Re: Problem with '/etc/shutdown.allow'
Ethan Benson wrote:
>
> [...]
> normally anyone, whether anyone is logged into the console or not, can
> press control alt delete and reboot the system (if you have that line
> in inittab). adding shutdown.allow changes this so that
> control-alt-delete only works when a listed user is logged into any of
> the console ttys. if none are logged in then control-alt-delete is
> disabled.
> [...]
Ah, I see: 'shutdown.allow' is used for making rebooting more
restrictive - I thought I could use it for enabling mere mortals to
execute the halting of the system.
> > Now when I type 'shutdown -a -h now' it still tells me, I have to be
> > root. It looks like I have to set a SUID-flag. But I would prefer a
> > better solution. Otherwise: What would 'shutdown.allow' be good for?
>
> you could do two different things:
>
> add a group `shutdown' and add any authorised users to this group and
> do a chgrp shutdown /sbin/shutdown && chmod 4754 /sbin/shutdown. or
> use sudo.
>
> i highly recommend sudo over making shutdown suid. making shutdown
> suid allows users in that group to call shutdown with whatever
> arguments they want, which is not a good thing.
>
> with sudo you can give specific users the ability to run ONLY
> "shutdown -h now" with only those exact arguments and no other.
>
> then you would run instead:
>
> sudo shutdown -h now
>
> here are the relevant lines to put in /etc/sudoers (use visudo):
>
> Cmnd_Alias SHUTDOWN=/sbin/shutdown -h now
> Cmnd_Alias REBOOT=/sbin/shutdown -r now
>
> username hostname=SHUTDOWN,REBOOT
>
> or if you don't want the user password to be required:
>
> username hostname=NOPASSWD: SHUTDOWN,REBOOT
Thank you very much, Mr. Benson - 'sudo' works just fine.
> just be sure to use visudo to edit sudoers; it will check your syntax
> properly. if you don't like the editor it runs (probably vi) then
> export EDITOR=whatever
I am definitely a vi fan and I had no problems with editing 'sudoers'.
Best regards,
Andreas.
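
The quoted advice relies on a sudoers rule: a command listed with its arguments permits only that exact invocation, while a bare path permits any arguments. The following is an added example, not part of the original thread, that lists Cmnd_Alias entries which do not pin arguments; the sample input, the `LOOSE` and `MIXED` aliases, the `/sbin/reboot` path and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit Cmnd_Alias lines for commands listed without arguments.
# "/sbin/shutdown -h now" permits only that invocation; a bare "/sbin/shutdown"
# lets the user pass any arguments, which is what the thread warns against.

# Constructed sample input (first two aliases mirror the post, rest are made up).
sample_sudoers() {
cat <<'EOF'
Cmnd_Alias SHUTDOWN=/sbin/shutdown -h now
Cmnd_Alias REBOOT = /sbin/shutdown -r now
Cmnd_Alias LOOSE=/sbin/shutdown
Cmnd_Alias MIXED=/sbin/shutdown -h now, /sbin/reboot
username hostname=SHUTDOWN,REBOOT
EOF
}

# Reads sudoers text on stdin and prints "ALIAS: /path" for every command in a
# Cmnd_Alias that carries no argument list.
# Simplifications: one alias per line, no line continuations, no escaped commas.
unpinned_cmnds() {
    awk '
    $1 == "Cmnd_Alias" {
        line = $0
        sub(/^[ \t]*Cmnd_Alias[ \t]+/, "", line)
        eq = index(line, "=")
        if (eq == 0) next
        name = substr(line, 1, eq - 1)
        gsub(/[ \t]/, "", name)
        n = split(substr(line, eq + 1), cmds, ",")
        for (i = 1; i <= n; i++) {
            cmd = cmds[i]
            gsub(/^[ \t]+|[ \t]+$/, "", cmd)
            # An absolute path with no whitespace has no argument list.
            if (cmd ~ /^\// && cmd !~ /[ \t]/)
                print name ": " cmd
        }
    }'
}

# Stand-alone run over the constructed sample.
sample_sudoers | unpinned_cmnds
```

Syntax checking of the real file is still the job of visudo; this only reports aliases whose commands accept arbitrary arguments.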