
I have got my webserver application starting on boot using upstart. This is the upstart script:

# web app node upstart file at /etc/init/webapp.conf

description "web application"

# start once the mongodb job has reached its "started" state,
# stop on halt (0) and reboot (6)
start on started mongodb
stop on runlevel [06]

# restart the job if it dies, but give up after 10 restarts in 100 seconds
respawn
respawn limit 10 100

env NODE_ENV=production

# raise the open-file limit for the job's main process (soft hard).
# A `ulimit -n` inside a pre-start script only affects that script's
# own shell, so the upstart `limit` stanza is used instead.
limit nofile 2048 2048

# run the app as mainuser; start-stop-daemon drops privileges (-c/--chuid)
# and execs `make -C /home/mainuser/app start-prod`
exec start-stop-daemon --start -c mainuser --exec /usr/bin/make -- -C /home/mainuser/app start-prod

This works flawlessly on Ubuntu server 10.04 LTS and I'm very happy about it.

However, I have a deployment shell script which logs in using SSH as mainuser (this is not a sudoer) and will then update the working directory to the latest deployment version.

The issue here is that the service needs to be restarted so that the application loads the new source files. However, mainuser gets a...

mainuser@Saturn101:~$ stop webapp
-bash: stop: command not found

...when trying to stop it. I have to run sudo stop webapp, but this user cannot do this as he is not a sudoer. For security reasons I don't want him to be a sudoer either, plus I do not want to insert the sudo password.

So how do I allow mainuser to run stop webapp and start webapp?

Tom
  • What security issues are you worried about by adding the user into sudoers? You can write a rule that allows the user only a specific command and no more, also you can include a nopasswd option to keep away the password prompt. As for the specific error you're getting, that is because start/stop are in /sbin, which usually isn't part of normal users' path. So you can do "/sbin/stop", or add sbin to the path. This may work as long as there are no other items in the start/stop script that require root. – Derek Pressnall May 19 '12 at 18:13
  • @DerekPressnall, thanks, but when I run `/sbin/stop webapp` I get `stop: Unable to connect to system bus: Failed to connect to socket /var/run/dbus/system_bus_socket: No such file or directory`. How would I allow `mainuser` to only execute this command? – Tom May 19 '12 at 18:42
  • The error is a result of this user not having admin rights. – Tom May 19 '12 at 19:03

1 Answer

sudo is very configurable: you can allow this user to execute a limited set of commands without prompting for a password. The following line in /etc/sudoers should do what you want:

mainuser ALL = (root) NOPASSWD: /sbin/start webapp, /sbin/stop webapp
mgorven
  • Excellent, thanks a lot. Did you really learn all this from `man sudoers`? I found it to be quite difficult to parse. – Tom May 19 '12 at 23:06
  • No, I've done this before. It isn't the easiest manpage to decipher :-) – mgorven May 19 '12 at 23:11
  • Fails with `Unable to connect to system bus`. More: [Allow non-sudo group to control Upstart job](http://askubuntu.com/a/230908/48872) – ciastek Apr 09 '15 at 09:42
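Why the answer's rule is safe to hand out, and why a slightly shorter one is not, comes down to how sudo matches the command part of a sudoers entry: a command listed with arguments matches only those exact arguments, a bare command matches any arguments at all, and `""` means "no arguments". The following is an added example, not code from the original post or from the sudo project. It re-implements that matching logic in simplified form (plain user, host and runas names or ALL; no groups, netgroups, wildcards or includes) so the rule from the answer can be exercised offline. It assumes `argv[0]` is already the full path, which is what sudo checks after resolving `stop` to `/sbin/stop` via its secure_path, and that the command is invoked through sudo in the first place (running `/sbin/stop webapp` directly is what produces the "Unable to connect to system bus" error mentioned in the comments).

```python
"""Simplified model of sudoers user-specification matching.

Added example for this page, not the sudo project's own parser. It follows the
rules described in sudoers(5): a command with arguments matches only those
exact arguments, a bare command matches any arguments, "" matches no
arguments, and when several entries match, the last one wins.
"""
import shlex
from dataclasses import dataclass
from typing import Optional, Tuple

# The entry proposed in the accepted answer.
ANSWER_RULE = "mainuser ALL = (root) NOPASSWD: /sbin/start webapp, /sbin/stop webapp"


@dataclass(frozen=True)
class CmndSpec:
    path: str                        # absolute path of the allowed program
    args: Optional[Tuple[str, ...]]  # None: any args; (): no args; else exact

    def matches(self, argv):
        if argv[0] != self.path:
            return False
        if self.args is None:        # bare command: any argument list is accepted
            return True
        return tuple(argv[1:]) == self.args


@dataclass(frozen=True)
class Rule:
    user: str
    host: str
    runas: str
    nopasswd: bool
    cmnds: Tuple[CmndSpec, ...]


def parse_cmnd(text):
    """Parse one command spec such as '/sbin/stop webapp' or '/sbin/stop ""'."""
    tokens = shlex.split(text)       # shlex turns the literal "" into an empty token
    if len(tokens) == 1:
        return CmndSpec(tokens[0], None)
    if tokens[1:] == [""]:
        return CmndSpec(tokens[0], ())
    return CmndSpec(tokens[0], tuple(tokens[1:]))


def parse_rule(line):
    """Parse: user host = [(runas)] [NOPASSWD:|PASSWD:] cmnd [args], cmnd [args], ..."""
    lhs, rhs = line.split("=", 1)
    user, host = lhs.split()
    rhs = rhs.strip()
    runas = "root"                   # sudoers default when no (runas) is given
    if rhs.startswith("("):
        runas, rhs = rhs[1:].split(")", 1)
        rhs = rhs.strip()
    nopasswd = False
    for tag in ("NOPASSWD:", "PASSWD:"):
        if rhs.startswith(tag):
            nopasswd = tag == "NOPASSWD:"
            rhs = rhs[len(tag):].strip()
    cmnds = tuple(parse_cmnd(c) for c in rhs.split(","))
    return Rule(user, host, runas.strip(), nopasswd, cmnds)


def _name_matches(pattern, value):
    return pattern == "ALL" or pattern == value


def decide(rules, user, host, runas, argv):
    """Return "deny", "allow" (password prompt) or "allow-nopasswd".

    Every matching entry is considered and the last one decides, as in sudo.
    """
    verdict = "deny"
    for rule in rules:
        if not (_name_matches(rule.user, user) and _name_matches(rule.host, host)
                and _name_matches(rule.runas, runas)):
            continue
        if any(c.matches(argv) for c in rule.cmnds):
            verdict = "allow-nopasswd" if rule.nopasswd else "allow"
    return verdict


if __name__ == "__main__":
    # Constructed invocations: the two the deploy script needs, and two it must not get.
    rules = [parse_rule(ANSWER_RULE)]
    for argv in (["/sbin/stop", "webapp"], ["/sbin/start", "webapp"],
                 ["/sbin/stop", "mongodb"], ["/sbin/stop"]):
        print(" ".join(argv), "->", decide(rules, "mainuser", "Saturn101", "root", argv))
```

The point to take from running it: with the answer's entry, `sudo /sbin/stop webapp` is permitted without a password, while `sudo /sbin/stop mongodb`, a bare `sudo /sbin/stop`, or any extra trailing argument is refused; a rule written as just `/sbin/stop` would let mainuser stop every upstart job on the host. When putting the real entry in place, keep it in its own file under /etc/sudoers.d, check it with `visudo -c -f <file>` before relying on it, confirm the result with `sudo -l -U mainuser`, and have the deployment script call `sudo -n /sbin/stop webapp` and `sudo -n /sbin/start webapp` so a misconfiguration fails immediately instead of hanging on a password prompt over SSH.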