On 03/28/2012 04:04 PM, Bob Hoffman wrote:
On 3/28/2012 10:03 AM, Phil Schaffner wrote:
Timo Neuvonen wrote on 03/28/2012 09:17 AM:
I just noticed that CentOS (6.2) by default allows any user to reboot/poweroff system without any admin rights, or without any further questions, if using commands 'reboot' or 'poweroff'. But 'shutdown' still requires admin rights.
What is the preferred way to restrict any regular user from rebooting / powering off the system (by accident)?
IMHO, sudo should be required for this purpose (at least in a system with shared remote access from multiple users, single-user laptops etc may be a different case)
OUCH! This seems to qualify as a CentOS bug. I confirm that a normal user can reboot or poweroff the system on 6.2. On RHEL:
$ rpm -qa redhat-release* redhat-release-server-6Server-6.2.0.3.el6.x86_64 $ poweroff poweroff: Need to be root $ reboot reboot: Need to be root
Phil
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
I was just reading this the other day in a book but cannot find it...there is some command that limits this...not sure if it was just sudo or not... yea, that is scary _______________________________________________
Only console users (local users) are allowed to do that. It's configured using pam (I use Centos5.8 so forgive me if this is not the same for CentOS6). I tried to change settings in /etc/pam.d/ and that indeed works:
/etc/pam.d/poweroff /etc/pam.d/reboot /etc/pam.d/halt
I added as a second line : auth sufficient pam_rootok.so # prevent normal users to reboot auth required pam_deny.so ....
But still the user locally logged on to the machine (gnome session) can switch it off. So I think I also missed something.
Theo