There are three different concepts mixed here.
First of all, you added the wrong commands: systemctl reboot is not /sbin/reboot! Despite the similarity, it is a separate /bin/systemctl program that only happens to take the word 'reboot' as a command line parameter.
Second, /etc/sudoers only affects sudo. It does not automatically grant you privileges in any other way – all it does is permit you to sudo systemctl this or that to run the command under someone else's account (and with their privileges).
When the command is run without sudo, it still has the same original privileges as before, regardless of what you have in /etc/sudoers.
The password prompt you might see when running systemctl without sudo is shown by polkit (previously known as PolicyKit). It is a separate system from sudo, and it works in terms of "actions" rather than commands. Unlike sudo, the permissions for a polkit action are directly checked by whatever is performing the action (you don't become root when entering the password; rather, polkit has "allowed", "allowed with password", and "allowed with admin password" as three different access levels).
So you need to decide between the two options:
If you want to use sudo and /etc/sudoers, then your webpage needs to run the command with sudo prefixed.
If you want the command to work without sudo, then you need to write polkit rules instead of sudoers rules.
For polkit, you first need to determine the polkit action name associated with 'systemctl reboot' – it will show up in your logs (journalctl -f) whenever you run the command, and it'll look like org.freedesktop.systemd.whatever.
Afterwards, if you have polkit v106 or later, rules are defined in JavaScript like in these examples and as documented in man 8 polkit. For example:
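/etc/polkit-1/rules.d/allow-website-to-reboot.rules

    polkit.addRule(function(action, subject) {
        // "org.systemd.foobar" is a placeholder; use the action name from your logs.
        if (action.id == "org.systemd.foobar") {
            // Allow without a password only for the web server's account.
            if (subject.user == "www-data") {
                return polkit.Result.YES;
            }
            // Alternative ways to match the caller:
            // if (subject.isInGroup("wheel"))
            // if (subject.system_unit == "apache2.service")
        }
        // Returning nothing leaves the decision to other rules and the defaults.
    });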
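
A way to check offline that a rule like the one above grants only the intended action to the intended user, before it is dropped into /etc/polkit-1/rules.d. This is an added example, not part of the original answer: makePolkit, makeSubject, decide and the "auth_admin" fallback are hypothetical stand-ins for polkitd's real engine and the action's default, and "org.systemd.foobar" is still the answer's placeholder action name.

```javascript
// Simplified stand-in for polkit's rule engine (assumption, for offline
// testing only; the real engine runs inside polkitd).
function makePolkit() {
  const rules = [];
  return {
    Result: { YES: "yes", NO: "no", AUTH_ADMIN: "auth_admin", NOT_HANDLED: null },
    addRule(fn) { rules.push(fn); },
    // Rules run in order and the first one that returns a result wins.
    // If no rule decides, the action's own default applies (fallback here).
    check(action, subject, fallback) {
      for (const rule of rules) {
        const result = rule(action, subject);
        if (result) return result;
      }
      return fallback;
    },
  };
}

// Constructed subject exposing only the fields the rule reads.
function makeSubject(user, groups) {
  return { user, isInGroup(g) { return groups.includes(g); } };
}

const ACTION_ID = "org.systemd.foobar"; // placeholder from the answer, not a real action

// Same shape as the body of a .rules file.
function loadRules(polkit) {
  polkit.addRule(function (action, subject) {
    if (action.id == ACTION_ID && subject.user == "www-data") {
      return polkit.Result.YES;
    }
    // No return value: fall through to later rules and defaults.
  });
}

// Evaluate one request; "auth_admin" is an assumed default for the action.
function decide(actionId, user, groups = []) {
  const polkit = makePolkit();
  loadRules(polkit);
  return polkit.check({ id: actionId }, makeSubject(user, groups), "auth_admin");
}

console.log(decide(ACTION_ID, "www-data"));           // intended grant
console.log(decide(ACTION_ID, "alice", ["wheel"]));   // other user, same action
console.log(decide("org.example.other", "www-data")); // same user, other action
```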