
Background:

I created an app called myapp with Spring-boot. It consists of a self-executable jar and is compatible with systemd services. Now, I am trying to integrate it with jenkins.

What I want:

I want jenkins to be able to:

  • stop the service.
  • replace the jar.
  • restart the service.

Problem:

Up to now, only sudoers can start/stop services. I don't want jenkins to be a sudoer (it seems messy).

Current structure:

I have a user myapp which has a /home/myapp folder. The generated jar is called myapp and is placed at /home/myapp. The user myapp is the owner of the generated jar:

myapp@myserver:~/backend$ ll
total 53900
drwxrwxr-x 2 myapp myapp     4096 Apr 25 17:09 ./
drwxr-xr-x 6 myapp myapp     4096 Apr 25 17:08 ../
-rw-rw-r-- 1 myapp myapp      511 Apr 20 16:13 application.properties
-rwxr--r-- 1 myapp myapp 55175294 Apr 20 19:06 backend-1.0-SNAPSHOT.jar*
lrwxrwxrwx 1 myapp myapp       24 Apr 20 19:20 myapp -> backend-1.0-SNAPSHOT.jar*
-rw-r--r-- 1 myapp myapp      179 Apr 20 19:26 myapp.service

I placed an SSH key so that jenkins can log in as myapp@myserver.

As myapp is the owner of the jar, I think that there might be an option that allows the user myapp to call systemctl start/stop myapp. Actually, I can call systemctl status myapp but not start/stop (I am asked for the root password).

Any suggestions?

Arnaud Denoyelle
  • I don't see the reason to consider `sudo` messy; it is generally the way you should be implementing something like this. Create a group, assign your jenkins user to it, and using `visudo` provide a limited command set to that group for managing the service – brent Apr 25 '16 at 15:52
  • @brent Is there a way to allow `myapp` to call `sudo systemctl` only for its own service? – Arnaud Denoyelle Apr 25 '16 at 15:53

1 Answer


sudo is the way to go. Create a new group (appadmin for example), put your jenkins user in it, and using visudo add a new entry with a limited list of commands, for example:

Cmnd_Alias MYAPP_CMNDS = /bin/systemctl start myapp, /bin/systemctl stop myapp
%appadmin ALL=(ALL) MYAPP_CMNDS

If you want the appadmin group to be able to operate the service without entering a password first (useful if the user is only authenticated by an SSH key, for example):

Cmnd_Alias MYAPP_CMNDS = /bin/systemctl start myapp, /bin/systemctl stop myapp
%appadmin ALL=(ALL) NOPASSWD: MYAPP_CMNDS
brent
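A worked version of the procedure in brent's answer together with the stop / replace / start sequence the question asks for, added here as an example; it is not code from the question or the answer. It renders the sudoers rules for group appadmin and unit myapp using /bin/systemctl as in the answer, checks them with `visudo -cf` before installing them as a drop-in file, and shows the commands the Jenkins job would run over SSH as myapp. The drop-in path /etc/sudoers.d/myapp, the DEPLOY_USER and DRY_RUN variables, and the `(root)` runas in place of the answer's `(ALL)` are assumptions.

```shell
#!/bin/sh
# Added example; not code from the question or the answer. Renders and
# validates the sudoers drop-in brent describes, then shows the
# stop / replace / start sequence Jenkins would run as user myapp.
# Assumptions: the drop-in path, DEPLOY_USER, the (root) runas and DRY_RUN.
set -eu

SERVICE="${SERVICE:-myapp}"              # systemd unit from the question
GROUP="${GROUP:-appadmin}"               # group name from the answer
SYSTEMCTL="${SYSTEMCTL:-/bin/systemctl}" # path used in the answer's rule
DEPLOY_USER="${DEPLOY_USER:-myapp}"      # account Jenkins logs in as over SSH
DROPIN="/etc/sudoers.d/${SERVICE}"       # assumed drop-in file name

# Print sudoers rules granting one group exactly "start" and "stop" of one
# unit. Every argument is spelled out, so sudo matches only these two command
# lines; nothing else under systemctl (or any other unit) is granted.
render_sudoers() {
  svc="$1" grp="$2" ctl="${3:-/bin/systemctl}"
  alias_name="$(printf '%s' "$svc" | tr 'a-z-' 'A-Z_')_CMNDS"
  printf 'Cmnd_Alias %s = %s start %s, %s stop %s\n' \
    "$alias_name" "$ctl" "$svc" "$ctl" "$svc"
  # (root) rather than the answer's (ALL): the group only ever needs root here.
  printf '%%%s ALL=(root) NOPASSWD: %s\n' "$grp" "$alias_name"
}

# Syntax-check rules read from stdin with visudo before they reach
# /etc/sudoers.d; a broken file there can lock every admin out of sudo.
validate_sudoers() {
  tmp="$(mktemp)"
  cat > "$tmp"
  chmod 0440 "$tmp"
  if ! command -v visudo >/dev/null 2>&1; then
    echo "visudo not found; skipping syntax check" >&2
    rc=0
  elif visudo -cf "$tmp"; then
    rc=0
  else
    rc=1
  fi
  rm -f "$tmp"
  return "$rc"
}

# Root-only: create the group, add the deploy account, install the drop-in.
install_sudoers() {
  render_sudoers "$SERVICE" "$GROUP" "$SYSTEMCTL" | validate_sudoers || return 1
  groupadd -f "$GROUP"                   # -f: succeed if it already exists
  usermod -aG "$GROUP" "$DEPLOY_USER"
  render_sudoers "$SERVICE" "$GROUP" "$SYSTEMCTL" > "$DROPIN"
  chmod 0440 "$DROPIN"
}

# Execute a command, or only print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# What the Jenkins job runs on the server as myapp after copying the new jar
# to a staging path. mv is atomic on the same filesystem, so the "myapp"
# symlink never points at a half-written file. The sudo lines must use the
# exact path from the rule: "sudo systemctl" resolves through PATH and may hit
# /usr/bin/systemctl, which the rule does not list. -n fails instead of
# hanging on a password prompt if the rule is missing.
deploy_jar() {
  staged="$1" target="$2"
  [ -f "$staged" ] || { echo "staged jar $staged not found" >&2; return 1; }
  run sudo -n "$SYSTEMCTL" stop "$SERVICE"
  run chmod 0744 "$staged"               # same mode as the jar in the listing
  run mv -f "$staged" "$target"
  run sudo -n "$SYSTEMCTL" start "$SERVICE"
  run "$SYSTEMCTL" is-active "$SERVICE"  # status needs no sudo, as the question notes
}

case "${1:-}" in
  render)  render_sudoers "$SERVICE" "$GROUP" "$SYSTEMCTL" ;;
  install) [ "$(id -u)" -eq 0 ] || { echo "install needs root" >&2; exit 1; }
           install_sudoers ;;
  check)   sudo -n -l "$SYSTEMCTL" stop "$SERVICE" ;;   # exit 0 only if granted
  deploy)  deploy_jar "$2" "$3" ;;
  *)       ;;                             # no verb: only define the functions
esac
```

Run `sh deploy.sh render` to see the rules, `sudo sh deploy.sh install` once on the server, and `sh deploy.sh check` as myapp to confirm that exactly `/bin/systemctl stop myapp` is granted and nothing broader; `sudo -n -l` with no command lists everything the account may run, which is the quickest way to spot an over-wide rule. The Jenkins job then copies the jar to a staging path and runs `sh deploy.sh deploy /home/myapp/backend/staged.jar /home/myapp/backend/backend-1.0-SNAPSHOT.jar`.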