View Full Version : [ubuntu] Start/stop upstart jobs without sudo?
April 11th, 2012, 08:39 AM
I've got an upstart script called /etc/init/app.conf that looks like this:
description "app server"
start on started mountall
stop on shutdown
# automatically respawn:
respawn limit 99 5
exec ./app >> /var/log/app.log 2>&1
exec /root/bin/hoptoad.sh "app has started"
Currently I have to use sudo to start and stop it, e.g. "sudo start app" or "sudo stop app" and whatnot.
Is it possible to enable select users or members of a specific group to start/stop jobs without sudo? I haven't yet figured out how to do that.
April 11th, 2012, 09:49 AM
It's possible to allow a specific group to skip the password for certain programs.
%adm ALL=(ALL) NOPASSWD: /usr/bin/apt-get clean, /usr/bin/apt-get update, /usr/bin/apt-get upgrade, /usr/bin/apt-get dist-upgrade, /usr/bin/apt-get autoremove
See the manual page for sudoers (http://manpages.ubuntu.com/manpages/oneiric/en/man5/sudoers.5.html) for the picky details.
April 11th, 2012, 10:19 AM
Does that require those users to still have sudo? I'm hoping to grant users access to starting and stopping this service without granting them root privileges.
April 11th, 2012, 10:26 AM
It allows root privilege, of the group 'adm', only for for running the programs listed and only with the parameters listed. You could do it like this, assuming 'app' is the name of your startup script:
%adm ALL=(ALL) NOPASSWD: /sbin/start app, /sbin/stop app
That would allow anyone in the group 'adm' to run 'sudo start app' or 'sudo stop app' without a password but it would not allow anything else. 'sudo start ssh' or anything else would be forbidden unless specified elsewhere in /etc/sudoers
April 11th, 2012, 01:36 PM
To answer your question directly, I don't think ordinary users can run udev scripts individually -- an example of what you would want to do would be like individual users running their own cron daemon script. Lars is suggesting you add yourself to a group that doesn't need a root password to run a specific command. Its a workaround.
April 16th, 2012, 12:56 AM
Thanks everyone for your help!
Lars, I used your sudoers NOPASSWD line and created a group for the app as you suggested. Works like a charm! :)
Thanks again everyone.
Powered by vBulletin® Version 4.2.0 Copyright © 2013 vBulletin Solutions, Inc. All rights reserved.