71

I want the default user, ubuntu to be able to run a specific service without being prompted for a password.

Specifically systemctl restart unicorn_my_app.service.

Have followed the instructions here to add user ubuntu to a newly created group, LimitedAdmins, which is confirmed with:

$ getent group LimitedAdmins
LimitedAdmins:x:1001:ubuntu

Created a new file, limitedadmins (using sudo vim) in the /etc/sudoers.d directory containing the following text:

%LimitedAdmins ALL=NOPASSWD: /etc/init.d/unicorn_ofn_america restart, /etc/init.d/unicorn_ofn_america start

I have also tried:

%LimitedAdmins ALL=NOPASSWD: /bin/systemctl/unicorn_ofn_america restart, /bin/systemctl/unicorn_ofn_america start

(And /bin/systemd)

Content of /etc/sudoers/ is the default as confirmed with sudo visudo (or sudo cat /etc/sudoers):

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults    env_reset
Defaults    mail_badpass
Defaults    secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

Host alias specification


User alias specification


Cmnd alias specification


User privilege specification


root    ALL=(ALL:ALL) ALL


Members of the admin group may gain root privileges


%admin ALL=(ALL) ALL


Allow members of group sudo to execute any command


%sudo   ALL=(ALL:ALL) ALL


See sudoers(5) for more information on "#include" directives:


#includedir /etc/sudoers.d

(The hash sign in #includedir is not a comment, but part of the #include directive syntax).

However there's still a password prompt following running systemctl restart unicorn_my_app.service

Service is there in the init.d directory:

$ ls -l /etc/init.d | grep unicorn
-rwxr--r-- 1 ubuntu ubuntu 1874 Oct 29 06:47 unicorn_my_app

Tried chmodding 755 on the app, but don't think that should make a difference, since ubuntu owns it anyway.

Even tried rebooting the system with no difference. Am I missing a step, like a restart/reload)? Configuring something wrong?

I should also mention that I used vim to create the new file within /etc/sudoers.d, as it seems that the visudo command is only for editing /etc/sudoers.

UPDATE

Looks like you can edit additional sudo config files with visudo. See below.

MikeiLL
  • 953
  • 1
  • 7
  • 10

2 Answers2

90

The sudoers file is fairly flexible, and with that comes complexity. What you want here is to permit access to the command /bin/systemctl, with specific parameters:

%LimitedAdmins ALL=NOPASSWD: /bin/systemctl restart unicorn_my_app.service

Basically you just take the exact command line that you would type, hard-code the path name for safety's sake, and put that into your sudoers file (or /etc/sudoers.d). And note that 'start' and 'restart' are completely different as far as sudo is concerned; permitting one won't grant access to the other.

rosuav
  • 1,015
7

I too thought visudo only worked on /etc/sudoers but happily, I was mistaken.

visudo can be used to modify existing files in /etc/sudoers.d or create new ones. The -f parameter allows this. If the command is invoked like this:

visudo -f /etc/sudoers.d/permissions_for_subset_of_users

you can use visudo's validation capabilities to allow safe editing of sudoers.

Also, if you are using some kind of CI/CD or configuration management, you can use visudo -cf <name_of_file> to run a validation of the configuration. (our lead sysadmin provided that second piece of knowledge).

Reference: https://www.sudo.ws/man/1.8.13/visudo.man.html

darnold0714
  • 71