Allow non-sudo group to control Upstart job

I'm trying to set up an Upstart job to run on system startup, and that can also be started/stopped by members of a group other than sudo. With a previous version, I usedupdate-rc.d and scripts stored in /etc/init.d/ to get this working by adding %Group ALL = NOPASSWD: /etc/init.d/scriptname to my sudoers file, but I can't seem to get an equivalent working for Upstart.

I tried adding %Group ALL = NOPASSWD: /sbin/initctl start jobname to the sudoers file, but trying to run the command start jobname produces this error:

start: Rejected send message, 1 matched rules; type="method_call", sender=":1.21" (uid=1000 pid=5148 comm="start jobname " interface="com.ubuntu.Upstart0_6.Job" member="Start" error name="(unset)" requested_reply="0" destination="com.ubuntu.Upstart" (uid=0 pid=1 comm="/sbin/init")

As near as I can tell, that's a complaint about how my user account isn't given the power to send 'Start' messages in the D-Bus config file for Upstart. I haven't been able to actually find any information on how to edit that file to give a group permission to access a specific service--does such an option exist? Is there a way to edit the Sudoers file so I can run the job without editing the config file? Am I better off just sticking with the previous version?


You can start with finding out where the D-Bus configuration specific for Upstart is kept. See that destination="com.ubuntu.Upstart" snippet from the error message? Now try to grep it in the folder with D-Bus config files:

vhost07:~ $ grep -r "com.ubuntu.Upstart" /etc/dbus-1
/etc/dbus-1/system.d/Upstart.conf:    <allow own="com.ubuntu.Upstart" />
[...skipped...]

That Upstart.conf file has some examples of policies. I guess you could try to figure out the format of a policy from them. Then try to allow your specific user just the actions that it needs. For instance, as in:

<policy user="pope_benedict">
  <allow send_destination="com.ubuntu.Upstart"
         send_interface="com.ubuntu.Upstart0_6.Job"
         send_member="Start"/>
</policy>

This should permit the pope_benedict user to start that job.

Note that the values for the 'allow' policy attributes are listed in your original error message.


I'm personally using the following line in /etc/sudoers.d/jobname_myuser file:

myuser ALL = (root) NOPASSWD: /sbin/start jobname, /sbin/stop jobname, /sbin/restart jobname, /sbin/status jobname

as described here: https://serverfault.com/a/390723/68608


Such option does not exist in sudo.

The difference between Sysv scripts and Upstart configuration files is just that: Sysv scripts are scripts, executables in their own right and you can tell sudo to allow some group to execute them. In the other hand, Upstart configuration files are merely just configuration files, not executables, so the execution of start (symlink to initctl) is the thing sudo allows. Your issue here is that allowing people to run initctl you allow them to initctl everything.

Solution is though simple if your concern in merely a single job. Make a script, say /usr/bin/jobname.sh with

#!/bin/sh
initctl $1 jobname

then chmod 755 /usr/bin/jobname.sh and finally add that executable to your sudoers file:

%Group ALL = NOPASSWD: /usr/bin/jobname.sh

This way, everyone can call jobname.sh start or jobname.sh stop to control this specific job. You might want to add some checking to allow only start and stop parameters etc.