Re: Administration question
Hi David, I work at Western university and we added a user shutdown. We told it when you log in to execute shutdown -h now and that is it. That might be the easiest way to do it. A little time consuming but other then that not the headaches that you could get if the system were to go down. If you need anymore info, email me. Paul On Fri, 15 Aug 1997 [EMAIL PROTECTED] wrote: I am running a Debian system right now as a web development staging server. At present, it is only on a local network, but could conceivably become a gateway to the Internet as well. So for the time being, it is basically a two-user system (me and my wife). I am teaching my wife to do web development, and would like her to be able to use the Linux system. This includes having her be able to shut the system down when she's done using it (we can't afford to leave this old 486 system running without a pretty heavy subsidy from the electric co!). My wife is not a real experienced computer user in general, and she has NO UNIX experience whatsoever. Needless to say, I'm not really crazy about the idea of giving her root access, lest some simple mistake hose the system completely. What would be the best way to enable her to run the shutdown command, without creating a giant security hole which might bite me in the @*% should this machine ever become a gateway? My thoughts up to this point: 1) Creating a group consisting of my wife and myself, and doing a setuid and chmod 710 on the shutdown command itself, and changing group ownership to the group with me and her in it. 2) Creating a group consisting of my wife and myself, and writing a script which executes the shutdown command, then setting the ownership for the script to root, group ownership on the script to our group, and doing a setuid on just the script. It seems to me that the second option is the best as I don't have to monkey around with the permissions on the command. Is the second any more of a security concern than the first, or, as I assume, less? Say my wife's user password is ridiculously easy to guess; do these give the same amount of system access to the person who cracks into her account? Does anyone know of a better way to do this? -- TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word unsubscribe to [EMAIL PROTECTED] . Trouble? e-mail to [EMAIL PROTECTED] . -- TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word unsubscribe to [EMAIL PROTECTED] . Trouble? e-mail to [EMAIL PROTECTED] .
Re: Administration question
If she has access to the system, just tell her to do a ctrl-all-del, and then when the machine reboots turn it off during the memory check. Shaya -- TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word unsubscribe to [EMAIL PROTECTED] . Trouble? e-mail to [EMAIL PROTECTED] .
Re: Administration question
[EMAIL PROTECTED] wrote: I am running a Debian system right now as a web development staging server. At present, it is only on a local network, but could conceivably become a gateway to the Internet as well. So for the time being, it is basically a two-user system (me and my wife). I am teaching my wife to do web development, and would like her to be able to use the Linux system. This includes having her be able to shut the system down when she's done using it (we can't afford to leave this old 486 system running without a pretty heavy subsidy from the electric co!). My wife is not a real experienced computer user in general, and she has NO UNIX experience whatsoever. Needless to say, I'm not really crazy about the idea of giving her root access, lest some simple mistake hose the system completely. What would be the best way to enable her to run the shutdown command, without creating a giant security hole which might bite me in the @*% should this machine ever become a gateway? My thoughts up to this point: 1) Creating a group consisting of my wife and myself, and doing a setuid and chmod 710 on the shutdown command itself, and changing group ownership to the group with me and her in it. 2) Creating a group consisting of my wife and myself, and writing a script which executes the shutdown command, then setting the ownership for the script to root, group ownership on the script to our group, and doing a setuid on just the script. I prefer #1 because setuid scripts are always a poor idea. If the script is in suidperl (or is it perlsuid?), I'd object less (and in a pinch I might even do #2 for quickness, given proper signal handling at the top of the script). In short, I guess I'm saying Do it the way you know best; just make sure you handle all interupts at the top of your code and THINK about what you're doing and the order you do it in. It seems to me that the second option is the best as I don't have to monkey around with the permissions on the command. Is the second any more of a security concern than the first, or, as I assume, less? Say my wife's user password is ridiculously easy to guess; do these give the same amount of system access to the person who cracks into her account? Does anyone know of a better way to do this? -- TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word unsubscribe to [EMAIL PROTECTED] . Trouble? e-mail to [EMAIL PROTECTED] . -- - Ralph Winslow [EMAIL PROTECTED] The IQ of the group is that of the member whose IQ is lowest divided by the number of members. -- TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word unsubscribe to [EMAIL PROTECTED] . Trouble? e-mail to [EMAIL PROTECTED] .
Re: Administration question
Why not just tell her to use Control-Alt-Delete to shut down the system? Debian will perform an orderly shutdown and reboot the machine, at which time it can be safely powered off. No magic necessary. Regards, Jeff -- Make it idiot-proof, and someone will breed a better idiot. PGP mail welcome! Visit http://www.planetfall.com/pgp.html for my PGP key. I changed the ctrlaltdel line in /etc/inittab to: # What to do when CTRL-ALT-DEL is pressed. ca:12345:ctrlaltdel:/sbin/shutdown -t1 -h now This gives me a clean shutdown without trying to hit the power button on time. I suppose there is a security issue, but this machine is for home use only. Later Rob -- TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word unsubscribe to [EMAIL PROTECTED] . Trouble? e-mail to [EMAIL PROTECTED] .
Re: Administration question
Why not just tell her to use Control-Alt-Delete to shut down the system? Debian will perform an orderly shutdown and reboot the machine, at which time it can be safely powered off. No magic necessary. Regards, Jeff -- Make it idiot-proof, and someone will breed a better idiot. PGP mail welcome! Visit http://www.planetfall.com/pgp.html for my PGP key. -- TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word unsubscribe to [EMAIL PROTECTED] . Trouble? e-mail to [EMAIL PROTECTED] .
Re: Administration question
On Fri, 15 Aug 1997 [EMAIL PROTECTED] wrote: What would be the best way to enable her to run the shutdown command, without creating a giant security hole which might bite me in the @*% should this machine ever become a gateway? My thoughts up to this point: Why don't you use sudo? It allows you to execute root commands as a normal user. I believe you can (as root) specify which users are allowed to do which commands in the /etc/sudoers file. We have a .deb of sudo someplace ... hit www.debian.org and find it. Will --- [EMAIL PROTECTED] [EMAIL PROTECTED] http://www.cis.udel.edu/~lowe/ For PGP Public Key, visit my website. --- -- TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word unsubscribe to [EMAIL PROTECTED] . Trouble? e-mail to [EMAIL PROTECTED] .
Re: Administration question
What would be the best way to enable her to run the shutdown command, without creating a giant security hole which might bite me in the @*% should this machine ever become a gateway? My thoughts up to this point: 1) Creating a group consisting of my wife and myself, and doing a setuid and chmod 710 on the shutdown command itself, and changing group ownership to the group with me and her in it. Not a bad idea - though anyone who can crack into the system *could* gain access to this one commend. 2) Creating a group consisting of my wife and myself, and writing a script which executes the shutdown command, then setting the ownership for the script to root, group ownership on the script to our group, and doing a setuid on just the script. Linux doesn't support suid on scripts - it's *that* big of a security hole! A wrapper program would be more like it. It seems to me that the second option is the best as I don't have to monkey around with the permissions on the command. Is the second any more of a security concern than the first, or, as I assume, less? Say my wife's user password is ridiculously easy to guess; do these give the same amount of system access to the person who cracks into her account? Does anyone know of a better way to do this? Yes! Try using sudo or super. They allow ordinary users to have access to specific system level programs without monkeying around with permissions. I've used sudo for a long time and am happy with the access it allows. Super may be even easier to use, I'm not sure. Another way that I've seen systems handle this - not advocating it - just mentioning... is to have a shutdown user (w/ a password of course) that runs the shutdown command upon login. If this user has root equivalent authority (the SCO systems I've seen with this are user=0, group=0... shudder...) then just logging in will bring the system down. It's an option - not a very good one, but an option. Chuck -- Chuck Stickelman, Owner E-Mail: [EMAIL PROTECTED] Practical Network DesignVoice: (419) 529-3841 9 Chambers Road FAX:(419) 529-3625 Mansfield, OH 44906-1302 USA -- TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word unsubscribe to [EMAIL PROTECTED] . Trouble? e-mail to [EMAIL PROTECTED] .