Let normal user restart service with /etc/sudoers

I have a service (kado-demo.service) that a normal user (kado) should be able to restart without entering any password.

I created /etc/sudoers.d/user_restart and added

kado ALL=NOPASSWD: /bin/systemctl restart kado-demo.service

Permissions:

-r--r-----   1 root root   585 Mar  5 10:47 user_restart

As user k, I now should be able to execute the given command, but this happens:

/bin/systemctl restart kado-demo.service
 ==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ===
 Authentication is required to restart 'kado-demo.service'. 
 Multiple identities can be used for authentication:
  (...)

Which is the same result as before I added the file.

The /etc/sudoers contains

#includedir /etc/sudoers.d

And I even get the same result when I add content of the user_restart file directly to /etc/sudoers.

I'm running out of ideas...

Just curious - how did you know that systemctl falls back to using Polkit? Is that in a doc, or in a configuration file somewhere?

I don't know where it's documented (it probably is documented somewhere), but the prompt in the question is a Polkit prompt: it will generate polkit log messages, and will seamlessly use a GUI prompt if a GUI polkit authentication agent is active (like it usually is on Ubuntu).

Welcome to AskUbuntu! At first glance it would appear that this would allow any user in the sudo group to start or restart a service. I believe the accepted answer is far more accurate. Cheers!

@ElderGeek This allows specifically the user userB to restart the service. It does not reference the sudo group at all.

visudo — edit the sudoers file. See man visudo.