I have a task to give to a second developer the ability to restart gunicorn service, without giving him access to whole virtual machine, he is able to upload his projects files via ftp in his projects directory, but he can't restart gunicorn himself.

my "script.sh" is:

sudo service gunicorn restart

i can execute script.sh myself in terminal with this command, it works fine:
./script.sh

How can i execute this script remotely? Maybe via url? Or maybe if there any other better ways to complete this task, please share

Thank you!

CodePudding user response：

I like two of your ideas most, one is writing a service that detect uploaded files in specific directory

Basically a script:

inotifywait /the/dir -m -e CREATE,CLOSE | while read -f action file; do 
      rm "$file"
      systemctl restart that_thing
done

with maybe some filtering on specific file names and/or password checking like the content of the filename has to be some password.

If you do not use Linux, instead of inotifywait you could just poll for the file existence, each second or so.

See man inotifywait, https://mywiki.wooledge.org/BashFAQ/001 https://mywiki.wooledge.org/BashGuide . I doubt your server uses rc-scripts , it's 2021, consider moving to systemd. https://www.linode.com/docs/guides/introduction-to-systemctl/ https://www.shubhamdipt.com/blog/how-to-create-a-systemd-service-in-linux/ .

And second is to give to the developer access with which he could trigger only specific commands

Setup ssh server, give the developer an user account, install sudo and then create a file in /etc/sudoers.d/other_developer with the content:

otherdeveoperuseraccount ALL=(root) NOPASSWD: /usr/bin/systemctl restart that_service

Then the other developer will be able to run that specific command.

See man sudo and man sudoers and https://unix.stackexchange.com/questions/279125/allow-user-to-run-a-command-with-arguments-which-contains-spaces . Overall, as to how to setup ssh server and add user accounts, interest in some basic introduction to Linux computer administartion - surely there are endless online.

CodePudding user response：

One way:

1. Create a user with min-privileges. (unfortunately some shell privilege is req).
2. Override The ONLY command which forcibly runs on ssh for this user.

# 1. Create a user with shell = /bin/sh & no home-dir
sudo adduser limiteduser --shell=/bin/sh --no-create-home

# 2. Restrict further in sshd_config
nano /etc/ssh/sshd_config

## > Add the following at the end
Match user limiteduser
  ForceCommand /path/to/restart-script
  # ForceCommand ls    # Tried this for testing.

P.S: Some side effects include limiteduser having access to tunnel ports. Since the user already has FTP access; I am assuming that security requirements aren't super tight.

Another way - since FTP access is present.

• When the user is done with FTP upload, ask him to create a file at a location: /path/to/ftp/folder/request-restart.txt
• [Per-minute] Write a cron job which checks for this file & runs the restart script & deletes the file.
  • The inotify script in @kamilkuk 's answer is a finer real time version of this. with cron the max resolution is 1 minute.
• This can be extended to provide more request-some-other-command for the user.

# cron-watch-n-restart-script.sh
FILE="/path/to/ftp/folder/request-restart.txt"
if [[ -f "$FILE" ]]; then
    /path/to/restart-script.sh
    rm $FILE
fi

# Cron job entry (crontab -e): every minute
* * * * * /path/to/cron-watch-n-restart-script.sh