Allowing a user to run systemctl/systemd services without a password
Solution 1
The sudoers file is fairly flexible, and with that comes complexity. What you want here is to permit access to the command /bin/systemctl, with specific parameters:

    %LimitedAdmins ALL=NOPASSWD: /bin/systemctl restart unicorn_my_app.service

Basically you just take the exact command line that you would type, hard-code the path name for safety's sake, and put that into your sudoers file (or /etc/sudoers.d). And note that 'start' and 'restart' are completely different as far as sudo is concerned; permitting one won't grant access to the other.
Solution 2
I too thought visudo only worked on /etc/sudoers but happily, I was mistaken. visudo can be used to modify existing files in /etc/sudoers.d or create new ones. The -f parameter allows this. If the command is invoked like this:

    visudo -f /etc/sudoers.d/permissions_for_subset_of_users

you can use visudo's validation capabilities to allow safe editing of sudoers.

Also, if you are using some kind of CI/CD or configuration management, you can use visudo -cf <name_of_file> to run a validation of the configuration. (Our lead sysadmin provided that second piece of knowledge.)

Reference: https://www.sudo.ws/man/1.8.13/visudo.man.html
Updated on September 18, 2022

Comments
-
MikeiLL over 1 year

I want the default user, ubuntu, to be able to run a specific service without being prompted for a password. Specifically:

    systemctl restart unicorn_my_app.service

Have followed the instructions here to add user ubuntu to a newly created group, LimitedAdmins, which is confirmed with:

    $ getent group LimitedAdmins
    LimitedAdmins:x:1001:ubuntu

Created a new file, limitedadmins (using sudo vim) in the /etc/sudoers.d directory containing the following text:

    %LimitedAdmins ALL=NOPASSWD: /etc/init.d/unicorn_ofn_america restart, /etc/init.d/unicorn_ofn_america start

I have also tried:

    %LimitedAdmins ALL=NOPASSWD: /bin/systemctl/unicorn_ofn_america restart, /bin/systemctl/unicorn_ofn_america start

(And /bin/systemd.)

Content of /etc/sudoers/ is the default as confirmed with sudo visudo (or sudo cat /etc/sudoers):

    #
    # This file MUST be edited with the 'visudo' command as root.
    #
    # Please consider adding local content in /etc/sudoers.d/ instead of
    # directly modifying this file.
    #
    # See the man page for details on how to write a sudoers file.
    #
    Defaults        env_reset
    Defaults        mail_badpass
    Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

    # Host alias specification

    # User alias specification

    # Cmnd alias specification

    # User privilege specification
    root    ALL=(ALL:ALL) ALL

    # Members of the admin group may gain root privileges
    %admin  ALL=(ALL) ALL

    # Allow members of group sudo to execute any command
    %sudo   ALL=(ALL:ALL) ALL

    # See sudoers(5) for more information on "#include" directives:

    #includedir /etc/sudoers.d

(The hash sign in #includedir is not a comment, but part of the #include directive syntax.)

However there's still a password prompt following running:

    systemctl restart unicorn_my_app.service

Service is there in the init.d directory:

    $ ls -l /etc/init.d | grep unicorn
    -rwxr--r-- 1 ubuntu ubuntu 1874 Oct 29 06:47 unicorn_my_app

Tried chmodding 755 on the app, but don't think that should make a difference, since ubuntu owns it anyway. Even tried rebooting the system with no difference. Am I missing a step, like a restart/reload? Configuring something wrong?

I should also mention that I used vim to create the new file within /etc/sudoers.d, as it seems that the visudo command is only for editing /etc/sudoers.

UPDATE

Looks like you can edit additional sudo config files with visudo. See below.
-
Admin almost 2 years

See also this answer for 3 possible solutions to this problem unix.stackexchange.com/a/606476/13772 (user service, polkit, sudo).
-
MikeiLL over 8 years

Doesn't seem to be working. I can copy /bin/systemctl restart unicorn_my_app.service directly from the /etc/sudoers.d/limitedadmins file and run it in the CLI, and am prompted for a password. Does user ubuntu need to be specified somewhere or does ALL open it up to all users for all domains?
-
rosuav over 7 years

You would run sudo /bin/systemctl restart unicorn_my_app.service and it should then run without a password. (Posting as comment in case PsiOps's answer is separated from this one.)
-
kabirbaidhya over 7 years

@rosuav Is there any way so that we can run it directly like systemctl restart myapp.service without using sudo?
-
rosuav over 7 years

Not really, but you could put the command into a script (complete with the sudo prefix), and then put that script onto $PATH. Or make it a shell alias.
-
guettli over 7 years

Attention: On other distros systemctl is in /usr/bin :-(.
-
mvw over 5 years

This was helpful. Also nice to emphasize the differences between start and restart. Thank you.