On Sun, 19 Mar 2000, Philip S Tellis wrote:
> Date: Sun, 19 Mar 2000 17:49:57 +0530
> From: Philip S Tellis <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Re: [ILUG-BOM] shutdown and halt
> Resent-Date: Sun, 19 Mar 2000 07:16:59 -0500
> Resent-From: [EMAIL PROTECTED]
>
> Devdas Bhagat wrote:
> >
> > Does consolehelper have permission to execute shutdown? consolehelper is
> > suid root, but I presume that it will look only in the current path for
> > the executable, and not outside it. (su does not change your current
> > path).
>
> Basically, for any program under /sbin, i.e. for /sbin/foo, there is a
> corresponding program called /usr/bin/foo that is executable by non-root
> users. These files are executed through console-helper. console-helper
> will check for file /etc/pam.d/foo and only if it exists will allow user
> to execute foo. But I can bypass all this by just executing /sbin/foo
> regardless of who or where I am.
>
> > If you want to shutdown the physical console (as different from
> > terminal), then you need to be root. Else, the user should be able to
> > shutdown. (I have no network experience, but this may be a possibility).
>
> That's my problem. If someone telnets into my system and executes
> /sbin/shutdown, what then? Ok, I can set /sbin/shutdown as -rwx------
> and that will save me, but why isn't it default? This seems to be a bug in
> RedHat at least. I think everyone should check their systems to see if
> programs in /sbin and /usr/sbin are world executable.
>
Many programs in /usr/sbin and /sbin are world-executable, but
most of them check whether root is executing them, and if not
they give a warning message and exit.
At least on Solaris, /usr/sbin/shutdown and /etc/shutdown are
sh scripts which check the user executing them, and if the user is
not root they give the warning and exit.
As far as Linux is concerned, I haven't checked it, but it
should be the same. I had a Linux box earlier, but for some reason
I had to format it; on it I was able to shut down only
from the console, and only by giving USER PASSWD.
> Let's make a list of distros that have this problem and tell them about
> it.
>
> Philip
>
> To subscribe / unsubscribe go to the site www.ilug-bom.org, click on the
> mailing list button, fill in the appropriate information and submit.
> For any other queries contact the ML maintainer.
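
The check Philip asks for above (are the programs in /sbin and /usr/sbin world executable?), as an added sketch that is not part of the original thread. The function name `audit_dirs` and the three class labels are assumptions made for this example; it lists setuid/setgid files separately because those run with the owner's or group's privileges for any caller, while a plain world-executable file runs with the caller's own.

```shell
#!/bin/sh
# Added example (not from the thread): classify the regular files directly
# inside each directory by who may execute them. Needs find with -maxdepth
# (GNU and BSD find both have it). -H resolves a symlinked /sbin.
#   SUID-WORLD  world-executable and setuid/setgid: runs with the owner's or
#               group's privileges for any caller, so review these first
#   WORLD       world-executable: runs with the caller's own privileges
#   RESTRICTED  no execute bit for "other"
audit_dirs() {
    for d in "$@"; do
        [ -d "$d" ] || { echo "skipping $d: not a directory" >&2; continue; }
        find -H "$d" -maxdepth 1 -type f \( \
            -perm -0001 \( -perm -4000 -o -perm -2000 \) \
                -exec printf 'SUID-WORLD %s\n' {} \; -o \
            -perm -0001 -exec printf 'WORLD %s\n' {} \; -o \
            -exec printf 'RESTRICTED %s\n' {} \; \)
    done | LC_ALL=C sort
}

# Run as: sh audit.sh /sbin /usr/sbin
if [ "$#" -gt 0 ]; then
    audit_dirs "$@"
fi
```

The output is sorted by class, so any SUID-WORLD entries sit together between the RESTRICTED and WORLD lines.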