I had hit the "cannot run wp core" snag and got some tips from @strarsis.
On a fresh Ubuntu 20 droplet, now using php8.0 (wp/php deprecation warnings on 8.1):
/etc/sudoers.d/web-services
content is:
# Ansible managed
web ALL=(root) NOPASSWD: /usr/sbin/service.php8.0-fmp.*
Running sudo service php8.0-fpm reload
as the web user, I still get prompted for a password.
Tried putting the permission config directly in the /etc/sudoers
file. Same result.
The sudo log:
/var/log/auth.log
Aug 5 15:55:48 su: (to web) admin on pts/0
Aug 5 15:55:48 su: pam_unix(su:session): session opened for user web by admin(uid=0)
Aug 5 15:55:59 sudo: pam_unix(sudo:auth): conversation failed
Aug 5 15:55:59 sudo: pam_unix(sudo:auth): auth could not identify password for [web]
Aug 5 15:55:59 sudo: web : command not allowed ; TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/sbin/service php8.0-fpm reload
As noted in the other thread, php permissions seem correct (or at least to match a working 7.4 server).
Not sure what my next move should be.
My understanding of password-less sudo:
I recently asked a friend/advisor the same thing and he said, “No, it’s not a massive security vuln,” explaining to me that the sudo password is more to prevent the user from making a significant mistake in haste than for security. (Password-less sudo being MORE secure than an ssh connection that allows password access.) Since only ssh connections with keys on the computer can become the (in this case) admin user, it doesn’t make a significant difference in the ability to access root. If someone can access my ssh private key, they can probably get the admin sudo password as well. That being said, there’s definitely something to preventing users from “making a significant mistake in haste”.
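An added example, not part of the post above and not Trellis's own template: a small shell emulation of how sudoers matches a NOPASSWD command spec against the command a user actually runs, following the sudoers(5) rule that the pathname is matched with shell-style wildcards and the arguments are then matched as a single space-delimited string. It lets the rule from the post be compared offline with the COMMAND that sudo logged (/usr/sbin/service php8.0-fpm reload). The "corrected" rule of the shape /usr/sbin/service php8.0-fpm * is an assumption used for contrast, not a quote of the Ansible-managed file.

```shell
# Added example: emulate sudoers command matching so a rule can be checked
# against the COMMAND= value that appears in /var/log/auth.log.
# Assumptions: sudoers(5) semantics (wildcards in the pathname; arguments
# matched as one space-joined string; a spec with no arguments allows any).
# The "fixed" rule shape below is assumed, not taken from the post.

# sudoers_cmd_matches SPEC CMD_PATH [ARGS...]
#   SPEC     command part of a sudoers entry, e.g. "/usr/sbin/service php8.0-fpm *"
#   CMD_PATH resolved executable path as sudo logs it, e.g. /usr/sbin/service
#   ARGS     the arguments the user passed
# Returns 0 when sudo would consider the command allowed by SPEC, 1 otherwise.
sudoers_cmd_matches() {
    spec=$1; shift
    cmd_path=$1; shift
    cmd_args=$*

    # Split the spec into pathname and argument string.
    spec_path=${spec%% *}
    if [ "$spec_path" = "$spec" ]; then
        any_args=1              # no arguments in the spec: any arguments match
        spec_args=""
    else
        any_args=0
        spec_args=${spec#* }
    fi

    # Pathname: glob match. A pattern unquoted in a case label is used as a
    # pattern, which is exactly the fnmatch-style behaviour sudoers uses.
    case "$cmd_path" in
        $spec_path) ;;
        *) return 1 ;;
    esac

    [ "$any_args" -eq 1 ] && return 0

    # Arguments: matched as a single space-delimited string, so "php8.0-fpm *"
    # matches "php8.0-fpm reload" but not "nginx restart".
    case "$cmd_args" in
        $spec_args) return 0 ;;
        *) return 1 ;;
    esac
}

# The rule exactly as written in the post versus the command sudo logged.
# Its pathname is "/usr/sbin/service.php8.0-fmp.*", which can never match
# the pathname "/usr/sbin/service", so sudo reports "command not allowed".
check_post_rule() {
    sudoers_cmd_matches '/usr/sbin/service.php8.0-fmp.*' /usr/sbin/service php8.0-fpm reload
}

# An assumed corrected rule: pathname, then a literal service name, then *.
check_fixed_rule() {
    sudoers_cmd_matches '/usr/sbin/service php8.0-fpm *' /usr/sbin/service php8.0-fpm reload
}

# The corrected rule must still refuse to let the web user touch other services.
check_fixed_rule_other_service() {
    sudoers_cmd_matches '/usr/sbin/service php8.0-fpm *' /usr/sbin/service nginx restart
}

# Stand-alone run: report each case.
if check_post_rule; then echo "post rule: allowed"; else echo "post rule: not allowed"; fi
if check_fixed_rule; then echo "fixed rule: allowed"; else echo "fixed rule: not allowed"; fi
if check_fixed_rule_other_service; then echo "fixed rule, nginx: allowed"; else echo "fixed rule, nginx: not allowed"; fi
```

On the server itself the equivalent checks are `visudo -cf /etc/sudoers.d/web-services` (syntax check of the drop-in) and, as root, `sudo -l -U web`, which prints the commands sudo believes the web user may run; the COMMAND= field in auth.log shows the already-resolved path that those entries have to match.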