[CentOS] How to restrict reboot/poweroff from non-admins?

Theo Band theo.band at greenpeak.com
Wed Mar 28 10:15:50 EDT 2012


On 03/28/2012 04:04 PM, Bob Hoffman wrote:
> On 3/28/2012 10:03 AM, Phil Schaffner wrote:
>> Timo Neuvonen wrote on 03/28/2012 09:17 AM:
>>> I just noticed that CentOS (6.2) by default allows any user to
>>> reboot/poweroff system without any admin rights, or without any further
>>> questions, if using commands 'reboot' or 'poweroff'. But 'shutdown' still
>>> requires admin rights.
>>>
>>> What is the preferred way to restrict any regular user from rebooting /
>>> powering off the system (by accident)?
>>>
>>> IMHO, sudo should be required for this purpose (at least in a system with
>>> shared remote access from multiple users, single-user laptops etc may be a
>>> different case)
>>>
>> OUCH! This seems to qualify as a CentOS bug.  I confirm that a normal
>> user can reboot or poweroff the system on 6.2.  On RHEL:
>>
>> $ rpm -qa redhat-release\*
>> redhat-release-server-6Server-6.2.0.3.el6.x86_64
>> $ poweroff
>> poweroff: Need to be root
>> $ reboot
>> reboot: Need to be root
>>
>> Phil
>>
>>
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> http://lists.centos.org/mailman/listinfo/centos
>>
>>
> I was just reading this the other day in a book but cannot find 
> it...there is some command that limits this...not sure if it was just 
> sudo or not...
> yea, that is scary
Only console users (local users) are allowed to do that. It's configured
using PAM (I use CentOS 5.8, so forgive me if this is not the same for
CentOS 6). I tried to change settings in /etc/pam.d/ and that indeed works:

/etc/pam.d/poweroff
/etc/pam.d/reboot
/etc/pam.d/halt

I added as a second line:
auth       sufficient   pam_rootok.so
# prevent normal users to reboot
auth       required     pam_deny.so
....

But still the user locally logged on to the machine (gnome session) can
switch it off. So I think I also missed something.

Theo
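
An added example, not part of the original post: a shell check that classifies what the auth stack in one of the PAM files named above lets a non-root caller do. The sample stacks are constructed; the stock layout with pam_console.so is an assumption, and the model only understands the four modules listed in the comment. It inspects only these PAM files and says nothing about the GNOME session path the post reports as still working.

```shell
#!/bin/sh
# Classify the auth stack of a PAM service file (e.g. /etc/pam.d/reboot) from
# the point of view of a NON-root caller. Simplified model (assumption): only
# pam_rootok.so, pam_deny.so, pam_console.so and pam_permit.so are understood,
# and the first decisive auth line wins.
classify_pam_auth() {
    # $1 = path to the PAM service file
    awk '
        $1 ~ /^#/ || $1 != "auth" || NF < 3 { next }   # comments, other stacks
        {
            n = split($3, p, "/"); mod = p[n]          # drop any directory prefix
            soft = ($2 == "sufficient" || $2 == "optional")
            if (mod == "pam_rootok.so" || mod == "pam_deny.so") {
                if (soft) next                         # failure is ignored, go on
                verdict = "root-only"                  # hard failure for non-root
            } else if (mod == "pam_console.so") verdict = "console-users"
            else if (mod == "pam_permit.so")  verdict = "any-user"
            else verdict = "unknown:" mod
            exit
        }
        END { print (verdict == "" ? "no-auth-rule" : verdict) }
    ' "$1"
}

# Constructed samples: a stock-style stack (assumed layout) and the stack as
# edited in the post above (deny rule inserted after pam_rootok.so).
demo() {
    d=$(mktemp -d)
    printf '%s\n' '#%PAM-1.0' \
        'auth       sufficient   pam_rootok.so' \
        'auth       required     pam_console.so' \
        'account    required     pam_permit.so' > "$d/stock"
    printf '%s\n' '#%PAM-1.0' \
        'auth       sufficient   pam_rootok.so' \
        '# prevent normal users to reboot' \
        'auth       required     pam_deny.so' \
        'auth       required     pam_console.so' > "$d/edited"
    for f in stock edited; do
        printf '%s: %s\n' "$f" "$(classify_pam_auth "$d/$f")"
    done
    rm -rf "$d"
}
demo
```

On a real host, run `classify_pam_auth` against each of the three files listed in the post and treat anything other than `root-only` as still open to some non-root users.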




