[CentOS] Wrapper script for shutdown, passwd, etc. commands

Mon Jul 13 15:03:10 UTC 2015
Leon Fauster <leonfauster at googlemail.com>

On 13.07.2015 at 16:47, Kwan Lowe <kwan.lowe at gmail.com> wrote:
> On Mon, Jul 13, 2015 at 10:21 AM, Jonathan Billings <billings at negate.org>
> wrote:
> 
>> Are you saying that this is an interactive process on the system?  I'd
>> suggest you make sure this isn't some sort of email ticket that stores
>> a password or emails it.
>> 
> 
> Thanks for the reply.  I'm thinking that the password would only be there
> to confirm. It would not be stored but would possibly leverage PAM.
> 
> 
>> You could probably use 'sudo' to handle the part of authenticating the
>> user, and run a very limited service that queried a secure system for
>> approval and initiated the shutdown.
>> 
> 
> sudo was a possibility. However, I want to do this specifically for folks
> with root access so sudo's checks won't work.
> 
> This is for two reasons:  Audit requirements and as a second check for the
> admin. We've had a couple instances recently where the admin did work on
> the wrong server. Though I don't see any way to totally lock it down for
> someone with root access, I want to make it at least give some sort of
> warning.


If your need is to be sure that the admin works on the right system,
then I suggest putting something explicitly into /etc/motd (man motd).

If your work policy allows "folks" to work directly as root, then
everything can be circumvented. That said, to suggest something
totally trivial: aliases

cat /etc/profile.d/local.sh 
alias shutdown='/usr/local/sbin/wrapper-shutdown'

thought
--
LF
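
One possible body for the /usr/local/sbin/wrapper-shutdown that the alias above points at, as an added example that is not part of the original message: it makes the admin type the machine's hostname and writes the decision to syslog before handing off to the real binary. The REAL_SHUTDOWN path, the log tag and the function names are assumptions, and, as the message says, anyone working as root can bypass an alias.

```shell
#!/bin/bash
# wrapper-shutdown (added example): ask the admin to type this machine's
# hostname before handing off to the real shutdown binary.
# Assumptions: REAL_SHUTDOWN path, LOG_TAG and all function names are illustrative.
REAL_SHUTDOWN=${REAL_SHUTDOWN:-/sbin/shutdown}
LOG_TAG=wrapper-shutdown

# Short hostname of this machine, lower-cased.
this_host() {
    uname -n | cut -d. -f1 | tr '[:upper:]' '[:lower:]'
}

# Return 0 only if the typed answer matches the expected short hostname.
# Usage: confirm_host <typed> [<expected>]
confirm_host() {
    typed=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    expected=${2:-$(this_host)}
    [ -n "$typed" ] && [ "$typed" = "$expected" ]
}

# Audit trail: send the decision to syslog (authpriv) if logger is available.
audit() {
    who=${SUDO_USER:-$(logname 2>/dev/null || id -un)}
    if command -v logger >/dev/null 2>&1; then
        logger -t "$LOG_TAG" -p authpriv.notice "user=$who $*" 2>/dev/null || true
    fi
}

main() {
    host=$(this_host)
    printf 'About to run: shutdown %s\n' "$*" >&2
    printf 'Type the hostname of THIS machine to confirm: ' >&2
    read -r answer || answer=
    if confirm_host "$answer" "$host"; then
        audit "confirmed host=$host args=$*"
        exec "$REAL_SHUTDOWN" "$@"
    fi
    audit "refused host=$host args=$*"
    echo "Hostname mismatch, not shutting down $host." >&2
    return 1
}

# Run only when installed under the name the alias points at, so the
# functions above can be sourced and tested without side effects.
if [ "${0##*/}" = "wrapper-shutdown" ]; then
    main "$@"
    exit $?
fi
```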