RE: shutdown priviledge, unprivileged shutdown -- solution

["Werner, Roger NAVAIR" <roger werner navy mil>]

Title: shutdown priviledge

Short version: use "halt" from the console.

 

Eric Wood, at linuxconf, suggested:

RE: shutdown priviledgeHave a look at:

http://www.redhat.com/docs/manuals/linux/RHL-7-Manual/ref-guide/s1-sysadmin-console-access.html

This file seemed to imply that shutdown priviledge is already automatically granted to anyone who logs in at the console.  This was not the case on my system.  However, the article was helpful, in that it described how to grant similar power to non-root console users to run other utilities, and it mentioned two other commands, "reboot" and "halt" which were also enabled for console logins.  I found that "halt" already did what I wanted to do with "shutdown" (enable a non-privileged user to shutdown the system from the console), so it was no longer necessary for me to pursue shutdown.  However, I presume that if I had followed the instructions in this article I could have configured shutdown like halt and reboot (it wasn't that way by default on my 7.2 system).  The relevant section:

Enabling Console Access for Other Applications

If you wish to make other applications besides shutdown, reboot, and halt accessible to console users, you will have to do just a little bit more work.

First of all, console access only works for applications which reside in /sbin or /usr/sbin, so the application that you wish to run must be there.

Create a link from the name of your application to the /usr/bin/consolehelper application:

cd /usr/bin
ln -s consolehelper foo
	

Create the file /etc/security/console.apps/foo:

touch /etc/security/console.apps/foo
	

Create a PAM configuration file for the foo service in /etc/pam.d/. We suggest that you start with a copy of the shutdown [halt] service, then change it if you want to change the behavior:

cp /etc/pam.d/shutdown /etc/pam.d/foo
	

Now, when you run /usr/bin/foo, it will call consolehelper, which, with the help of /usr/sbin/userhelper will authenticate the user (asking for the user's password if /etc/pam.d/foo is a copy of /etc/pam.d/shutdown; otherwise, it will do precisely what is specified in /etc/pam.d/foo) and then run /usr/sbin/foo with root permissions.

 

Other suggestions, which I tried, and which didn't work for me included:

I looked at man shutdown, checked and found no shutdown.allow file (I would have expected that if this was a key ingredient, linuxconf would have written it).  I created a shutdown.allow file and added my user account name to it, and saw no apparent difference - even after booting.

 

I also added -a to the shutdown line for CTL-ALT-DEL in /etc/inittab, and saw no apparent difference - even after rebooting.

 

I checked /var/log/messages and found the following lines containing "shutdown":

Oct 28 09:17:18 <hostname> atd: atd shutdown succeeded

Oct 28 09:17:18 <hostname> xfs: xfs shutdown succeeded

Oct 28 09:17:18 <hostname> gpm: gpm shutdown succeeded

Oct 28 09:17:18 <hostname> iscsi: iscsilun shutdown failed

Oct 28 09:17:19 <hostname> xinetd: xinetd shutdown succeeded

Oct 28 09:17:19 <hostname> crond: crond shutdown succeeded

Oct 28 09:17:19 <hostname> nfslock: rpc.statd shutdown succeeded

Oct 28 09:17:19 <hostname> portmap: portmap shutdown succeeded

Oct 28 09:17:20 <hostname> syslog: klogd shutdown succeeded

(I believe the successes refer to shutdowns from root.  The shutdowns from the user account still don't work.

I'm not sure what the iscsi error is,  but I do have a scsi hd, and I used to have 2 of them in the system -- probably had 2 when the linux was installed.)

 

 

I posted the query below to linuxconf, and Jacques replied:

Privileges in linuxconf are linuxconf privilege. may shutdown applies to

the shutdown menu in "control/control panel" menu

You can also reach this functionality from the command line

linuxconf --shutdown

This pops a dialog allowing the user to select shutdown or reboot and the delay.

    [ $ linuxconf --shutdown          # did not work on my RH 7.2 system.]

 

 

 

I would also like to apologize for suggesting that the problem also existed with RH Linux 6.x and 7.x systems.  I was going on my human memory.  I have since tried shutting down from an unpriviledged account on a 7.0 system and it worked without complaint.  I have not had opportunity to try a 6.x system lately, so I'm not sure what they do.  My 5.2 system does not have the problem.

 

Thanks to all for all their help, thoughts, and suggestions.

 

roger werner

 

 -----Original Message-----
From: Werner, Roger NAVAIR
Sent: Friday, October 25, 2002 15:11
To: Linuxconf Mailing List
Subject: [linuxconf] shutdown priviledge

I cannot configure several of my RedHat linux 7.x systems to allow an unpriviledged account to shutdown the system.  (I trust my users enough to know when to and not to shutdown the system and not abuse the priviledge, but I don't trust them enough to give out the root password for simply shutting down.)

I have clicked "May Shutdown" for the account under the Priviledges tab of linuxconf-Config(tab)-users-normal-UserAccounts, and it seems to have no effect. When I try to shutdown -h now or init 0 or even /sbin/shutdown -h now, I get an error.

(From console, unpriv account but "May Shutdown"'d in linuxconf):
$ shutdown -h now
shutdown: must be root.
$ init 0
init: must be superuser.
>       CTL-ATL-DEL works for user accounts on my RH Linux 5.2
>installations, but not for 7.0, or 7.2 systems.  (I'm not sure what 6.x does.)
When one does CTL-ALT-DEL (from the console) in the GNU window manager, the system appears to do nothing. When you do it in a terminal window, it beeps.

What else do I have to do to enable a user to shutdown linux?
I have tried writing a program:
#include <stdlib.h>
main(){ system("init 0");}
copiled it, set owner and group for the executable to root; chmod 4555 and +s on the executiable, and it still won't run for an unpriviledged user.

Keith Mastin, from enigma-list redhat com, suggested someone here might have the answer for me.
roger werner navy mil