Ubuntu – allowing user to run systemctl/systemd services without password

I want the default user, ubuntu to be able to run a specific service without being prompted for a password.

Specifically systemctl restart unicorn_my_app.service.

Have followed the instructions here to add user ubuntu to a newly created group, LimitedAdmins, which is confirmed with:

$ getent group LimitedAdmins
LimitedAdmins:x:1001:ubuntu

Created a new file, limitedadmins (using sudo vim) in the /etc/sudoers.d directory containing the following text:

%LimitedAdmins ALL=NOPASSWD: /etc/init.d/unicorn_ofn_america restart, /etc/init.d/unicorn_ofn_america start

I have also tried:

%LimitedAdmins ALL=NOPASSWD: /bin/systemctl/unicorn_ofn_america restart, /bin/systemctl/unicorn_ofn_america start

(And /bin/systemd)

Content of /etc/sudoers/ is the default as confirmed with sudo visudo (or sudo cat /etc/sudoers):

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults    env_reset
Defaults    mail_badpass
Defaults    secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

(The hash sign in #includedir is not a comment, but part of the #include directive syntax).

However there's still a password prompt following running systemctl restart unicorn_my_app.service

Service is there in the init.d directory:

$ ls -l /etc/init.d | grep unicorn
-rwxr--r-- 1 ubuntu ubuntu 1874 Oct 29 06:47 unicorn_my_app

Tried chmodding 755 on the app, but don't think that should make a difference, since ubuntu owns it anyway.

Even tried rebooting the system with no difference. Am I missing a step, like a restart/reload)? Configuring something wrong?

I should also mention that I used vim to create the new file within /etc/sudoers.d, as it seems that the visudo command is only for editing /etc/sudoers.

Best Answer

The sudoers file is fairly flexible, and with that comes complexity. What you want here is to permit access to the command /bin/systemctl, with specific parameters:

%LimitedAdmins ALL=NOPASSWD: /bin/systemctl restart unicorn_my_app.service

Basically you just take the exact command line that you would type, hard-code the path name for safety's sake, and put that into your sudoers file (or /etc/sudoers.d). And note that 'start' and 'restart' are completely different as far as sudo is concerned; permitting one won't grant access to the other.

Best Answer

Related Solutions

Ubuntu – Sudoers file, enable NOPASSWD for user, all commands

Ubuntu – Software Center prompts password of another user

Related Question