Ubuntu – Allow non-sudo group to control Upstart job


I'm trying to set up an Upstart job to run on system startup, and that can also be started/stopped by members of a group other than sudo. With a previous version, I usedupdate-rc.d and scripts stored in /etc/init.d/ to get this working by adding %Group ALL = NOPASSWD: /etc/init.d/scriptname to my sudoers file, but I can't seem to get an equivalent working for Upstart.

I tried adding %Group ALL = NOPASSWD: /sbin/initctl start jobname to the sudoers file, but trying to run the command start jobname produces this error:

start: Rejected send message, 1 matched rules; type="method_call", sender=":1.21" (uid=1000 pid=5148 comm="start jobname " interface="com.ubuntu.Upstart0_6.Job" member="Start" error name="(unset)" requested_reply="0" destination="com.ubuntu.Upstart" (uid=0 pid=1 comm="/sbin/init")

As near as I can tell, that's a complaint about how my user account isn't given the power to send 'Start' messages in the D-Bus config file for Upstart. I haven't been able to actually find any information on how to edit that file to give a group permission to access a specific service–does such an option exist? Is there a way to edit the Sudoers file so I can run the job without editing the config file? Am I better off just sticking with the previous version?

Best Answer

  • You can start with finding out where the D-Bus configuration specific for Upstart is kept. See that destination="com.ubuntu.Upstart" snippet from the error message? Now try to grep it in the folder with D-Bus config files:

    vhost07:~ $ grep -r "com.ubuntu.Upstart" /etc/dbus-1
    /etc/dbus-1/system.d/Upstart.conf:    <allow own="com.ubuntu.Upstart" />

    That Upstart.conf file has some examples of policies. I guess you could try to figure out the format of a policy from them. Then try to allow your specific user just the actions that it needs. For instance, as in:

    <policy user="pope_benedict">
      <allow send_destination="com.ubuntu.Upstart"

    This should permit the pope_benedict user to start that job.

    Note that the values for the 'allow' policy attributes are listed in your original error message.

  • Related Question