8

I have a Minecraft server set up on my home server, and I want to allow any of my friends to be able to ssh in and start the server themselves. However, I don't necessarily want to give them sudo access.

Is there a way I can mark a particular service as being able to be started or stopped by anyone, or by members of a particular group?

Ryan Stull
  • At the moment, not a particular service (see related http://askubuntu.com/q/875522/158442 for the problem). It's all-or-nothing. – muru Jan 31 '17 at 06:48

1 Answer

8

Absolutely. While sudo is associated with running any command as root, it's really a flexible system that allows fine-grained control of who has access to run what specific commands.

For example, you can create a group called minecraftstarters and add all your friends to it. Then you can define a sudo rule which allows anyone in the minecraftstarters group to start or restart Minecraft, but not be able to use sudo for anything else.

Then in /etc/sudoers.d/minecraft, you would add syntax like this:

Cmnd_Alias MINECRAFT_CMDS = /bin/systemctl start minecraft, /bin/systemctl restart minecraft
%minecraftstarters ALL=(ALL) NOPASSWD: MINECRAFT_CMDS

Now you've defined some commands that the minecraftstarters group can run with sudo (and without requiring an additional password prompt).

Tip: Use visudo -f /etc/sudoers.d/minecraft to edit the file. It will check the syntax before it saves it, avoiding the unfortunate state where you break your sudo configuration, so sudo doesn't work at all.

Mark Stosberg
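An added example (not part of the original answer): a shell script that installs the drop-in described above only after `visudo` has parsed it, so a typo cannot break sudo. It assumes the answer's group, unit and file names; the function names and the `--apply` flag are hypothetical, and it uses `(root)` where the answer has `(ALL)` so the commands can only be run as root.

```shell
#!/bin/sh
# Added example: install the sudoers drop-in from the answer, validated first.
set -eu

GROUP="minecraftstarters"          # group name from the answer
UNIT="minecraft"                   # systemd unit name from the answer
DROPIN="/etc/sudoers.d/minecraft"  # drop-in path from the answer

# Reject names that could smuggle extra sudoers syntax (spaces, commas, wildcards).
valid_name() {
  case "$1" in
    ''|*[!A-Za-z0-9_.@-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Print the drop-in for GROUP ($1) and UNIT ($2); only start and restart are granted.
render_rule() {
  printf 'Cmnd_Alias MINECRAFT_CMDS = /bin/systemctl start %s, /bin/systemctl restart %s\n' "$2" "$2"
  printf '%%%s ALL=(root) NOPASSWD: MINECRAFT_CMDS\n' "$1"
}

# Write the rule to a temp file, syntax-check it, then install it read-only.
# Usage: install_rule GROUP UNIT DEST   (must run as root)
install_rule() {
  valid_name "$1" && valid_name "$2" || { echo "bad group or unit name" >&2; return 1; }
  tmp=$(mktemp)
  render_rule "$1" "$2" > "$tmp"
  # Parse-check the candidate before it can affect the live sudo configuration.
  if ! visudo -cf "$tmp" >/dev/null; then rm -f "$tmp"; return 1; fi
  install -o root -g root -m 0440 "$tmp" "$3"
  rm -f "$tmp"
}

# Run as root: ./script --apply friend1 friend2 ...
if [ "${1:-}" = "--apply" ]; then
  shift
  groupadd -f "$GROUP"
  install_rule "$GROUP" "$UNIT" "$DROPIN"
  for friend in "$@"; do
    usermod -aG "$GROUP" "$friend"
    # Show exactly what sudo now permits for this account.
    sudo -l -U "$friend"
  done
fi
```

Because the rule lists arguments, sudo matches them exactly: `sudo systemctl start minecraft` is permitted, while `sudo systemctl start minecraft.service` or `sudo systemctl stop minecraft` is refused.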