Re: Unprivileged user shutdown
>> You're concerned that somebody might be able to use
>> the "poweroff" user's credentials to gain other root
>> privileges? I've not heard of a scenario where this
>> would be a problem.
>
>The man page for su shows an option for changing the default shell that
>is run, "-s". I assume the risk here would be if one of these users were
>to run "su -s /bin/bash" and use the shutdown account's
>password to obtain an unrestricted root shell. I've never tried this so
>I'm not sure if that would work.

The attack you described was anticipated:

   NOTES
        The -m, -p and -s options are restricted by the target user's
        shell being listed in /etc/shells. If it's not listed, then
        it's assumed to be a restricted account, a normal su is
        performed, and those options are ignored silently.

>Perhaps a better solution would be to set up a normal user account
>(ie, not uid=0) and give this user sudo access to run shutdown?

That works, too.

___
gnhlug-discuss mailing list
[EMAIL PROTECTED]
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss
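Added example, not part of the original thread: a small audit that lists every non-root account with UID 0 in a passwd-format file and reports whether the /etc/shells rule quoted in the message above would let su honor -s for it. The function names and the sample accounts "toor" and "blank" are constructed for illustration; the script only reads files and never runs su.

```shell
#!/bin/sh
# Added example: models only the /etc/shells rule from the su(1) NOTES quoted
# above; it reads passwd-format files and never invokes su.

# login_shell USER PASSWD_FILE: print USER's shell (empty field means /bin/sh).
login_shell() {
    awk -F: -v u="$1" '$1 == u { print ($7 == "" ? "/bin/sh" : $7); exit }' "$2"
}

# su_s_honored USER PASSWD_FILE SHELLS_FILE: exit 0 when USER's login shell is
# an exact, non-comment line of SHELLS_FILE, i.e. su would honor -m/-p/-s.
su_s_honored() {
    target_shell=$(login_shell "$1" "$2")
    [ -n "$target_shell" ] || return 1          # unknown user
    grep -v '^#' "$3" | grep -Fxq -- "$target_shell"
}

# audit_uid0 PASSWD_FILE SHELLS_FILE: one line per non-root account with UID 0.
audit_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1" |
    while read -r name; do
        if su_s_honored "$name" "$1" "$2"; then verdict=honored; else verdict=ignored; fi
        echo "$name uid=0 shell=$(login_shell "$name" "$1") su-s=$verdict"
    done
}

# make_sample DIR: write constructed passwd and shells files into DIR.
make_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
poweroff:x:0:0:execute reboot:/root:/usr/bin/poweroff
toor:x:0:0:constructed second root:/root:/bin/bash
blank:x:0:0:constructed, empty shell field:/root:
cole:x:1000:1000::/home/cole:/bin/bash
EOF
    cat > "$1/shells" <<'EOF'
# /etc/shells: valid login shells
/bin/sh
/bin/bash
EOF
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
audit_uid0 "$demo_dir/passwd" "$demo_dir/shells"
rm -rf "$demo_dir"
```

On a real host the same call is audit_uid0 /etc/passwd /etc/shells; any line ending in su-s=honored is a UID-0 account whose login shell does not confine it.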
RE: Unprivileged user shutdown
An idea which comes to mind based on some of the ones already put out:

Create a less-privileged account called "reboot" (or whatever) and set up a sudo allowing that ID to run the shutdown. Set up a call that will kick off that sudo as your default shell. Then, put a call to that same sudo as the first command in their profiles for each shell you have installed to ensure if anyone logs in to that account and overrides the default call it will immediately run the shutdown anyway.

There are probably weaknesses to this as well (nothing is 100%), so please add on if you think of anything.

-Lawrence

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Garman
Sent: Wednesday, October 13, 2004 2:33 PM
To: GNHLUG
Subject: Re: Unprivileged user shutdown

On Wed, 2004-10-13 at 14:11, Michael ODonnell wrote:
> > useradd -c "execute reboot"
> [...]
> > -u 0
> > poweroff
>
> > There aren't any security problems here? It seems like there could
> > be potential issues with having a "second root" account where the
> > password was known. I'm not sure where exactly the problem would
> > come from, but it just seems like there could be potential issues.
>
>
> You're concerned that somebody might be able to use
> the "poweroff" user's credentials to gain other root privileges? I've
> not heard of a scenario where this would be a problem.

The man page for su shows an option for changing the default shell that is run, "-s". I assume the risk here would be if one of these users were to run "su -s /bin/bash" and use the shutdown account's password to obtain an unrestricted root shell. I've never tried this so I'm not sure if that would work.

Perhaps a better solution would be to set up a normal user account (ie, not uid=0) and give this user sudo access to run shutdown?

Scott
Re: Unprivileged user shutdown
On Wed, 2004-10-13 at 14:33, Scott Garman wrote:
> The man page for su shows an option for changing the default shell that
> is run, "-s". I assume the risk here would be if one of these users were
> to run "su -s /bin/bash" and use the shutdown account's
> password to obtain an unrestricted root shell. I've never tried this so
> I'm not sure if that would work.

This is exactly the kind of thing I was concerned about. Surprisingly, I tried it on a local test system here, and doing a:

# su -s /bin/bash shutdown
[ask for password]

from a normal user, still caused the system to power down.

How was that accomplished? Anybody?

--
"... one of the main causes of the fall of the Roman Empire was that, lacking zero, they had no way to indicate successful termination of their C programs." -- Robert Firth

Cole Tuininga
Lead Developer
Code Energy, Inc
[EMAIL PROTECTED]
PGP Key ID: 0x43E5755D
Re: Unprivileged user shutdown
On Wed, 2004-10-13 at 14:11, Michael ODonnell wrote:
> > useradd -c "execute reboot"
> [...]
> > -u 0
> > poweroff
>
> > There aren't any security problems here? It seems like there could
> > be potential issues with having a "second root" account where the
> > password was known. I'm not sure where exactly the problem would
> > come from, but it just seems like there could be potential issues.
>
>
> You're concerned that somebody might be able to use
> the "poweroff" user's credentials to gain other root
> privileges? I've not heard of a scenario where this
> would be a problem.

The man page for su shows an option for changing the default shell that is run, "-s". I assume the risk here would be if one of these users were to run "su -s /bin/bash" and use the shutdown account's password to obtain an unrestricted root shell. I've never tried this so I'm not sure if that would work.

Perhaps a better solution would be to set up a normal user account (ie, not uid=0) and give this user sudo access to run shutdown?

Scott

--
Scott Garman
sgarman at iname dot com
Re: Unprivileged user shutdown
On Wed, Oct 13, 2004 at 01:37:00PM -0400, Kevin D. Clark wrote:
> Cole Tuininga writes:
> > I manage a system remotely for some people who are not terribly linux
> > (or really, computer) savvy. When they need to move the server for
> > whatever reason, they just hit the power button to shut it off.
> >
> > Obviously, this is not preferable.
>
> I accidentally hit the power button for a second on my Fedora Core 2 box
> (kernel 2.6.x) the other night. A few seconds later, the system shut
> itself down cleanly. No, there wasn't a whole lot going on on the box
> at the time.

Comes standard w/Fedora 2. It's part of the acpi daemon (acpid). Look in /etc/acpid/events dir - a file in there specifies what action to take when the power button is pushed. In a native Fedora 2 install it's in "sample.conf".

--
Linux/Open Source. Your base belongs to you, free, forever.
Idealism: "Realism applied over a longer time period"
http://www.scaled.com/projects/tierone/ "Last one into space is a rotten egg!"
Jeff Kinz, Emergent Research, Hudson, MA.
Re: Unprivileged user shutdown
> useradd -c "execute reboot" [...]
> -u 0
> poweroff

> There aren't any security problems here? It seems like there could
> be potential issues with having a "second root" account where the
> password was known. I'm not sure where exactly the problem would
> come from, but it just seems like there could be potential issues.

You're concerned that somebody might be able to use the "poweroff" user's credentials to gain other root privileges? I've not heard of a scenario where this would be a problem.

BTW, if these people have physical access to the machine and you don't trust them, you have bigger security problems to solve than this one...
RE: Unprivileged user shutdown
It's a feature of ACPI. Although you'll need to disable APM and make sure you have some tools installed (http://acpid.sourceforge.net)

http://mirror.hamakor.org.il/archives/linux-il/01-2004/8099.html

Thanks,
Paul

-Original Message-
From: Cole Tuininga [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 13, 2004 1:50 PM
To: GNHLUG List
Subject: Re: Unprivileged user shutdown

On Wed, 2004-10-13 at 13:37, Kevin D. Clark wrote:
> I accidentally hit the power button for a second on my Fedora Core 2 box
> (kernel 2.6.x) the other night. A few seconds later, the system shut
> itself down cleanly. No, there wasn't a whole lot going on on the box
> at the time.
>
> I've never seen it do *that* before. I haven't had time to
> investigate this, but I'd guess that there's a hook in inittab for
> this.
>
> Perhaps you can exploit this functionality for your scenario?

I suspect this is quite possible, but I don't know anything about it. I wouldn't even know where to start googling. 8)

I suspect this has something to do with power management applications.

--
"... one of the main causes of the fall of the Roman Empire was that, lacking zero, they had no way to indicate successful termination of their C programs." -- Robert Firth

Cole Tuininga
Lead Developer
Code Energy, Inc
[EMAIL PROTECTED]
PGP Key ID: 0x43E5755D
Re: Unprivileged user shutdown
On Wednesday, Oct 13th 2004 at 12:12 -0400, quoth Cole Tuininga:

=>
=>Here's a question for you folks.
=>
=>I manage a system remotely for some people who are not terribly linux
=>(or really, computer) savvy. When they need to move the server for
=>whatever reason, they just hit the power button to shut it off.
=>
=>Obviously, this is not preferable.
=>
=>What I'd like to do is to give them a user account that causes the
=>system to go into shutdown mode when logged into.
=>
=>This is on a Debian Woody box.
=>
=>Any thoughts on ways I can accomplish this?

How about sudo?

--
Time flies like the wind. Fruit flies like a banana. Stranger things have  .0.
happened but none stranger than this. Does your driver's license say Organ ..0
Donor?Black holes are where God divided by zero. Listen to me! We are all- 000
individuals! What if this weren't a hypothetical question?
steveo at syslang.net
Re: Unprivileged user shutdown
On Wed, 2004-10-13 at 13:37, Kevin D. Clark wrote:
> I accidentally hit the power button for a second on my Fedora Core 2 box
> (kernel 2.6.x) the other night. A few seconds later, the system shut
> itself down cleanly. No, there wasn't a whole lot going on on the box
> at the time.
>
> I've never seen it do *that* before. I haven't had time to
> investigate this, but I'd guess that there's a hook in inittab for
> this.
>
> Perhaps you can exploit this functionality for your scenario?

I suspect this is quite possible, but I don't know anything about it. I wouldn't even know where to start googling. 8)

I suspect this has something to do with power management applications.

--
"... one of the main causes of the fall of the Roman Empire was that, lacking zero, they had no way to indicate successful termination of their C programs." -- Robert Firth

Cole Tuininga
Lead Developer
Code Energy, Inc
[EMAIL PROTECTED]
PGP Key ID: 0x43E5755D
Re: Unprivileged user shutdown
On Wed, 2004-10-13 at 12:59, Bill McGonigle wrote:
> Do they use ctrl-alt-delete to legitimately cause a restart? You could
> modify inittab to do a shutdown instead.

They do, but they need to keep that functionality. Otherwise that would be a fairly ideal solution. They've used windows - they're used to C-A-D. 8)

--
Cole Tuininga <[EMAIL PROTECTED]>
Re: Unprivileged user shutdown
On Wed, 2004-10-13 at 12:59, Michael ODonnell wrote:
> How about this?
>
> useradd -c "execute reboot"
> -d /root
> -g 0
> -p initialPasswd
> -s /usr/bin/poweroff
> -o
> -u 0
> poweroff

There aren't any security problems here? It seems like there could be potential issues with having a "second root" account where the password was known. I'm not sure where exactly the problem would come from, but it just seems like there could be potential issues.

Or am I just being overly paranoid? 8)

--
Cole Tuininga <[EMAIL PROTECTED]>
Re: Unprivileged user shutdown
Cole Tuininga writes:
> I manage a system remotely for some people who are not terribly linux
> (or really, computer) savvy. When they need to move the server for
> whatever reason, they just hit the power button to shut it off.
>
> Obviously, this is not preferable.

I accidentally hit the power button for a second on my Fedora Core 2 box (kernel 2.6.x) the other night. A few seconds later, the system shut itself down cleanly. No, there wasn't a whole lot going on on the box at the time.

I've never seen it do *that* before. I haven't had time to investigate this, but I'd guess that there's a hook in inittab for this.

Perhaps you can exploit this functionality for your scenario?

Regards,

--kevin
--
GnuPG ID: B280F24E
Re: Unprivileged user shutdown
On Oct 13, 2004, at 12:12, Cole Tuininga wrote:

> What I'd like to do is to give them a user account that causes the
> system to go into shutdown mode when logged into.
>
> This is on a Debian Woody box.
>
> Any thoughts on ways I can accomplish this?

Do they use ctrl-alt-delete to legitimately cause a restart? You could modify inittab to do a shutdown instead.

-Bill

Bill McGonigle, Owner           Work: 603.448.4440
BFC Computing, LLC              Home: 603.448.1668
[EMAIL PROTECTED]               Cell: 603.252.2606
http://www.bfccomputing.com/    Text: [EMAIL PROTECTED]
Re: Unprivileged user shutdown
How about this?

   useradd -c "execute reboot"
           -d /root
           -g 0
           -p initialPasswd
           -s /usr/bin/poweroff
           -o
           -u 0
           poweroff

...all on one line, of course.