24

Background: I have a development machine with a LAMP setup. Several developers access the machine from time to time. Every time they make a change in a configuration file, they need to restart the Apache server using sudo service apache restart or sudo /etc/init.d/apache2 restart.

The Question:

What I want now is that every developer who accesses the machine does not have sudo access to everything. Rather, he/she should only be able to run the service command using sudo and nothing else. Is it possible to do that?

Ankit

1 Answer

38

Yes.

Make a new group, web (call it what you wish)

sudo addgroup web

Add your developer(s) to the web group (use their login name).

sudo adduser your_developer_user web

Then run sudo visudo -f /etc/sudoers.d/somefile (use a meaningful name instead of somefile).

Add in a line (use the full path of the command):

%web ALL=(ALL) /usr/bin/service apache2 *

The developers can then run

sudo service apache2 restart

using their login password.

Do NOT add your admin user to the web group.

See man sudoers for additional information

muru
Panther
  • 1
    @Ankit: that way the users of web group can start/stop any service, and this is not what you want, I think. The solution should be to put the exact command (also with parameters) in /etc/sudoers. – enzotib Dec 27 '11 at 10:23
  • @enzotib Can I do that too? I mean, so the new command would be /usr/bin/service apache2, is it? – Ankit Dec 27 '11 at 12:08
  • 3
    @Ankit: /usr/bin/service apache2 * – enzotib Dec 27 '11 at 13:10
  • This should also probably be /usr/sbin/service – Erfan May 26 '16 at 13:19
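
An added example, not part of the original answer or its comments: a small Python check that reads a sudoers drop-in and flags command specs broader than one exact command line, comparing the wildcard rule from the answer with the exact-command form the first comment recommends. The SAMPLE contents, the audit() helper and its finding labels are constructed for illustration; it relies on sudoers allowing any arguments when a command is listed without them.

```python
import re

# Constructed sample drop-in: line 2 is the rule from the answer, line 3 lists
# exact commands as the first comment suggests, line 4 omits arguments entirely.
SAMPLE = """\
# /etc/sudoers.d/web (constructed sample, not a real file)
%web ALL=(ALL) /usr/bin/service apache2 *
%web ALL=(root) /usr/sbin/service apache2 restart, /usr/sbin/service apache2 reload
%web ALL=(ALL) /usr/sbin/service
"""

# user-or-group  host = (runas) command[, command...]
RULE = re.compile(r"^(\S+)\s+([^\s=]+)\s*=\s*(?:\([^)]*\)\s*)?(.+)$")
WILDCARD = re.compile(r"(?<!\\)[*?\[]")   # unescaped glob characters
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")   # e.g. NOPASSWD:

def audit(text):
    """Return (line_no, command, finding) for each over-broad command spec.

    Simplified on purpose: aliases, line continuations and escaped commas
    are not expanded, so run `visudo -c` for real syntax checking.
    """
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith(("#", "@", "Defaults")) or "_Alias" in line:
            continue
        m = RULE.match(line)
        if not m:
            continue
        for cmd in (TAGS.sub("", c.strip()) for c in m.group(3).split(",")):
            path, _, args = cmd.partition(" ")
            if cmd == "ALL":
                findings.append((no, cmd, "any command"))
            elif WILDCARD.search(cmd):
                findings.append((no, cmd, "wildcard"))
            elif path.startswith("/") and not args:
                findings.append((no, cmd, "any arguments"))
    return findings

if __name__ == "__main__":
    for no, cmd, why in audit(SAMPLE):
        print(f"line {no}: {cmd!r} -> {why}")
```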