Non-privileged, non-root, user to start or restart webserver server such as nginx without root or sudo

我在风中等你 2021-02-04 14:16

I'm using capistrano to deploy a rails web app. I want to give the deploy user on the webserver as few privileges as I can. I was able to do everything I need to do as a non-pr

1 answer
  • 2021-02-04 15:03

    The best practice is to use /etc/sudoers.d/myuser

    The /etc/sudoers.d/ folder can contain multiple files that allow users to call stuff using sudo without being root.

    The file usually contains a user and a list of commands that the user can run without having to specify a password. Such as

    sudo service nginx restart
    

    Note that we are running the command using sudo. Without the sudo the sudoers.d/myuser file will never be used.

    An example of such a file is

    myuser ALL=(ALL) NOPASSWD: /usr/sbin/service nginx start,/usr/sbin/service nginx stop,/usr/sbin/service nginx restart
    

    This will allow the myuser user to call all start, stop and restart for the nginx service.

    You could add another line with another service or continue to append them to the comma separated list, for more items to control.

    Also make sure you have run the command below to secure things

    chmod 0440 /etc/sudoers.d/myuser
    

    This is also the way I start and stop services my own created upstart scripts that live in /etc/init. It can be worth checking that out if you want to be able to run your own services easily.

    Instructions:

    In all commands, replace myuser with the name of your user that you want to use to start, restart, and stop nginx without sudo.

    1. Open sudoers file for your user:

      $ sudo visudo -f /etc/sudoers.d/myuser
      
    2. Editor will open. There you paste the following line:

      myuser ALL=(ALL) NOPASSWD: /usr/sbin/service nginx start,/usr/sbin/service nginx stop,/usr/sbin/service nginx restart
      
    3. Save by hitting ctrl+o. It will ask where you want to save, simply press enter to confirm the default. Then exit out of the editor with ctrl+x.
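
An added example, not part of the original answer: a POSIX shell check to run on a drop-in like the one above before relying on it. It checks the 0440 mode from the answer and, as assumptions of this example, also flags file names that sudo's include directory skips (names containing "." or ending in "~") and NOPASSWD commands that are `ALL`, contain wildcards, or are not absolute paths. The function name `audit_dropin` and the scratch file are hypothetical.

```shell
#!/bin/sh
# Added example: audit a sudoers drop-in before installing it.
# audit_dropin FILE prints one finding per line; returns 0 only when clean.
audit_dropin() {
    file=$1 rc=0
    # sudo's include directory skips names that end in "~" or contain a "."
    case ${file##*/} in
        *.*|*~) echo "name: sudo will silently ignore ${file##*/}"; rc=1 ;;
    esac
    # The answer's chmod 0440: readable by owner and group, writable by nobody
    if [ -z "$(find "$file" -prune -perm 0440 -print)" ]; then
        echo "mode: expected 0440"; rc=1
    fi
    while IFS= read -r line; do
        case $line in
            \#*) continue ;;                 # comment line
            *NOPASSWD:*) ;;                  # rule to inspect
            *) continue ;;
        esac
        cmds=${line#*NOPASSWD:}
        set -f; old_ifs=$IFS; IFS=,          # split the command list on commas
        for cmd in $cmds; do
            cmd=${cmd#"${cmd%%[! ]*}"}       # trim leading spaces
            case $cmd in
                ALL|ALL\ *) echo "cmd: passwordless ALL grants full root"; rc=1 ;;
                *[*?]*) echo "cmd: wildcard in '$cmd'"; rc=1 ;;
                /*) ;;                       # absolute path with fixed arguments
                *) echo "cmd: not an absolute path: '$cmd'"; rc=1 ;;
            esac
        done
        IFS=$old_ifs; set +f
    done < "$file"
    return $rc
}

# Constructed sample: the rule from the answer, written to a scratch directory.
demo_dir=$(mktemp -d)
printf '%s\n' 'myuser ALL=(ALL) NOPASSWD: /usr/sbin/service nginx start,/usr/sbin/service nginx stop,/usr/sbin/service nginx restart' > "$demo_dir/myuser"
chmod 0440 "$demo_dir/myuser"
audit_dropin "$demo_dir/myuser" && echo "myuser: no findings"
rm -rf "$demo_dir"
```

This checks policy only; the syntax of the file is still validated by visudo when it is edited as in step 1.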
