Trying to run “service nginx restart” from a non root user

authorizationpolkitservices

I'm pretty new to the deployment world but this is what's going on. I have a new Ubuntu (Ubuntu 16.04.4 LTS) droplet from DigitalOcean. I installed and configured nginx and everything is working smooth. I turn it on and off with: service nginx start/service nginx stop but I need to be able to do this with a different user called pepito.

When I try to run service nginx start with pepito I get:

~# service nginx restart
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ===
Authentication is required to restart 'nginx.service'.
Authenticating as: pepito
Password:

But I'm going to be running this from Capistrano so I don't want to be asked to enter the password, so I added this to visudo like this:

pepito ALL=(ALL) NOPASSWD: /usr/sbin/service nginx*

Tried again and same problem. Keep googling and reading and find out that ==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units === is a message from Polkit so I read a little about it and created the following file in: /etc/polkit-1/localauthority/50-local.d/nginx.pkla

Identity=unix-user:pepito
Action=org.freedesktop.systemd1.manage-units
ResultInactive=yes
ResultActive=yes

Of course it doesn't work when I try to start and stop nginx from pepito. I don't know what else to try!

Best Answer

With the visudo command you edited the file /etc/sudoers, which only applies if you prefix your commands with sudo, in your case sudo service nginx start.

Related Solutions

Linux – Prevent non-root user from formatting a partition

As nc3b already pointed out, this gets controlled by PolicyKit. The policy for disks is located at: /usr/share/polkit-1/actions/org.freedesktop.udisks.policy and can be adjusted.
Open it with root rights and search for the line: <action id="org.freedesktop.udisks.change">, either comment out the whole block: , or set <allow_active> to 'no', save and exit.

Check if it's disabled:

$ pkaction --verbose --action-id org.freedesktop.udisks.change
No action with action id org.freedesktop.udisks.change

Or if you've set no:

...
implicit active:   no

Good, next time you try to format a device as a non-root user, either over the context menu or over 'Disk Utility', an error message will appear an disallow it. This step will still allow the non-root user to read/write the device.

If you still want to allow formating of devices, but with a higher security level, you can force PolicyKit to ask for a password every time.
Open the same file and go to the same section, substitute the 'yes' with 'auth_admin' in allow_active:

<allow_active>auth_admin</allow_active>

Check:

$ pkaction --verbose --action-id org.freedesktop.udisks.change
...
implicit active:   auth_admin

Excellent!

Note: I've only tested this on Ubuntu, but Fedora also uses PolicyKit, so try it with a dummy drive first.

What’s the recommended way to run a service as a non-root user

Depends on the distribution but RHEL-based distros use a Bash function they source from /etc/rc.d/init.d/functions that's called daemon which is itself just a wrapper around the runuser command. From what I can tell in the source files, it's functionally identical to su in most cases, it just doesn't go through PAM (probably to avoid some chicken and egg problems in certain cases).

That's not really going to answer your objections, but it's how services do it. The cleanliness and overall conformity to logic that you're wanting is part of the motivation for things like systemd

Best Answer

Related Solutions

Linux – Prevent non-root user from formatting a partition

What’s the recommended way to run a service as a non-root user

Related Question