On Mon, 11 Jun 2001, you wrote:
> Pablo Manalastas wrote:
> > 
> > On Thu, 7 Jun 2001, omegaman megaman wrote:
> > 
> > > i'm using a redhat7.0 and i found out that even if you
> > > are an ordinary user with shell account you can reboot the
> > > system, is there a fix for this or extra configuration
> > > that will fix this?
> <snip>
> > By the way, the above statements apply not only to
> > RedHat but to other Linux distros, and maybe to other
> > Unix machines.
> 
> There's more to it if you're using RedHat 7.1 (and presumably 7.0). RH
> has symlinked /usr/bin/reboot to /usr/bin/consolehelper.
> consolehelper(8) is "a wrapper that helps console users run system
> programs". In short, ANY user with shell and physical access can reboot
> the machine just by typing "reboot". 
> 
> I count this as a grave error on RH's part. While it's true that if you
> have physical console you can force a reboot, one shouldn't tempt fate
> by leaving such power in the hands of users.

hi brian and doc mana,

actually, this behaviour is configurable thru
/etc/pam.d/reboot

on my rh6.2 box i normally had:
======<snip>======
#%PAM-1.0
auth       sufficient   /lib/security/pam_rootok.so
auth       required     /lib/security/pam_console.so
auth       required     /lib/security/pam_pwdb.so
account    required     /lib/security/pam_permit.so
======<snip>======
and mike says his rh7.1 box had something similar,
though not exactly the same.

with this setup, when i enter 'reboot' as an ordinary user,
the system prompts me for my (not root's) password.
if i give the correct password, the system reboots.



now when i changed it to:
======<snip>======
#%PAM-1.0
auth       sufficient   /lib/security/pam_rootok.so
#auth       required     /lib/security/pam_console.so
#auth       required     /lib/security/pam_pwdb.so
#account    required     /lib/security/pam_permit.so
======<snip>======

when i issue a 'reboot' as an ordinary user,
the system just ignores it.



also, when i changed it to look like:
======<snip>======
#%PAM-1.0
auth       sufficient   /lib/security/pam_rootok.so
auth       required     /lib/security/pam_console.so
#auth       required     /lib/security/pam_pwdb.so
account    required     /lib/security/pam_permit.so
======<snip>======

issuing a 'reboot' as an ordinary user made the system
reboot immediately, no more prompting for a password!
so kids, be careful when you try this at home...:)


neat huh?
i'll leave the explaining up to migz paraz,
the pam guru himself...  (hi'ya migz!).

hth,
-eric
--
 .--.  Enrique D. Rosel II                     office://+63.2.894.3592/
( () ) Q Linux Solutions, Inc.
 `--\\ A Philippine Open Source Solutions Co.  http://www.q-linux.com/
Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
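
The three /etc/pam.d/reboot variants described in the message above can be checked offline with the following added example, which is not part of the original post or of Linux-PAM. It assumes a simplified model of the `sufficient`/`required`/`requisite` control flags and a hypothetical `user` dictionary standing in for what pam_rootok, pam_console and pam_pwdb each test; all function names are illustrative.

```python
import os

# Constructed copy of the rh6.2 /etc/pam.d/reboot quoted in the message.
ORIGINAL = """\
#%PAM-1.0
auth       sufficient   /lib/security/pam_rootok.so
auth       required     /lib/security/pam_console.so
auth       required     /lib/security/pam_pwdb.so
account    required     /lib/security/pam_permit.so
"""
# What each module checks, reduced to one boolean attribute of the user.
CHECKS = {"pam_rootok.so": "is_root", "pam_console.so": "at_console",
          "pam_pwdb.so": "knows_own_password"}

def comment_out(text, *modules):
    """Return text with every line naming one of `modules` commented out."""
    return "".join("#" + l if any(m in l for m in modules) else l
                   for l in text.splitlines(keepends=True))

def auth_stack(text):
    """Parse the active 'auth' lines into (control, module) pairs."""
    fields = (line.split("#", 1)[0].split() for line in text.splitlines())
    return [(f[1], os.path.basename(f[2])) for f in fields
            if len(f) >= 3 and f[0] == "auth"]

def evaluate(stack, user):
    """Simplified control-flag model; returns (allowed, password_prompted)."""
    passed = failed = prompted = False
    for control, module in stack:
        prompted = prompted or module == "pam_pwdb.so"
        ok = bool(user.get(CHECKS.get(module)))  # unknown module counts as failing
        if control == "sufficient" and ok and not failed:
            return True, prompted              # success ends the stack early
        if control in ("required", "requisite"):
            passed, failed = passed or ok, failed or not ok
            if control == "requisite" and not ok:
                break
        # a failing 'sufficient' (or any 'optional') decides nothing here
    return passed and not failed, prompted     # nothing passed means denied

def passwordless_for_console_user(text):
    """True if a non-root user at the console is let through with no prompt."""
    user = {"is_root": False, "at_console": True, "knows_own_password": True}
    allowed, prompted = evaluate(auth_stack(text), user)
    return allowed and not prompted

if __name__ == "__main__":
    variants = {"original": ORIGINAL,
                "rootok only": comment_out(ORIGINAL, "pam_console", "pam_pwdb", "pam_permit"),
                "pam_pwdb removed": comment_out(ORIGINAL, "pam_pwdb")}
    for name, text in variants.items():
        print(name, "-> passwordless reboot:", passwordless_for_console_user(text))
```

Only the variant with pam_pwdb commented out is flagged, which matches the immediate reboot reported in the message.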