sudo user is not allowed to execute systemctl

Question

I'm trying to allow a user to use sudo to manage a custom systemctl service, this however seems to fail and I can't figure out why.

[root@testvm sudoers.d]# ll
total 16
-r--r-----. 1 root root 334 Oct  9 15:42 20_appgroup
-r--r-----. 1 root root 104 Sep 17 11:24 98_admins

The 'appgroup' contains this;

[root@testvm sudoers.d]# cat 20_appgroup
%appgroup    ALL= /usr/bin/systemctl restart test.service, 
/usr/bin/systemctl start test.service, /usr/bin/systemctl stop 
test.service, /usr/bin/systemctl status test.service

I have double checked that the user is member of the appgroup, however when this user runs sudo systemctl start test.service this results in an error saying;

Sorry, user tester is not allowed to execute '/usr/bin/systemctl start test' as root on testvm.

Any thought on what could be the issue?

Your sudo config says 'test.service' but you're starting 'springboot' - is that a typo or a bug? — match, Oct 17 '18 at 09:11
Additional things to check: is sudo configured to include files from suders.d? Is the user actually in that group (run `id` as the user)? — Gerald Schneider, Oct 17 '18 at 09:19
Your sudo config says `/usr/bin/systemctl start test.service` but your user ran `sudo /usr/bin/systemctl start test`. — Michael Hampton, Oct 17 '18 at 12:11
Also, see [here](https://serverfault.com/a/841150/126632) for a way to allow the user to manage a single service _without_ sudo by configuring PolicyKit. — Michael Hampton, Oct 17 '18 at 12:14

HBruijn · Accepted Answer · 2018-10-18T09:54:41.923

Debugging sudo issues:

run sudo -l as the user concerned to show which rights are assigned to that user.
ensure that those rights correspond to the commands you wish to allow,
commands allowed in your /etc/sudoers and /etc/sudoers.d/* configurations that don't include arguments will be allowed to run with any argument,
commands allowed that do include arguments in their specification, will only work with those exact arguments, nothing more and nothing less.
In case group based rights are missing, check with id <username> to get a listing of all groups a user belongs to.
If include files from /etc/sudoers.d/ don't get loaded:
- To include those snippets the main /etc/sudoers configuration file need to be configured to load those additional configuration sections with an #includedir /etc/sudoers.d directive.
  The leading pound # is not a comment but part of the directive.
- The files in /etc/sudoers.d/ should not have names that in end in ~ or contain a . character.
- The files in /etc/sudoers.d/ should should be mode 0440 and owned by root:root.

score -1 · Answer 2 · edited Jul 18 '21 at 22:52

-1

This is how it worked for me

tomcat        ALL=(ALL)       NOPASSWD:/bin/systemctl stop tomcat

edited Jul 18 '21 at 22:52

Michael Hampton

237,123
42
477
940

answered Jul 18 '21 at 05:08

user1672382

1

sudo user is not allowed to execute systemctl

2 Answers2