Re: shutdown user and accountability
Can't you give a group sudo access? If so, just add everyone to a group
and give that group sudo /sbin/halt or sudo /sbin/shutdown or both.
Or you could write your own script which wraps around halt/shutdown and
logs what it's doing via logger or syslog...
On Tue, 2001-11-27 at 17:51, Olaf Meeuwissen wrote:
> Dear .debs,
>
> I'm maintaining a (small-time) group server for our department. In
> order to satisfy company policy requirements I need to provide a way
> to shut down the server in case of emergencies. Our network admin was
> kind enough to give me two alternatives:
>
> 1) provide an on-screen shutdown button
> 2) provide a shutdown user account (and document its usage)
>
> I didn't like either approach because they lack accountability: after
> a shutdown I can't tell *who* did it.
> BTW, the server has no screen for buttons, so 1) is not an option to
> begin with. You have to ssh in to do anything (exploit one of inetd,
> exim, samba or apache in some way may be an alternative ;-).
>
> I came up with a 'sudo /sbin/halt' for department members (and others
> on an as needed basis), but that was no good. Everyone has to be able
> to shut it down. I racked my brains but didn't come up with anything
> that provides accountability. Anyone any suggestions?
>
> Right now, I'm stuck with 2) and writing the password on the machine
> (or similar) *or* stay with what I have now and take my chances with
> people flicking the power switch.
> BTW, the server is not in a physically secure location, so I run the
> power switch thingy risk anyway.
>
> Suggestions, discussions of pros and cons welcome,
> --
> Olaf Meeuwissen Epson Kowa Corporation, Research and Development
> GnuPG key: 6BE37D90/AB6B 0D1F 99E7 1BF5 EB97 976A 16C7 F27D 6BE3 7D90
> LPIC-2 -- I hack, therefore I am -- BOFH
--
Blake Barnett (bdb) <blake.barnett@developonline.com>
Sr. Unix Administrator
DevelopOnline.com office: 480-377-6816
"Do, or do not. There is no try." --Yoda
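
The wrapper idea from the reply above, sketched as an added example that is not part of the original message: a script granted to a group through sudo, which writes one audit line via logger before halting. The script name `logged-halt`, its install path, the group name `halters` and the log format are all assumptions made for this example.

```shell
#!/bin/sh
# Added example: hypothetical wrapper, installed as /usr/local/sbin/logged-halt.
# Assumed sudoers rule (the group name "halters" is made up for this example):
#   %halters ALL = (root) /usr/local/sbin/logged-halt
PATH=/sbin:/bin:/usr/sbin:/usr/bin   # do not rely on the caller's PATH

# Who asked for the shutdown. sudo sets SUDO_USER itself, so a caller going
# through sudo cannot forge it; otherwise fall back to the effective user.
invoking_user() {
    if [ -n "${SUDO_USER:-}" ]; then
        printf '%s\n' "$SUDO_USER"
    else
        id -un
    fi
}

# Keep only printable ASCII from the free-text reason, drop double quotes and
# cap the length, so the reason cannot add lines or fields to the log entry.
clean_reason() {
    printf '%s' "$1" | LC_ALL=C tr -cd ' -~' | tr -d '"' | cut -c1-120
}

# Build the single audit line that is sent to syslog.
audit_line() {
    reason=$(clean_reason "${1:-}")
    printf 'halt requested by user=%s reason="%s"\n' \
        "$(invoking_user)" "${reason:-none given}"
}

main() {
    line=$(audit_line "$*")
    # Refuse to halt if logger reports a failure.
    logger -p auth.notice -t logged-halt "$line" || exit 1
    # The same line is passed to shutdown as its broadcast message.
    exec /sbin/shutdown -h now "$line"
}

# Act only when executed under the installed name, so the functions above
# can be sourced and tested without halting anything.
case "${0##*/}" in
    logged-halt) main "$@" ;;
esac
```

Because the sudoers rule names only the wrapper, group members cannot call /sbin/halt directly through sudo and skip the log line.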