Re: Problem with '/etc/shutdown.allow'
Hai Andreas,
On Tue, Oct 17, 2000 at 07:13:55PM +0200, Andreas Hetzmannseder wrote:
> Carel Fellinger wrote:
...
> > shutdown isn't in your PATH, but even if it were it has no SUID flag so
> > it won't do you no good.
>
> You are absolutely right. Well I wouldn't believe it, so I had to see
> for myself: /sbin is now in my path but what's the point of it?
the point being...
> > > [...] However when I attempt to type 'shutdown -a -r now' or
> > > 'shutdown -a -h now' by myself, it says 'shutdown: command not found'.
...that the command will be found when typed from the command-line,
but as I said that won't do you no good...
> > > I still have to be root in this case.
...as you still have to be root:]
You see, shutdown really needs root privilege, soit.
So either you use the suid trick on /sbin/shutdown (better not, and if not
then there is no need to have shutdown (/sbin) in your path either),
or signal some process running with root privilege to call shutdown for you.
The latter is what happens with Ctrl-Alt-Del, it triggers the keyboardhandler
to call shutdown. The keyboardhandler being a kernel process runs with root
privilege, so that works. But...
... there is more to this story if shutdown is called with the "-a" flag
and the file /etc/shutdown.allow exists. You see, in that case shutdown
*itself* will refuse to do its work if neither root nor one of the users
listed in /etc/shutdown.allow are actually logged-on on a virtual console.
An xterm or XDM log-on screen won't do, you really have to be logged-on.
But even if you're logged-on, "shutdown -a" still needs to be run with root
privilege (see above), so typing it from the command line will only work
if you're root or the suid bit is set.
...
> Thank you for your explanation.
Your welcome:), but I fear I've merely confused you with the inittab thing:(
> > Well, you shouldn't add the entry but modify the excisting one and add to
> > that entry the '-a' flag. [...]
>
> Now I feel completely stupid. Which existing entry shall I modify?
> Please have a look at my /etc/inittab:
...
> ca:12345:ctraltdel:/sbin/shutdown -t1 -a -r now
the -a is already there, so the docs were misleading and I should have
looked up the contents of the default /etc/inittab file. Sorry.
--
groetjes, carel
Reply to: