an equivalent working for Upstart.
I tried adding %Group ALL = NOPASSWD: /sbin/initctl start jobname to the sudoers file, but trying to run the command start jobname produces this error:
start: Rejected send message, 1 matched rules; type="method_call", sender=":1.21" (uid=1000 pid=5148 comm="start jobname " interface="com.ubuntu.Upstart0_6.Job" member="Start" error name="(unset)" requested_reply="0" destination="com.ubuntu.Upstart" (uid=0 pid=1 comm="/sbin/init")
As near as I can tell, that's a complaint about how my user account isn't given the power to send 'Start' messages in the D-Bus config file for Upstart. I haven't been able to actually find any information on how to edit that file to give a group permission to access a specific service–does such an option exist? Is there a way to edit the Sudoers file so I can run the job without editing the config file? Am I better off just sticking with the previous version?
Best Answer
You can start with finding out where the D-Bus configuration specific for Upstart is kept. See that destination="com.ubuntu.Upstart" snippet from the error message? Now try to grep it in the folder with D-Bus config files:
That Upstart.conf file has some examples of policies. I guess you could try to figure out the format of a policy from them. Then try to allow your specific user just the actions that it needs. For instance, as in:
This should permit the pope_benedict user to start that job.
Note that the values for the 'allow' policy attributes are listed in your original error message.
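The answer's last point, that the allow attributes can be read off the error message, as an added example (not code from the original post): a short Python script that parses the rejection text from the question and emits a matching D-Bus policy for a group or a user. The function names and the optional `path` argument are assumptions of this example; `group=`, `user=` and `send_path` are standard D-Bus policy attributes.

```python
import re
from xml.sax.saxutils import quoteattr

# Error text copied from the question above.
ERROR = (
    'start: Rejected send message, 1 matched rules; type="method_call", '
    'sender=":1.21" (uid=1000 pid=5148 comm="start jobname " '
    'interface="com.ubuntu.Upstart0_6.Job" member="Start" '
    'error name="(unset)" requested_reply="0" '
    'destination="com.ubuntu.Upstart" (uid=0 pid=1 comm="/sbin/init")'
)

# Field in the rejection message -> attribute of a D-Bus <allow> rule.
FIELD_TO_ATTR = (
    ("destination", "send_destination"),
    ("interface", "send_interface"),
    ("type", "send_type"),
    ("member", "send_member"),
)


def parse_rejection(message):
    """Return the key="value" fields of a 'Rejected send message' error."""
    fields = {}
    for key, value in re.findall(r'(\w+)="([^"]*)"', message):
        fields.setdefault(key, value)  # keep the sender's value if repeated
    return fields


def policy_for(message, group=None, user=None, path=None):
    """Build a <policy> element allowing exactly the call that was rejected."""
    if bool(group) == bool(user):
        raise ValueError("pass exactly one of group= or user=")
    fields = parse_rejection(message)
    missing = [f for f, _ in FIELD_TO_ATTR if f not in fields]
    if missing:
        raise ValueError("fields missing from message: %s" % ", ".join(missing))
    attrs = [(attr, fields[f]) for f, attr in FIELD_TO_ATTR]
    if path:  # narrows the rule to one object; without it every job matches
        attrs.append(("send_path", path))
    subject = "group" if group else "user"
    body = "\n         ".join("%s=%s" % (a, quoteattr(v)) for a, v in attrs)
    return "<policy %s=%s>\n  <allow %s/>\n</policy>" % (
        subject, quoteattr(group or user), body)


if __name__ == "__main__":
    # "Group" is the placeholder group name from the question's sudoers line.
    print(policy_for(ERROR, group="Group"))
```

The output belongs inside the `<busconfig>` element of the Upstart.conf located with grep. Without `path`, the rule matches the `Start` method on every job object, so pass the object path of the one job (look it up on your own system; it is not shown on this page) to keep the grant to that job.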