Allow non-admin to execute sudo commands

It is sometimes useful to allow non-admin users to execute commands that normally require sudo, for example to reload nginx or to run a specific systemctl command. This is especially useful for CI/CD.

This is easily doable with visudo.

Start by adding a new sudoers file with:

sudo visudo -f /etc/sudoers.d/<some-meaningful-name>

Note that the filename cannot contain dots or tildes: sudo skips files in /etc/sudoers.d/ whose names contain a dot or end in a tilde.

Adding your file under /etc/sudoers.d/ ensures there are no bad surprises when your distribution changes the /etc/sudoers file during a system upgrade.

All files in /etc/sudoers.d/ are loaded by the last line of /etc/sudoers (which, despite the leading #, is not a comment btw):

#includedir /etc/sudoers.d

Let's say you want the user web to be able to reload the nginx config:

Cmnd_Alias RELOADNGINX = /bin/systemctl reload nginx
web ALL=(ALL) NOPASSWD: RELOADNGINX

The same can be done for a group by prefixing the group name with a %, for example:

%webgroup ALL=(ALL) NOPASSWD: RELOADNGINX

Multiple commands can also be added by separating them with commas. Here, once RESTART is granted to user web in the same way as RELOADNGINX above, web would be able to stop and start nginx:

Cmnd_Alias RESTART = /bin/systemctl stop nginx,/bin/systemctl start nginx

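To check that what has been added is valid, run sudo visudo --check.

Once saved and written, user web will be able to execute the command sudo systemctl reload nginx without any password. sudo matches the arguments as they are written in the rule, so the RELOADNGINX rule covers reload only.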
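For CI/CD provisioning, where nobody is at a terminal to run visudo interactively, the same steps can be scripted so that a broken file never reaches /etc/sudoers.d/. This is an added example, not part of the original post: the function names and the drop-in name web-nginx are assumptions, and it writes (root) instead of the (ALL) used above so the rule only allows running the command as root.

```shell
#!/bin/sh
# Added example: non-interactive install of a single-rule sudoers drop-in.
# Function names are hypothetical; run install_dropin as root.

# sudo skips files in /etc/sudoers.d whose name contains a dot or ends
# in a tilde, so reject those (and empty names or paths) up front.
valid_dropin_name() {
    case "$1" in
        ''|*.*|*~|*/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print one rule: one user, one exact command line, run as root only.
render_rule() {  # $1 = user, $2 = command line starting with an absolute path
    case "$2" in
        # , : = and \ are special in sudoers and would need escaping.
        *[,:=]*|*\\*) echo "unsupported character in command" >&2; return 1 ;;
        /*) ;;
        *) echo "command must start with an absolute path" >&2; return 1 ;;
    esac
    printf '%s ALL=(root) NOPASSWD: %s\n' "$1" "$2"
}

install_dropin() {  # $1 = drop-in name, $2 = user, $3 = command line
    valid_dropin_name "$1" || { echo "bad drop-in name: $1" >&2; return 1; }
    tmp=$(mktemp) || return 1
    render_rule "$2" "$3" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Check the staged copy first; only a file that parses is installed,
    # root-owned and mode 0440.
    if visudo -c -f "$tmp"; then
        install -m 0440 -o root -g root "$tmp" "/etc/sudoers.d/$1"
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Usage, as root:
#   install_dropin web-nginx web '/bin/systemctl reload nginx'
```

Afterwards, sudo -l -U web lists what the user is actually allowed to run.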

For more on visudo, see man visudo and the following blogposts: