sudo user is not allowed to execute systemctl
Debugging sudo issues:
- Run "sudo -l" as the user concerned to show which rights are assigned to that user.
- Ensure that those rights correspond to the commands you wish to allow: commands allowed in your /etc/sudoers and /etc/sudoers.d/* configurations that don't include arguments will be allowed to run with any argument; commands allowed that do include arguments in their specification will only work with those exact arguments, nothing more and nothing less.
- In case group-based rights are missing, check with "id <username>" to get a listing of all groups a user belongs to.
- If include files from /etc/sudoers.d/ don't get loaded:
  - To include those snippets, the main /etc/sudoers configuration file needs to be configured to load those additional configuration sections with an "#includedir /etc/sudoers.d" directive. The leading pound # is not a comment but part of the directive.
  - The files in /etc/sudoers.d/ should not have names that end in "~" or contain a "." character.
  - The files in /etc/sudoers.d/ should be mode 0440 and owned by root:root.
Author: Mark Visser
Updated on September 18, 2022

Comments
- Mark Visser (over 1 year):
I'm trying to allow a user to use sudo to manage a custom systemctl service, this however seems to fail and I can't figure out why.

[root@testvm sudoers.d]# ll
total 16
-r--r-----. 1 root root 334 Oct  9 15:42 20_appgroup
-r--r-----. 1 root root 104 Sep 17 11:24 98_admins

The 'appgroup' contains this:

[root@testvm sudoers.d]# cat 20_appgroup
%appgroup ALL= /usr/bin/systemctl restart test.service, /usr/bin/systemctl start test.service, /usr/bin/systemctl stop test.service, /usr/bin/systemctl status test.service

I have double-checked that the user is a member of the appgroup; however, when this user runs "sudo systemctl start test.service" this results in an error saying:

Sorry, user tester is not allowed to execute '/usr/bin/systemctl start test' as root on testvm.

Any thoughts on what could be the issue?
- match (over 5 years): Your sudo config says 'test.service' but you're starting 'springboot' - is that a typo or a bug?
- Tommiie (over 5 years): That is probably the reason why it's not working for him.
- dortegaoh (over 5 years): Additional things to check: is sudo configured to include files from sudoers.d? Is the user actually in that group (run "id" as the user)?
- Michael Hampton (over 5 years): Your sudo config says "/usr/bin/systemctl start test.service" but your user ran "sudo /usr/bin/systemctl start test".
- Michael Hampton (over 5 years): Also, see here for a way to allow the user to manage a single service without sudo by configuring PolicyKit.
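The two things the thread turns on, the exact-argument rule that the answer describes and that the comments apply to the question's rule, and the drop-in hygiene checks (includedir directive, file names, mode and owner), can be exercised offline. The script below is an added example, not code from the answer, the question, or the sudo project. sudoers_cmd_allowed is a deliberately simplified model of how sudo compares a command spec with the command a user typed (real sudo also handles wildcards, "" for "no arguments", negation and digests, so sudo -l stays the authoritative check); check_sudoers_dropins is a lint pass over a sudoers.d directory and accepts "@includedir" as well as "#includedir" because newer sudo releases accept both spellings. Both function names, and the temporary sudoers tree built at the end, are constructed for this example; the rule fed to the matcher is the one from the question.

```shell
#!/bin/sh
# Added example: a simplified model of sudo's command-spec matching and a lint
# pass over a sudoers.d directory.  Not sudo's own code; see the lead-in above.

# sudoers_cmd_allowed SPEC_LIST REQUEST
#   SPEC_LIST: the comma-separated command list after "ALL=" in a sudoers rule
#   REQUEST:   the command line the user tried, with the full path to the binary
#   Returns 0 when some entry matches the request, 1 otherwise.
sudoers_cmd_allowed() {
    spec_list=$1
    request=$2
    request_cmd=${request%% *}            # binary path only (first word)
    old_ifs=$IFS
    IFS=','
    for entry in $spec_list; do
        # drop the whitespace left around each comma-separated entry
        entry=$(printf '%s' "$entry" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        if [ -z "$entry" ]; then continue; fi
        case $entry in
            *' '*)
                # entry lists arguments: the request must match it exactly
                if [ "$request" = "$entry" ]; then IFS=$old_ifs; return 0; fi
                ;;
            *)
                # bare command: any arguments (or none) are accepted
                if [ "$request_cmd" = "$entry" ]; then IFS=$old_ifs; return 0; fi
                ;;
        esac
    done
    IFS=$old_ifs
    return 1
}

# check_sudoers_dropins DIR MAIN_SUDOERS [OWNER:GROUP]
#   Prints one line per problem and returns the number of problems (0 = clean).
#   OWNER:GROUP defaults to root:root; override it only for files you created
#   yourself in a test.  Needs GNU stat (-c).
check_sudoers_dropins() {
    dir=$1
    main=$2
    want_owner=${3:-root:root}
    problems=0
    # the directive is "#includedir DIR" (or "@includedir DIR" on newer sudo)
    if ! grep -Eq "^[#@]includedir[[:space:]]+$dir/?[[:space:]]*$" "$main"; then
        echo "$main: no includedir directive for $dir (the leading # is part of it)"
        problems=$((problems + 1))
    fi
    for f in "$dir"/*; do
        [ -e "$f" ] || continue           # empty directory
        name=${f##*/}
        case $name in
            *~|*.*)
                echo "$name: skipped by sudo (name ends in ~ or contains .)"
                problems=$((problems + 1))
                ;;
        esac
        mode=$(stat -c '%a' "$f")
        if [ "$mode" != "440" ]; then
            echo "$name: mode $mode, expected 0440"
            problems=$((problems + 1))
        fi
        owner=$(stat -c '%U:%G' "$f")
        if [ "$owner" != "$want_owner" ]; then
            echo "$name: owned by $owner, expected $want_owner"
            problems=$((problems + 1))
        fi
    done
    return $problems
}

# --- demonstration on constructed data -------------------------------------
# The rule from the question, tried against both command lines seen in it.
spec='/usr/bin/systemctl restart test.service, /usr/bin/systemctl start test.service, /usr/bin/systemctl stop test.service, /usr/bin/systemctl status test.service'
for req in '/usr/bin/systemctl start test.service' '/usr/bin/systemctl start test'; do
    if sudoers_cmd_allowed "$spec" "$req"; then
        echo "allowed: $req"
    else
        echo "denied:  $req  (no entry matches these exact arguments)"
    fi
done

# A throwaway sudoers tree with three deliberate mistakes: no includedir line,
# a drop-in whose name contains ".", and a drop-in that is mode 0644.
demo=$(mktemp -d)
mkdir "$demo/sudoers.d"
printf 'Defaults env_reset\n' > "$demo/sudoers"
printf '%%appgroup ALL= /usr/bin/systemctl status test.service\n' > "$demo/sudoers.d/20_appgroup"
cp "$demo/sudoers.d/20_appgroup" "$demo/sudoers.d/20_appgroup.bak"
cp "$demo/sudoers.d/20_appgroup" "$demo/sudoers.d/30_loose"
chmod 0440 "$demo/sudoers.d/20_appgroup" "$demo/sudoers.d/20_appgroup.bak"
chmod 0644 "$demo/sudoers.d/30_loose"
if check_sudoers_dropins "$demo/sudoers.d" "$demo/sudoers" "$(id -un):$(id -gn)"; then
    echo "drop-ins look sane"
fi
rm -rf "$demo"
```

On a real host, run check_sudoers_dropins /etc/sudoers.d /etc/sudoers as root (the files are mode 0440, so an unprivileged user cannot read them) and compare its findings with the output of sudo -l for the affected user; the matcher is only a way to reason about why a rule with arguments does not cover a shorter or longer command line.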