I have a systemd.socket named gunicorn.socket which I would like to restart after updating some code on a remote server.

I've followed the steps detailed in Allowing a non-root user to restart a service and systemctl keeps asking for my user password. Here is what I've done trying to run systemctl restart gunicorn.socket with user john:

# added an appadmin group to allow the restart command to john
addgroup appadmin
usermod -a -G appadmin john
visudo

In sudoers:

Cmnd_Alias MYAPP_CMNDS = /bin/systemctl start gunicorn.socket, /bin/systemctl stop gunicorn.socket, /bin/systemctl restart gunicorn.socket
%appadmin ALL=(ALL) NOPASSWD: MYAPP_CMNDS

Then sudo systemctl restart gunicorn.socket works fine while being on the server, but when I try it remotely I get:

ssh example.com "sudo systemctl restart gunicorn.socket"
Failed to restart gunicorn.socket: Interactive authentication required.
See system logs and 'systemctl status gunicorn.socket' for details.

Any ideas? I'm using Ubuntu 17.04.

Update: adding full content of /etc/sudoers:

Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

# Cmnd alias specification
Cmnd_Alias MYAPP_CMNDS = /bin/systemctl start gunicorn.socket, /bin/systemctl stop gunicorn.socket, /bin/systemctl restart gunicorn.socket
%appadmin ALL=(ALL) NOPASSWD: MYAPP_CMNDS

# User privilege specification
root    ALL=(ALL:ALL) ALL
john        ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL
marcanuy

2 Answers

You might want to move the block:

# Cmnd alias specification
Cmnd_Alias MYAPP_CMNDS = /bin/systemctl start gunicorn.socket, /bin/systemctl stop gunicorn.socket, /bin/systemctl restart gunicorn.socket
%appadmin ALL=(ALL) NOPASSWD: MYAPP_CMNDS

to the end of the file. The order of permission blocks in /etc/sudoers is not trivial. From the sudoers man page, thanks to @enzotib:

When multiple entries match for a user, they are applied in order.
Where there are multiple matches, the last match is used (which is not
necessarily the most specific match).
Kurankat
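
The last-match rule quoted in the answer above, applied to the sudoers file from the question, as an added example that is not part of the original post. It is a simplified model rather than sudo's own parser, and it assumes john's only relevant group is appadmin; the names ORIGINAL, REORDERED, last_match and needs_password are made up for illustration.

```python
# Simplified model of sudoers "last match wins"; not sudo's real parser.
# Ignores host and runas fields, Defaults, and wildcard/argument matching.

CMNDS = [  # the MYAPP_CMNDS alias from the question
    "/bin/systemctl start gunicorn.socket",
    "/bin/systemctl stop gunicorn.socket",
    "/bin/systemctl restart gunicorn.socket",
]

# (who, commands, nopasswd) in the order they appear in the question's file
ORIGINAL = [
    ("%appadmin", CMNDS, True),
    ("root", "ALL", False),
    ("john", "ALL", False),
    ("%admin", "ALL", False),
    ("%sudo", "ALL", False),
]
# Same rules with the NOPASSWD block moved to the end, as the answer suggests
REORDERED = ORIGINAL[1:] + ORIGINAL[:1]


def last_match(rules, user, groups, command):
    """Return (who, nopasswd) of the last matching rule, or None."""
    winner = None
    for who, commands, nopasswd in rules:
        who_ok = who == user or (who.startswith("%") and who[1:] in groups)
        cmd_ok = commands == "ALL" or command in commands
        if who_ok and cmd_ok:
            winner = (who, nopasswd)  # a later match replaces an earlier one
    return winner


def needs_password(rules, user, groups, command):
    """True if the winning rule lacks NOPASSWD; raise if nothing matches."""
    match = last_match(rules, user, groups, command)
    if match is None:
        raise PermissionError(f"{user} may not run {command!r}")
    return not match[1]


if __name__ == "__main__":
    cmd = "/bin/systemctl restart gunicorn.socket"
    groups = {"appadmin"}  # assumption: john's only relevant group
    for name, rules in (("original", ORIGINAL), ("reordered", REORDERED)):
        who, nopasswd = last_match(rules, "john", groups, cmd)
        print(f"{name}: last match is {who!r}, NOPASSWD={nopasswd}")
```

On a real host, `sudo -l -U john` run as root lists the rules sudo itself resolves for the user.
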

Make sure the 'requiretty' option is not set in /etc/sudoers.

See this question for more information: https://unix.stackexchange.com/questions/79960/how-to-disable-requiretty-for-a-single-command-in-sudoers

unilynx