Re: Allowing users to shutdown
On Wed, 26 Jan 2000, Bill Wilson wrote:

> I agree 100%. I was just describing what I had done for single user
> home setup. Shortly after I posted that message I was regretting not
> having suggested a /usr/bin/shutdown script using sudo as a better idea
> for many who read the list. Sorry.

how I did it (temporarily) was to add a new group, shutdown. put two trusted users in it, 'chown root.shutdown shutdown', 'chmod 750 shutdown', 'chmod u+s shutdown'. hence, only members of shutdown are allowed to execute it, and it will be run suid root.

--
yours etc. [gin & tonic.ucam.org] Tel: 01223 519254
David. Pager: 07654 341140 [EMAIL PROTECTED]
PGP: finger -l [EMAIL PROTECTED]
Re: Allowing users to shutdown
On 26-Jan-00 Ethan Benson wrote:

>>ln -s /sbin/shutdown /usr/bin/shutdown
>>chmod a+s /sbin/shutdown
>
> this will allow ANYONE on your system to shutdown or reboot your
> system, whether they are logged into gnome or logged in via ssh from
> anywhere..
>
> if security is not a big deal for you then this may be fine. but if
> you are concerned for security that is a very bad idea..

I agree 100%. I was just describing what I had done for single user home setup. Shortly after I posted that message I was regretting not having suggested a /usr/bin/shutdown script using sudo as a better idea for many who read the list. Sorry.

Bill

---
Bill Wilson <[EMAIL PROTECTED]>
Re: Allowing users to shutdown
On 26/1/2000 Svante Signell wrote:

> This question has been sent to the gnome, debian, redhat and suse lists
> in December with no answer like this, see the summary in the gnome-list
> or the debian-user list dated December 14 1999. The closest was to use
> sudo or similar since I don't want to use xdm/gdm/kdm. Now only remains
> how to find a similar solution for kde. (Gnome in Redhat already has a
> solution for this via PAM) Any security issues with the solution below?

yes, anyone and their brother can now execute shutdown as root and thus anyone can shutdown the system, usually not what you want. whether someone could somehow get a rootshell out of a suid shutdown I do not know but i would not take the chance.

much better way to do this is add anyone who is allowed to shutdown to sudoers and add the following script to /usr/local/bin

    #! /bin/sh
    sudo shutdown -h now

redhat has a convoluted solution that turned out to be insecure, they have since fixed it, but still I would not run their usermode module on my system after that.. sudo is just as easy and much safer.

--
Ethan Benson
To obtain my PGP key: http://www.alaska.net/~erbenson/pgp/
Re: Allowing users to shutdown
On 25/1/2000 Bill Wilson wrote:

> ln -s /sbin/shutdown /usr/bin/shutdown
> chmod a+s /sbin/shutdown

this will allow ANYONE on your system to shutdown or reboot your system, whether they are logged into gnome or logged in via ssh from anywhere..

if security is not a big deal for you then this may be fine. but if you are concerned for security that is a very bad idea..

--
Ethan Benson
To obtain my PGP key: http://www.alaska.net/~erbenson/pgp/
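
As an added example, not part of any poster's message: the two permission setups contrasted in this thread ('chmod a+s' on shutdown versus the root.shutdown group with 'chmod 750' plus 'chmod u+s') can be told apart from the mode bits alone. The function name, the labels it prints and the temporary stand-in files are constructed for illustration, and GNU stat is assumed.

```shell
#!/bin/sh
# Classify who may execute a setuid binary, from its mode bits.
# Added illustration; assumes GNU stat (-c format strings).
classify_suid() {
    mode=$(stat -L -c '%a' "$1") || return 2
    m=$((0$mode))                      # octal string -> integer
    if [ $((m & 04000)) -eq 0 ]; then
        echo "not-setuid"
    elif [ $((m & 00001)) -ne 0 ]; then
        echo "setuid-world"            # any account, local or via ssh, can run it
    elif [ $((m & 00010)) -ne 0 ]; then
        echo "setuid-group:$(stat -L -c '%G' "$1")"   # only this group can run it
    else
        echo "setuid-owner-only"
    fi
}

# Constructed sample: empty stand-in files given the two modes from the thread.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/world"; chmod 755 "$d/world"; chmod a+s "$d/world"
    : > "$d/group"; chmod 750 "$d/group"; chmod u+s "$d/group"
    for f in "$d/world" "$d/group"; do
        printf '%s  %s\n' "$(stat -c '%A' "$f")" "$(classify_suid "$f")"
    done
    rm -rf "$d"
}
demo
```

Pointing classify_suid at the real shutdown binary shows which of the two setups a machine is actually in.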
Re: Allowing users to shutdown
At last somebody has an acceptable solution for this use of GNU/Linux!!

This question has been sent to the gnome, debian, redhat and suse lists in December with no answer like this, see the summary in the gnome-list or the debian-user list dated December 14 1999. The closest was to use sudo or similar since I don't want to use xdm/gdm/kdm. Now only remains how to find a similar solution for kde. (Gnome in Redhat already has a solution for this via PAM)

Any security issues with the solution below?

Svante S.

Bill Wilson writes:
> On 01/24/00, Joseph A. Martin addressed "Allowing users to shutdown":
> > I have set up a Linux workstation for my family's use. They
> > only need to keep the system on for short periods. (For various
> > reasons I don't want to leave it on full time.) They are using the
> > icewm window manager, which, when they hit ctrl-alt-del, gives them
> > the option of shutting down or rebooting the system. /sbin/shutdown
> > has permissions that do not allow them to use the shutdown command,
> > unfortunately. What permissions must I set to allow anyone on that
> > system to shut it down?
>
> If you run Gnome on a home workstation you could customize it like
> I did for a friend who is just learning Linux. Gnome has hardwired
> code that needs /usr/bin/shutdown and looks for a /var/lock/console/$USER
> before adding reboot and halt options to the "Log out" popup from the
> gnome menu. So I did this:
>
> ln -s /sbin/shutdown /usr/bin/shutdown
> chmod a+s /sbin/shutdown
> mkdir /var/lock/console
> touch /var/lock/console/betty
> chattr +i /var/lock/console/betty #Could be in a startup script for the unlazy
>
> Now she happily shuts down with four clicks. I haven't followed this whole
> thread, so sorry if I'm repeating anything - also, is there a preferred
> Debian way to set up the console lock and shutdown link so gnome will show
> the reboot and halt options? This has to have come up before...
>
> ---
> Bill Wilson <[EMAIL PROTECTED]>
Re: Allowing users to shutdown
On 01/24/00, Joseph A. Martin addressed "Allowing users to shutdown":
> I have set up a Linux workstation for my family's use. They
> only need to keep the system on for short periods. (For various
> reasons I don't want to leave it on full time.) They are using the
> icewm window manager, which, when they hit ctrl-alt-del, gives them
> the option of shutting down or rebooting the system. /sbin/shutdown
> has permissions that do not allow them to use the shutdown command,
> unfortunately. What permissions must I set to allow anyone on that
> system to shut it down?

If you run Gnome on a home workstation you could customize it like I did for a friend who is just learning Linux. Gnome has hardwired code that needs /usr/bin/shutdown and looks for a /var/lock/console/$USER before adding reboot and halt options to the "Log out" popup from the gnome menu. So I did this:

    ln -s /sbin/shutdown /usr/bin/shutdown
    chmod a+s /sbin/shutdown
    mkdir /var/lock/console
    touch /var/lock/console/betty
    chattr +i /var/lock/console/betty #Could be in a startup script for the unlazy

Now she happily shuts down with four clicks. I haven't followed this whole thread, so sorry if I'm repeating anything - also, is there a preferred Debian way to set up the console lock and shutdown link so gnome will show the reboot and halt options? This has to have come up before...

---
Bill Wilson <[EMAIL PROTECTED]>
Re: Allowing users to shutdown
On 01/24/00, Joseph A. Martin addressed "Allowing users to shutdown":
> I have set up a Linux workstation for my family's use. They
> only need to keep the system on for short periods. (For various
> reasons I don't want to leave it on full time.) They are using the
> icewm window manager, which, when they hit ctrl-alt-del, gives them
> the option of shutting down or rebooting the system. /sbin/shutdown
> has permissions that do not allow them to use the shutdown command,
> unfortunately. What permissions must I set to allow anyone on that
> system to shut it down?

A real simple solution is to change what Ctrl-Alt-Del does in /etc/inittab. On my wife's machine, I changed it a little to say:

    # What to do when CTRL-ALT-DEL is pressed.
    ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -h now

That way she can bring it down to a state where it's safe to shut off or reset without any further customization to the system. She's not even in sudoers. Of course, Ctrl-Alt-Del may be intercepted at certain times, e.g. in X, but all she has to do is go to a free VT if that's the case.

--
Jesse Jacobsen, Pastor [EMAIL PROTECTED]
Grace Lutheran Church (ELS) http://www.jvlnet.com/~jjacobsen/
Madison, Wisconsin GnuPG public key ID: 2E3EBF13
Re: Allowing users to shutdown
On 24/1/2000 Joseph A. Martin wrote:

> I have set up a Linux workstation for my family's use. They only need
> to keep the system on for short periods. (For various reasons I don't
> want to leave it on full time.) They are using the icewm window
> manager, which, when they hit ctrl-alt-del, gives them the option of
> shutting down or rebooting the system. /sbin/shutdown has permissions
> that do not allow them to use the shutdown command, unfortunately.
> What permissions must I set to allow anyone on that system to shut it
> down?

you have to use sudo, shutdown is world executable, it just checks that the user executing it is uid 0

what i did for a similar situation was give the users in question sudo privileges to execute shutdown -h -a now and wrote a couple wrapper scripts that i put in /usr/local/bin so users can just type shutdown and the system goes down. for windowmaker i added a button to the dock which they can double click and the system goes down.

another trick i did is by adding that -a switch to shutdown, this way i can add a script to my .bashrc file to run sudo touch /etc/shutdown.allow and sudo rm -f /etc/shutdown.allow to .bash_logout this way when i am working on the system through ssh they cannot inadvertently shut it down on me. my wrapper scripts check for that file and either print out a useful message or call xmessage to put up a dialog with a useful message.

I assume you can configure icewm to call something else on control alt delete, just have it call sudo shutdown -h now, or a wrapper script if you go the route i did.

(btw if you use wrapper scripts like i did, you need to add a symlink from /usr/local/sbin/shutdown -> /sbin/shutdown otherwise sudo will try and run your fake shutdown wrapper instead of the real one)

--
Ethan Benson
To obtain my PGP key: http://www.alaska.net/~erbenson/pgp/
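
A sketch of the wrapper approach described in the message above, as an added example that is not the poster's own script. The sudoers line, the message text, the environment-variable overrides and the use of an absolute /sbin/shutdown path (instead of the symlink the poster mentions) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example of a /usr/local/bin/shutdown wrapper; not the poster's script.
# Assumed sudoers entry (edit with visudo; "betty" is the sample user
# name that appears elsewhere in this thread):
#   betty ALL = /sbin/shutdown -h -a now
LOCK_FILE=${LOCK_FILE:-/etc/shutdown.allow}
REAL_SHUTDOWN=${REAL_SHUTDOWN:-/sbin/shutdown}  # absolute, so sudo never re-enters this wrapper
SUDO=${SUDO:-sudo}

# Show a dialog under X when xmessage is available, otherwise print to stderr.
notify() {
    if [ -n "${DISPLAY:-}" ] && command -v xmessage >/dev/null 2>&1; then
        xmessage "$1"
    else
        echo "$1" >&2
    fi
}

# Refuse while the administrator's login has created the lock file;
# otherwise run exactly the command line that sudoers permits.
request_shutdown() {
    if [ -e "$LOCK_FILE" ]; then
        notify "Shutdown is blocked: someone is working on this machine remotely."
        return 1
    fi
    $SUDO "$REAL_SHUTDOWN" -h -a now
}

# Act only when installed and invoked under the name "shutdown".
case "$0" in
    */shutdown|shutdown) request_shutdown ;;
esac
```

Listing the full command line with its arguments in sudoers means the listed users can halt the machine through sudo but cannot pass shutdown any other options.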
Allowing users to shutdown
Hello,

I have set up a Linux workstation for my family's use. They only need to keep the system on for short periods. (For various reasons I don't want to leave it on full time.) They are using the icewm window manager, which, when they hit ctrl-alt-del, gives them the option of shutting down or rebooting the system. /sbin/shutdown has permissions that do not allow them to use the shutdown command, unfortunately. What permissions must I set to allow anyone on that system to shut it down?

thanks.

later,
joseph

--
the "LaterDude" ICQ: 52640402
[EMAIL PROTECTED] http://www.ice-works.com/personal/LaterDude/
All opinions expressed are my own and not necessarily those of my employer unless otherwise noted.