add missing "," in Cmnd_List of Cmnd_Alias
PerlDuck

First of all, you don't put a unit file in the directory /etc/systemd/system/multi-user.target.wants. This directory is maintained by systemd and the systemctl commands. Put the unit file in /etc/systemd/system instead and then enable it with

sudo systemctl enable publicapi.service

This will create a symlink below multi-user.target.wants (or wherever, systemctl knows better) to honor the lines

[Install]
WantedBy=multi-user.target

in the unit.

Next, create a sudoers file below /etc/sudoers.d:

sudo visudo -f /etc/sudoers.d/techops

with the following content:

Cmnd_Alias HANDLE_PUBLICAPI = \
    /bin/systemctl start   publicapi.service, \
    /bin/systemctl stop    publicapi.service, \
    /bin/systemctl restart publicapi.service

techops ALL = (root) NOPASSWD: HANDLE_PUBLICAPI

Do not use a regular editor (e.g. sudo vim /etc/sudoers.d/techops) to edit that file, because if you put any syntax errors in it you won't be able to run sudo again. visudo, on the other hand, checks the syntax of the file before leaving the editor.

Now the user techops can run

sudo systemctl start publicapi.service

and the other two without supplying a password. Note that you must type the command and parameters exactly as given in the sudoers file (except for the /bin/systemctl part which can be shortened to just systemctl).

For instance, sudo /bin/systemctl start publicapi (without .service) would ask for a password.

PerlDuck

First of all, you don't put a unit file in the directory /etc/systemd/system/multi-user.target.wants. This directory is maintained by systemd and the systemctl commands. Put the unit file in /etc/systemd/system instead and then enable it with

sudo systemctl enable publicapi.service

This will create a symlink below multi-user.target.wants (or wherever, systemctl knows better) to honor the lines

[Install]
WantedBy=multi-user.target

in the unit.

Next, create a sudoers file below /etc/sudoers.d:

sudo visudo -f /etc/sudoers.d/techops

with the following content:

Cmnd_Alias HANDLE_PUBLICAPI = \
    /bin/systemctl start   publicapi.service \
    /bin/systemctl stop    publicapi.service \
    /bin/systemctl restart publicapi.service

techops ALL = (root) NOPASSWD: HANDLE_PUBLICAPI

Do not use a regular editor (e.g. sudo vim /etc/sudoers.d/techops) to edit that file, because if you put any syntax errors in it you won't be able to run sudo again. visudo, on the other hand, checks the syntax of the file before leaving the editor.

Now the user techops can run

sudo systemctl start publicapi.service

and the other two without supplying a password. Note that you must type the command and parameters exactly as given in the sudoers file (except for the /bin/systemctl part which can be shortened to just systemctl).

For instance, sudo /bin/systemctl start publicapi (without .service) would ask for a password.
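The edit summary concerns the commas that separate the entries of a Cmnd_Alias: without them, the continued lines are read as further arguments of the first command rather than as separate commands. The following lint is an added example, not part of the original answer; the function names `lint_cmnd_alias` and `write_samples` are hypothetical, and the two sample files are constructed from the two revisions of the alias shown on this page.

```shell
#!/bin/sh
# lint_cmnd_alias FILE
# Reports every continued line of a Cmnd_Alias that is followed by another
# command path but does not end in "," (or "=" on the alias line itself).
# Exit status: 0 = clean, 1 = at least one finding.
lint_cmnd_alias() {
    awk '
        # The previous line was continued without a separator, and this
        # line starts a new absolute path: it will not be a separate entry.
        pending && /^[ \t]*\// {
            printf "%s:%d: missing \",\" before line continuation\n", FILENAME, prev_nr
            bad = 1
        }
        { pending = 0 }
        /^[ \t]*Cmnd_Alias[ \t]/ { in_alias = 1 }
        in_alias {
            line = $0
            if (line ~ /\\[ \t]*$/) {              # line is continued
                sub(/[ \t]*\\[ \t]*$/, "", line)   # drop the backslash
                if (line !~ /[,=]$/) { pending = 1; prev_nr = NR }
            } else {
                in_alias = 0                       # alias definition ends here
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed samples: rev1 lacks the commas, rev2 has them.
write_samples() {
    cat > "$1/rev1" <<'EOF'
Cmnd_Alias HANDLE_PUBLICAPI = \
    /bin/systemctl start   publicapi.service \
    /bin/systemctl stop    publicapi.service \
    /bin/systemctl restart publicapi.service

techops ALL = (root) NOPASSWD: HANDLE_PUBLICAPI
EOF
    sed 's/\.service \\$/.service, \\/' "$1/rev1" > "$1/rev2"
}

dir=$(mktemp -d)
write_samples "$dir"
lint_cmnd_alias "$dir/rev1" || echo "rev1: fix before installing"
lint_cmnd_alias "$dir/rev2" && echo "rev2: ok"
```

After installing the corrected file, `sudo -l -U techops` lists the commands the rule actually grants, which should show three separate systemctl entries.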