[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Problem with '/etc/shutdown.allow'

Hai Andreas,

On Tue, Oct 17, 2000 at 07:13:55PM +0200, Andreas Hetzmannseder wrote:
> Carel Fellinger wrote:
> > shutdown isn't in your PATH, but even if it were it has no SUID flag so
> > it won't do you no good.
> You are absolutely right. Well I wouldn't believe it, so I had to see
> for myself: /sbin is now in my path but what's the point of it?

the point being...
> > > [...] However when I attempt to type 'shutdown -a -r now' or
> > > 'shutdown -a -h now' by myself, it says 'shutdown: command not found'.

...that the command will be found when typed from the command-line,
   but as I said that won't do you no good...

> > > I still have to be root in this case.

...as you still have to be root:]

You see, shutdown really needs root privilege, soit.
So either you use the suid trick on /sbin/shutdown (better not, and if not
then there is no need to have shutdown (/sbin) in your path either),
or signal some process running with root privilege to call shutdown for you.

The latter is what happens with Ctrl-Alt-Del, it triggers the keyboardhandler
to call shutdown. The keyboardhandler being a kernel process runs with root
privilege, so that works. But...

... there is more to this story if shutdown is called with the "-a" flag
and the file /etc/shutdown.allow exists. You see, in that case shutdown
*itself* will refuse to do its work if neither root nor one of the users
listed in /etc/shutdown.allow are actually logged-on on a virtual console.
An xterm or XDM log-on screen won't do, you really have to be logged-on.

But even if you're logged-on, "shutdown -a" still needs to be run with root
privilege (see above), so typing it from the command line will only work
if you're root or the suid bit is set.

> Thank you for your explanation.

Your welcome:), but I fear I've merely confused you with the inittab thing:(

> > Well, you shouldn't add the entry but modify the excisting one and add to
> > that entry the '-a' flag. [...]
> Now I feel completely stupid. Which existing entry shall I modify?
> Please have a look at my /etc/inittab:
>     ca:12345:ctraltdel:/sbin/shutdown -t1 -a -r now

the -a is already there, so the docs were misleading and I should have
looked up the contents of the default /etc/inittab file. Sorry.

groetjes, carel

Reply to: