It is sometimes useful to allow non-admin users to
execute commands that normally require the use of
sudo, for example to reload nginx or to run a
systemctl command. It is especially useful for CI/CD.
This is easily doable with
Start by adding a new sudoer file with
sudo visudo -f /etc/sudoers.d/<some-meaningful-name>
Note that the filename cannot contain dots or tildes.
Adding your file under
/etc/sudoers.d/ ensures no bad surprises arise
when your distribution changes the
/etc/sudoers file during system upgrades.
All files in
/etc/sudoers.d/ are loaded by the last line of
(which is not a comment btw):
Let's say you want the user web to be able to reload the nginx config:
Cmnd_Alias RELOADNGINX = /bin/systemctl reload nginx
web ALL=(ALL) NOPASSWD: RELOADNGINX
The same can be done for a group by prefixing the group
name with a
%, for example:
%webgroup ALL=(ALL) NOPASSWD: RELOADNGINX
Multiple commands can also be added by separating them with commas; here user web would be able to stop and start nginx:
Cmnd_Alias RESTART = /bin/systemctl stop nginx,/bin/systemctl start nginx
To check that what has been added is valid, run
sudo visudo --check.
Once saved and written, user web will be able to execute
sudo systemctl reload nginx without any password.
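Before installing a drop-in like the ones above, it is worth confirming that each alias grants only an exact command line, because sudo accepts any arguments when a sudoers command lists none. The following sh script is an added example, not code from the original post; the function names and the ANYUNIT alias are constructed for illustration, and it assumes one Cmnd_Alias per line.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes one Cmnd_Alias per line,
# space-separated words, no backslash continuations or escaped commas.

# The post's naming rule for /etc/sudoers.d/: no dots or tildes in the file name.
valid_dropin_name() {
    case "${1##*/}" in
        ''|*.*|*"~"*) return 1 ;;
    esac
    return 0
}

# Reads sudoers text on stdin and prints one finding per Cmnd_Alias entry that
# grants more than a single exact command line.
lint_cmnd_aliases() {
    while IFS= read -r line; do
        case "$line" in
            Cmnd_Alias*=*) ;;
            *) continue ;;
        esac
        name=${line#Cmnd_Alias}; name=${name%%=*}
        name=${name#"${name%%[! ]*}"}; name=${name%"${name##*[! ]}"}
        cmds=${line#*=},
        while [ -n "$cmds" ]; do
            cmd=${cmds%%,*}; cmds=${cmds#*,}
            cmd=${cmd#"${cmd%%[! ]*}"}; cmd=${cmd%"${cmd##*[! ]}"}
            case "$cmd" in
                '') continue ;;
                /*) ;;
                *) printf '%s\n' "$name: review by hand, not an absolute path: $cmd"; continue ;;
            esac
            case "$cmd" in
                *[*?]*) printf '%s\n' "$name: wildcard widens the rule: $cmd" ;;
                *" "*) ;;   # path plus fixed arguments: only this command line matches
                *) printf '%s\n' "$name: no arguments pinned, any are allowed: $cmd" ;;
            esac
        done
    done
    return 0
}

# Constructed sample: the post's two aliases plus a deliberately broad ANYUNIT.
sample_dropin() {
    cat <<'EOF'
Cmnd_Alias RELOADNGINX = /bin/systemctl reload nginx
Cmnd_Alias RESTART = /bin/systemctl stop nginx,/bin/systemctl start nginx
Cmnd_Alias ANYUNIT = /bin/systemctl, /bin/systemctl restart *
EOF
}

sample_dropin | lint_cmnd_aliases
```

Only the two ANYUNIT entries are reported; the aliases from the post pin every argument and produce no findings.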
For more on visudo, see man visudo and the following blog posts: