Yes - we've done things like make SHUTDOWN a class Z command only - and force the operator to issue SET PRIV * +Z to shutdown, as you suggest. Also the SHUTDOWN EXEC approach which is fine unless they are really VM experienced and type #CP SHUTDOWN out of sheer habit (as I've done thinking I'm on a 2nd level system, horrified to realize the system name in the right bottom corner was the 1st level system).
The CP class trick is probably the best way to at least 'pause' you for a second .. but I can see myself just as blindly doing a: #cp set priv * +z#cp shutdown thinking I know what I'm doing.. Caution with the command SHUTDOWN is the only safe bet in the end if it must be 'shutdown'. Scott Put SHUTDOWN in its own privilege class, and have no one in that class by > default. Require a Class A user to add himself to that class before running > SHUTDOWN. > > This is more effort than I usually go to. I just put a SHUTDOWN EXEC on > MAINT and OPERATOR's 191-disks (my OPERATOR runs CMS). > > /* Shutdown ? */ > say "No." > > > Adam >
