Linux – How to allow a normal user to restart a supervisor group without password

debianlinuxsudosupervisord

I am trying to allow a user in the group deployer to restart a supervisor group without a password; this is the content of my /etc/sudoers.d/deploy:

%deployer ALL=(ALL:ALL) NOPASSWD:/usr/sbin/service nginx stop,/usr/sbin/service nginx start,/usr/bin/supervisorctl stop gname\:*,/usr/bin/supervisorctl start gname\:*

This is suppose to allow a user in the group deployer to restart nginx and the supervisor group gname. It works for nginx, but not for supervisor.

I have tried multiple combinations:

/usr/bin/supervisorctl stop gname,/usr/bin/supervisorctl start gname
/usr/bin/supervisorctl stop gname*,/usr/bin/supervisorctl start gname*
/usr/bin/supervisorctl stop gname\:,/usr/bin/supervisorctl start gname\:
/usr/bin/supervisorctl stop gname\:\*,/usr/bin/supervisorctl start gname\:\*

But I can not make it work… Why doesn't this work?

Debian GNU/Linux 8
Linux version 4.5.5-x86_64
Supervisor version 3.0

Best Answer

This looks like it may be due to the spaces in the commands you are allowing e.g. supervisorctl stop gname etc.

While I am unable to test at the minute, first I would try escaping the spaces e.g.

%deployer ALL=(ALL:ALL) NOPASSWD:/usr/sbin/service\ nginx\ stop,/usr/sbin/service\ nginx\ start,/usr/bin/supervisorctl\ stop\ gname\:*,/usr/bin/supervisorctl\ start\ gname\:*

If that fails you could put the commands into a script called supercontrol.sh with different cmd options for the different commands and specify NOPASSWD on just that script.

%deployer ALL=(ALL:ALL) NOPASSWD:/path/to/supercontrol.sh

Hope this helps.

Related Solutions

Linux – How to run a server on port 80 as a normal user on Linux

Short answer: you can't. Ports below 1024 can be opened only by root. As per comment - well, you can, using CAP_NET_BIND_SERVICE, but that approach, applied to java bin will make any java program to be run with this setting, which is undesirable, if not a security risk.

The long answer: you can redirect connections on port 80 to some other port you can open as normal user.

Run as root:

# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

As loopback devices (like localhost) do not use the prerouting rules, if you need to use localhost, etc., add this rule as well (thanks @Francesco):

# iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 80 -j REDIRECT --to-ports 8080

NOTE: The above solution is not well suited for multi-user systems, as any user can open port 8080 (or any other high port you decide to use), thus intercepting the traffic. (Credits to CesarB).

EDIT: as per comment question - to delete the above rule:

# iptables -t nat --line-numbers -n -L

This will output something like:

Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination         
1    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8080 redir ports 8088
2    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 redir ports 8080

The rule you are interested in is nr. 2, so to delete it:

# iptables -t nat -D PREROUTING 2

Linux – Allow all users of a group to start and stop zope using supervisorctl

Take a look at unix-http-server section. Change your configuration file as belows:

[unix_http_server]
file=/tmp/supervisor.sock   ; (the path to the socket file)
chmod=0770                  ; sockef file mode (default 0700)
chown=zope:zoperun          ; socket file uid:gid owner
;username=user              ; (default is no username (open server))
;password=123               ; (default is no password (open server))

This make the socket file can be read, write by users in zoperun group:

ll /tmp/supervisor.sock 
srwxrwx--- 1 zope zoperun 0 Sep 30 16:54 /tmp/supervisor.sock

Finally, add all users you want to allow start/stop Zope instance into zoperun group and testing with normal user, you will see something like this:

$ supervisorctl status
foo                              STARTING

Best Answer

Related Solutions

Linux – How to run a server on port 80 as a normal user on Linux

Linux – Allow all users of a group to start and stop zope using supervisorctl

Related Topic