I have a systemd.socket named gunicorn.socket which I would like to restart after updating some code on a remote server.
I've followed the steps detailed in "Allowing a non-root user to restart a service" and systemctl keeps asking for my user password. Here is what I've done trying to run systemctl restart gunicorn.socket with user john:
# added an appadmin group to allow the restart command to john
addgroup appadmin
usermod -a -G appadmin john
visudo
In sudoers:
Cmnd_Alias MYAPP_CMNDS = /bin/systemctl start gunicorn.socket, /bin/systemctl stop gunicorn.socket, /bin/systemctl restart gunicorn.socket
%appadmin ALL=(ALL) NOPASSWD: MYAPP_CMNDS
Then sudo systemctl restart gunicorn.socket works fine while being on the server, but when I try it remotely I get:
ssh example.com "sudo systemctl restart gunicorn.socket"
Failed to restart gunicorn.socket: Interactive authentication required.
See system logs and 'systemctl status gunicorn.socket' for details.
Any ideas? I'm using Ubuntu 17.04.
Update: adding full content of /etc/sudoers:
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
# Cmnd alias specification
Cmnd_Alias MYAPP_CMNDS = /bin/systemctl start gunicorn.socket, /bin/systemctl stop gunicorn.socket, /bin/systemctl restart gunicorn.socket
%appadmin ALL=(ALL) NOPASSWD: MYAPP_CMNDS
# User privilege specification
root ALL=(ALL:ALL) ALL
john ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
Make sure the 'requiretty' option is not set in /etc/sudoers.
See this question for more information: https://unix.stackexchange.com/questions/79960/how-to-disable-requiretty-for-a-single-command-in-sudoers
You might want to move the block:
# Cmnd alias specification
Cmnd_Alias MYAPP_CMNDS = /bin/systemctl start gunicorn.socket, /bin/systemctl stop gunicorn.socket, /bin/systemctl restart gunicorn.socket
%appadmin ALL=(ALL) NOPASSWD: MYAPP_CMNDS
to the end of the file. The order of permission blocks in /etc/sudoers is not trivial. From the sudoers man page, thanks to @enzotib:
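An added example, not part of the question or answers above: sudo applies the last matching sudoers entry, so this simplified evaluator (hypothetical helpers `parse` and `last_match`, a reduced grammar, full command paths) runs the question's rules in their original order and with the appadmin block moved to the end. It assumes john's only relevant group is appadmin.

```python
# Constructed input: the rule lines of the question's /etc/sudoers, same order.
SUDOERS = """\
Cmnd_Alias MYAPP_CMNDS = /bin/systemctl start gunicorn.socket, /bin/systemctl stop gunicorn.socket, /bin/systemctl restart gunicorn.socket
%appadmin ALL=(ALL) NOPASSWD: MYAPP_CMNDS
root ALL=(ALL:ALL) ALL
john ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
%sudo ALL=(ALL:ALL) ALL
"""
# Same rules with the appadmin block moved to the end of the file.
_lines = SUDOERS.splitlines()
MOVED = "\n".join(_lines[2:] + _lines[:2])

def parse(text):
    """Return [(who, nopasswd, commands)] in file order (simplified grammar)."""
    aliases, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        if line.startswith("Cmnd_Alias"):
            name, cmds = line[len("Cmnd_Alias"):].split("=", 1)
            aliases[name.strip()] = [c.strip() for c in cmds.split(",")]
            continue
        who, spec = line.split(None, 1)
        spec = spec.split("=", 1)[1].strip()       # drop the host list
        if spec.startswith("("):                   # drop the Runas spec
            spec = spec.split(")", 1)[1].strip()
        nopasswd = spec.startswith("NOPASSWD:")
        if nopasswd:
            spec = spec[len("NOPASSWD:"):]
        cmds = []
        for c in spec.split(","):
            cmds += aliases.get(c.strip(), [c.strip()])
        rules.append((who, nopasswd, cmds))
    return rules

def last_match(text, user, groups, command):
    """Return (who, needs_password) for the last matching rule, else None."""
    result = None
    for who, nopasswd, cmds in parse(text):
        applies = who == user or (who.startswith("%") and who[1:] in groups)
        if applies and ("ALL" in cmds or command in cmds):
            result = (who, not nopasswd)           # later matches overwrite
    return result

CMD = "/bin/systemctl restart gunicorn.socket"
print(last_match(SUDOERS, "john", {"appadmin"}, CMD))  # original order
print(last_match(MOVED, "john", {"appadmin"}, CMD))    # block moved to end
```

In the original order the later `john ALL=(ALL:ALL) ALL` line is the last match and still demands a password; with the block moved, the NOPASSWD entry is the last match for the three listed commands only.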