Unable to restart a systemctl service remotely as a non-root user

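I have a systemd.socket named gunicorn.socket on a remote server, and I would like to restart it after updating some code.

I have followed "Allow non-root user to restart service", but systemctl keeps asking me for my user password. Here is what I did to try to run systemctl restart gunicorn.socket as the user john: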

# added an appadmin group to allow the restart command to john
addgroup appadmin
usermod -a -G appadmin john
visudo

sudoers

Cmnd_Alias MYAPP_CMNDS = /bin/systemctl start gunicorn.socket, /bin/systemctl stop gunicorn.socket, /bin/systemctl restart gunicorn.socket
%appadmin ALL=(ALL) NOPASSWD: MYAPP_CMNDS

After that, sudo systemctl restart gunicorn.socket works fine on the server, but when I try it remotely, I get:

ssh example.com "sudo systemctl restart gunicorn.socket"
Failed to restart gunicorn.socket: Interactive authentication required.
See system logs and 'systemctl status gunicorn.socket' for details.

Any ideas? I am using Ubuntu 17.04.

Update: adding the full contents of /etc/sudoers

Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

# Cmnd alias specification
Cmnd_Alias MYAPP_CMNDS = /bin/systemctl start gunicorn.socket, /bin/systemctl stop gunicorn.socket, /bin/systemctl restart gunicorn.socket
%appadmin ALL=(ALL) NOPASSWD: MYAPP_CMNDS

# User privilege specification
root    ALL=(ALL:ALL) ALL
john        ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

Answer 1

Make sure the "requiretty" option is not set in /etc/sudoers.

See this question for more information: https://unix.stackexchange.com/questions/79960/how-to-disable-requiretty-for-a-single-command-in-sudoers

Answer 2

You probably want to move this block:

# Cmnd alias specification
Cmnd_Alias MYAPP_CMNDS = /bin/systemctl start gunicorn.socket, /bin/systemctl stop gunicorn.socket, /bin/systemctl restart gunicorn.socket
%appadmin ALL=(ALL) NOPASSWD: MYAPP_CMNDS

to the end of the file. The order of the permission blocks in /etc/sudoers is not trivial. From the sudoers man page, thanks to @enzotib:

When multiple entries match for a user, they are applied in order.
Where there are multiple matches, the last match is used (which is not
necessarily the most specific match).
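
Added example (not part of the original answers and not sudo's own code): a simplified Python model of the last-match rule quoted above, evaluated over the sudoers entries from the question. It assumes john's only relevant group is appadmin and handles only user and %group entries, Cmnd_Alias, ALL and the NOPASSWD tag.

```python
# Simplified model of the sudoers "last match is used" rule.
# Not a full sudoers parser: no Defaults, host or Runas matching, no wildcards.
ORIGINAL = """\
Cmnd_Alias MYAPP_CMNDS = /bin/systemctl start gunicorn.socket, /bin/systemctl stop gunicorn.socket, /bin/systemctl restart gunicorn.socket
%appadmin ALL=(ALL) NOPASSWD: MYAPP_CMNDS
root    ALL=(ALL:ALL) ALL
john        ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
"""
CMD = "/bin/systemctl restart gunicorn.socket"

def parse(text):
    """Return a list of (who, nopasswd, commands) in file order."""
    aliases, rules = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        if line.startswith("Cmnd_Alias"):
            name, cmds = line[len("Cmnd_Alias"):].split("=", 1)
            aliases[name.strip()] = [c.strip() for c in cmds.split(",")]
            continue
        who, rest = line.split(None, 1)           # "john", "ALL=(ALL:ALL) ALL"
        spec = rest.split(")", 1)[1].strip()      # text after the Runas part
        nopasswd = spec.startswith("NOPASSWD:")
        cmds = spec[len("NOPASSWD:"):].strip() if nopasswd else spec
        rules.append((who, nopasswd, aliases.get(cmds, [cmds])))
    return rules

def decide(rules, user, groups, command):
    """'denied', 'password' or 'nopasswd', taken from the LAST matching entry."""
    result = "denied"
    for who, nopasswd, cmds in rules:
        applies = who == user or (who.startswith("%") and who[1:] in groups)
        if applies and ("ALL" in cmds or command in cmds):
            result = "nopasswd" if nopasswd else "password"
    return result

def move_block_to_end(text):
    """Apply the reordering suggested in Answer 2 to the sample file."""
    lines = text.splitlines()
    block = [l for l in lines if "MYAPP_CMNDS" in l]
    rest = [l for l in lines if "MYAPP_CMNDS" not in l]
    return "\n".join(rest + block) + "\n"

if __name__ == "__main__":
    groups = {"appadmin"}  # assumption: john's other groups are not shown on the page
    for label, text in (("original", ORIGINAL), ("moved", move_block_to_end(ORIGINAL))):
        print(label, "->", decide(parse(text), "john", groups, CMD))
```

In the original order the later `john ALL=(ALL:ALL) ALL` entry is the last match, so the NOPASSWD tag from the %appadmin entry does not apply to john; with the block at the end it does.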
