[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: /etc/shutdown.allow is not recognized by shutdown -a ?

Hello Sven,

On Wednesday, September 26, 2001 at 5:22:03 PM, 
you wrote (at least in part):

>> my poor and quick testing showed me it could be possible to combine 'fakeroot'
>> and 'shutdown'. Beside this I _know_ 'sudo' in combination with 'shutdown' does
>> work.

> Are you sure, i have not installed sudo here, but giving the user the right
> rights in sudoers, will make it possible for you to use sudo and shutdown in
> combination, i have added a gnome panel launcher with "sudo shutdown -h now"
> as command to stop the box, and it worked, i would prefer to have it working
> from the logout dialog, as it works for root.

I'd also not prefer running it from panel because it may cause a lost of data
if the gnome session get ended by a shutdown :-)
But I'm quite sure "sudo shutdown" works. In that combination you can avoid
the '-a' as root _is allowed_ to shutdown nevertheless, regardless if he 's in
'/etc/shutdown.allow' and 'sudo' _makes_ this command running with UID=0 .-)

>> I don't know if 'fakeroot' or 'sudo' even would help wiht this issue, as i
>> don't know if 'gnome logged in' count's the same as 'tty logged in'. I do know
>> 'ssh logged in' doesn't!
>> As you want using automated login which opens _possible_ security holes (or
>> toches security issues) I'd not use 'shutdown -a' for logout but only
>> 'fakeroot/sudo shutdown' ... If I switch on the machine and am logged in, the
>> check with '-a' if a valid /shutdown-allowed user is logged in is obsolete :-)

> It is only a security risk if someone has phisical acces to the box, isn't it

it is.

> ? Since the user was previously running windows 98, this should not be a real
> problem, but in the contrary, i think it is a good thing, since it lessens the
> barrier to entry. Are there other issues i should know about ?

I did not mentioned other issues, but what I intended to say was:
shutdown -a checks if a valid/allowed user shuts down the machine.
automated login plus allowing the user that becomes logged in automatically to
shut down the machine makes the '-a' check obsolete. If the allowed user is
loggin in automatically the '-a' check virtually can't fail :-)

> Saddly, the gdm halt from the system menu is no more available with automatic
> login, letting no easy way to switch off the box available, thus my
> investigation in the gnome logout dialog, and the shutdown questions.

it is.

I don't know if default in /etc/inittab is with or without '-a' (as I don'T
remember if I changed it *G*) but there are two possibilities:

a line like this in /etc/inittab:

ca:12345:ctrlaltdel:/sbin/shutdown -t1 -h now

and the user can logout from gdm and finally press <Ctrl>+<Alt>+<Del> and the
machine should halt. (-h)

This way:

ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -h now

He has to be in /etc/shutdown.allow and press "<Ctrl>+<Alt>+F1", login with
his/her normal login, and than user <Ctrl>+<Alt>+<Del> to shutdown the
machine. No problem too.
If you care 'bout him/her not understanding the act of 'Login' on console take
the first line without '-a' and don't care about /etc/shutdown.allow.

HTH
-- 
Best regards
 Peter
Reply to: