It is possible to let httpd (or any other user) issue a specific command or run a specific service as any other (system) user without actually having sudo privileges.

In this case, assume Apache runs with the www-data account.

In order to do this on Ubuntu, do the following:
$ sudo vi /etc/sudoers.d/www-data
www-data ALL=(ALL) NOPASSWD: /usr/bin/crontab, NOPASSWD: /usr/bin/whoami, NOPASSWD: /bin/bash /home/steam/webstart.sh [[\:alpha\:]]*

Explanation:
What this does is create a file named www-data in the /etc/sudoers.d location. The file says that the www-data user is allowed, and ONLY allowed, to run "/usr/bin/crontab", "/usr/bin/whoami" and "/bin/bash /home/steam/webstart.sh" with sudo.

This means that www-data can start webstart.sh with sudo; the script in turn starts a service. This will run under the "steam" user account, so you don't need to give root privileges to the service.

-rwxrwxr-x 1 steam steam 123 Feb 15 14:52 webstart.sh

Note:
[[\:alpha\:]]* means that the webstart.sh command can be followed by any alphabetical letter, so you can pass arguments to the script. Without this, www-data would not even be allowed to run "/bin/bash /home/steam/webstart.sh a", as this is NOT what was specified. The sudoers file is VERY strict and literal. If you want, you can specify exactly which command is allowed. If multiple commands are specifically allowed, you must add multiple statements separated by commas: NOPASSWD: /bin/bash /home/steam/webstart.sh start, NOPASSWD: /bin/bash /home/steam/webstart.sh stop, NOPASSWD: /bin/bash /home/steam/webstart.sh restart

Warning: Make sure NOT to add NOPASSWD: /bin/bash [[\:alpha\:]]* without specifying a command or script before the regex, as this would allow www-data to run /bin/bash followed by ANY command, obviously.

PS: It is not necessary to actually name the file www-data, but I like to make a separate file for each user to which I grant special privileges instead of combining them all into one.
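The following is an added example; it is not part of the answer above. It renders the answer's rule next to a tightened version that pins the run-as user to steam instead of (ALL) (with (ALL), plain `sudo` runs the script as root unless www-data explicitly passes `-u steam`, and the script is writable by the steam account) and lists exact argument strings instead of a wildcard. It also shows how sudo matches the argument string: the arguments are joined with spaces and compared with fnmatch(3), so `*` matches spaces as well. User names, the script path and the drop-in path are taken from the answer; the `show`/`install` subcommands and the temporary-file usage are assumptions for this example.

```shell
#!/bin/sh
# Added example, not code from the original answer. Builds a sudoers
# drop-in for www-data with the run-as user pinned to steam and exact
# argument strings, and demonstrates sudoers argument matching.
# Assumptions (mirroring the answer): users www-data and steam exist
# and the service script is /home/steam/webstart.sh.

WWW_USER="www-data"
RUNAS_USER="steam"
SCRIPT="/home/steam/webstart.sh"

# The rule as written in the answer: any target user (root is what
# "sudo" picks unless "-u steam" is given) and any argument string
# that starts with a letter.
weak_rule() {
    printf '%s ALL=(ALL) NOPASSWD: /bin/bash %s [[\\:alpha\\:]]*\n' "$WWW_USER" "$SCRIPT"
}

# Tightened rule: run-as pinned to steam, one exact command line per
# action, no wildcard. www-data then invokes it as:
#   sudo -u steam /bin/bash /home/steam/webstart.sh start
tight_rule() {
    printf '%s ALL=(%s) NOPASSWD: /bin/bash %s start, /bin/bash %s stop, /bin/bash %s restart\n' \
        "$WWW_USER" "$RUNAS_USER" "$SCRIPT" "$SCRIPT" "$SCRIPT"
}

# sudo joins the supplied arguments with single spaces and matches the
# result against the sudoers pattern with fnmatch(3); "*" matches any
# characters, spaces included. A shell "case" pattern behaves the same.
# Returns 0 when the argument string would be accepted by the weak rule.
weak_rule_accepts() {
    case "$1" in
        [[:alpha:]]*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Exact matching as the tight rule does it: the whole argument string
# must equal one of the listed actions.
tight_rule_accepts() {
    case "$1" in
        start|stop|restart) return 0 ;;
        *)                  return 1 ;;
    esac
}

# Write the tightened rule as a drop-in. $1 is the destination, normally
# /etc/sudoers.d/www-data; pass a temporary path to inspect it first.
write_dropin() {
    dest="$1"
    tight_rule > "$dest"
    chmod 0440 "$dest"   # sudo ignores drop-ins that are writable by others
}

# Returns 0 if the drop-in has the 0440 mode sudo expects.
dropin_mode_ok() {
    [ -n "$(find "$1" -perm 440)" ]
}

# Syntax-check with visudo before relying on the file. Requires visudo
# (and root for the ownership checks); not exercised offline.
check_syntax() {
    visudo -cf "$1"
}

case "${1:-}" in
    show)
        echo "Answer's rule:  $(weak_rule)"
        echo "Tightened rule: $(tight_rule)"
        ;;
    install)
        write_dropin /etc/sudoers.d/www-data && check_syntax /etc/sudoers.d/www-data
        ;;
esac
```

Run it with `show` to compare the two rules, or as root with `install` to write and syntax-check the drop-in. With the tightened rule, www-data cannot pick root as the target user and cannot pass anything beyond the three listed actions; whatever webstart.sh itself does with its arguments is then the only remaining attack surface.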