
Re: gshutdown



On Thu, 6 May 1999, Robert Kerr wrote:
> I'm using gnome with enlightenment, and I'd like to add the gshutdown to
> my panel.  I've added it successfully, changed gshutdown to setuid root,

You should know that this is a *huge* security hole. You're welcome to
have such a hole if your system doesn't need to be secure of course, but
you should know you have it.

> only the superuser can shutdown the system.  I've changed /sbin/shutdown
> to setuid root also.  Can anyone shed some light?

Yeah, gshutdown checks to see if you're root and it shouldn't. I wrote
gshutdown, but someone else added this patch; I don't think it's correct.
I'll fix it upstream and it will be fixed in some future version. For now
you have to be root. If you file a bug against the Debian package, the
Debian maintainer may see fit to apply a Debian-specific patch in a
shorter timeframe.

In the future, the correct way to set it up will be to either have the
right to run /sbin/shutdown, or use a graphical su utility such as 'gsu'
(which exists but isn't in the default Gnome build due to security
concerns).  gshutdown really shouldn't be suid root.

Thanks for reminding me about this.

Havoc
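
The check this reply implies, as an added example that is not part of the original message or of gshutdown itself: a POSIX shell audit that reports whether a binary carries the setuid bit, which uid owns it, and whether every local user may execute it. `/sbin/shutdown` is taken from the message; the location of `gshutdown` is an assumption and is looked up on `PATH`.

```shell
#!/bin/sh
# Added example: audit binaries for the setuid bit described in the thread.

# setuid_status PATH
# Prints "missing", "ok", or "setuid uid=N other-exec=yes|no".
setuid_status() {
    path=$1
    [ -e "$path" ] || { echo "missing"; return 0; }
    [ -u "$path" ] || { echo "ok"; return 0; }

    # ls -ldn gives the mode string and the numeric owner portably.
    line=$(ls -ldn -- "$path")
    set -- $line
    mode=$1
    uid=$3

    # Character 10 of the mode string is the "other" execute bit.
    case $mode in
        ?????????[xt]*) other=yes ;;
        *)              other=no ;;
    esac
    echo "setuid uid=$uid other-exec=$other"
}

# audit_setuid PATH...
# Prints one line per path; returns non-zero if any path is setuid.
audit_setuid() {
    findings=0
    for p in "$@"; do
        s=$(setuid_status "$p")
        printf '%-40s %s\n' "$p" "$s"
        case $s in
            setuid*) findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# gshutdown's install path is not given in the message, so resolve it on PATH.
gs=$(command -v gshutdown 2>/dev/null || echo gshutdown)
audit_setuid /sbin/shutdown "$gs" ||
    echo "setuid bit found: clear it with chmod u-s and grant shutdown rights another way"
```

A result of `setuid uid=0 other-exec=yes` is the case the reply warns about: any local user can start that program with root privileges.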


