
Re: Proposal of new group



In article <cistron.19991013194951.H217@tavaiah>,
=?iso-8859-1?Q?Tomasz_W=EAgrzanowski?=  <maniek@beer.com> wrote:
>I suggest a new group `power'
>and setting privileges of shutdown and halt (reboot is symlink to halt) to:
>-rwsr-xr--   1 root     power        6876 Jan 12  1999 /sbin/halt
>-rwsr-xr--   1 root     power       13492 Jan 12  1999 /sbin/shutdown
>(chmod u+s)(chmod o-x)(chown root.power)

Really, you are not supposed to call 'halt' or 'reboot' directly -
that's just a BSD heritage that people can't seem to get rid of.
But if you insist on it, halt or reboot don't need to be setuid root,
since they call shutdown anyway if they think that is what you meant.

>This group would be very useful for desktop machines for people who
>set computer on (via switch), login as common user and do what they have to
>and then stop the computer via command (`halt' or `shutdown -h now')
>or via its interface gshutdown. Now this problem is locally solved inelegantly
>by sudo or by special root account called ex: halt (shell=/sbin/halt) or
>by even less secure methods because of lack of the standard.

Note that 'shutdown' was NOT designed to be run setuid - for all
I know it's full of grave security holes if you do. You then not
only gave the people in the group 'power' permission to shut down
the machine, you just granted them root access as well ...

Mike.
-- 
First things first, but not necessarily in that order.
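
An added example, not part of the original message: a small audit that reads `ls -l` lines such as the two quoted above and reports, for each setuid file, who can execute it with the owner's privileges. The third sample line is a constructed control, and the function names are hypothetical.

```python
import re

# The first two lines are the listing quoted in the proposal above;
# the third is a constructed control entry without the setuid bit.
SAMPLE = """\
-rwsr-xr--   1 root     power        6876 Jan 12  1999 /sbin/halt
-rwsr-xr--   1 root     power       13492 Jan 12  1999 /sbin/shutdown
-rwxr-xr-x   1 root     root        20000 Jan 12  1999 /bin/ls
"""

# mode, link count, owner, group, size, month, day, year-or-time, path
LS_LINE = re.compile(
    r"^(?P<mode>[-bcdlps][-rwxsStT]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<path>.+)$"
)

def who_runs_as_owner(mode, group):
    """Return who may execute a setuid file as its owner, or None if not setuid."""
    user_x, group_x, other_x = mode[3], mode[6], mode[9]
    if user_x not in "sS":      # 's'/'S' in the owner-execute slot marks setuid
        return None
    if other_x in "xt":         # world-executable ('t' is sticky plus execute)
        return "everyone"
    if group_x in "xs":         # group-executable ('s' is setgid plus execute)
        return f"group {group}"
    return "owner only"

def audit(listing):
    """Return (path, owner, who) for every setuid entry in an ls -l listing."""
    findings = []
    for line in listing.splitlines():
        m = LS_LINE.match(line)
        if not m:
            continue            # skip lines that are not ls -l entries
        who = who_runs_as_owner(m["mode"], m["group"])
        if who:
            findings.append((m["path"], m["owner"], who))
    return findings

if __name__ == "__main__":
    for path, owner, who in audit(SAMPLE):
        print(f"{path}: runs as {owner} for {who}")
```
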

