I would like to be able to allow regular users that don't have admin privileges to be able to reboot their workstation. (they're software developers so rebooting their workstation doesn't affect anybody else)
I tried changing the ownership of /sbin/reboot and /sbin/shutdown to root:users and permissions to 550, but that didn't work - it's still asking for root privileges.
Possibly the problem might be that there's centralized LDAP authentication, not local, so the changes I made only apply to local accounts?
Any suggestions?
FW
Did you try adding
UserName ALL= NOPASSWD: /sbin/reboot
As the last line of their /etc/sudoers files? (replacing UserName with their actual user name, of course.)
That should grant them root access to only the /sbin/reboot command (add more commands using comma delimiting).
Then they just run $ sudo reboot
If you want to require they enter their own password before rebooting, use the line
UserName ALL=/sbin/reboot
Instead.
Use of sudo is recorded in /var/log/secure, if I recall correctly.
That seems to have worked on my own test account - I applied it to the user having the issue and asked for his feedback when he gets a chance.
Thanks!
On Fri, Feb 2, 2018 at 11:40 AM, Darr247 darr247@gmail.com wrote:
Did you try adding
UserName ALL= NOPASSWD: /sbin/reboot
As the last line of their /etc/sudoers files? (replacing UserName with their actual user name, of course.)
That should grant them root access to only the /sbin/reboot command (add more commands using comma delimiting).
Then they just run $ sudo reboot
If you want to require they enter their own password before rebooting, use the line
UserName ALL=/sbin/reboot
Instead.
Use of sudo is recorded in /var/log/secure, if I recall correctly.
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
W dniu 02.02.2018 o 18:27, Felipe Westfields pisze:
That seems to have worked on my own test account - I applied it to the user having the issue and asked for his feedback when he gets a chance. Thanks! On Fri, Feb 2, 2018 at 11:40 AM, Darr247 darr247@gmail.com wrote:
Did you try adding UserName ALL= NOPASSWD: /sbin/reboot As the last line of their /etc/sudoers files? (replacing UserName with their actual user name, of course.) That should grant them root access to only the /sbin/reboot command (add more commands using comma delimiting).
It may be more appropriate to place this line in separate file under /etc/sudoers.d/
Personally, this is what I'd use sudo for.
You can configure sudo to allow only certain commands with or without a password. Not a lot of detail, but you can either require or skip the password. And, instead of individuals - you can use groups. If you look through the soders file, you'll see how it's doen.
This very brief article goes into a limited how-to:
http://www.atrixnet.com/allow-an-unprivileged-user-to-run-a-certain-command-...
On Fri, Feb 2, 2018 at 9:09 AM, Felipe Westfields < felipe.westfields@gmail.com> wrote:
I would like to be able to allow regular users that don't have admin privileges to be able to reboot their workstation. (they're software developers so rebooting their workstation doesn't affect anybody else)
I tried changing the ownership of /sbin/reboot and /sbin/shutdown to root:users and permissions to 550, but that didn't work - it's still asking for root privileges.
Possibly the problem might be that there's centralized LDAP authentication, not local, so the changes I made only apply to local accounts?
Any suggestions?
FW _______________________________________________ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
On 02/02/18 10:09, Felipe Westfields wrote:
I would like to be able to allow regular users that don't have admin privileges to be able to reboot their workstation. (they're software developers so rebooting their workstation doesn't affect anybody else)
I tried changing the ownership of /sbin/reboot and /sbin/shutdown to root:users and permissions to 550, but that didn't work - it's still asking for root privileges.
Possibly the problem might be that there's centralized LDAP authentication, not local, so the changes I made only apply to local accounts?
Any suggestions?
If they are local users (sitting in front of that computer), they will be able to use the commands
shutdown reboot poweroff
without any need of special privileges, which tells RedHat and CentOS apart from majority of Linuxes. This is incredibly logical (Thanks, RedHat!), as local user can just press power button, or yank AC cord.
To allow remote users reboot machine you can allow them execute some commands via sudo , like:
sudo reboot
Command sudo means Substitute User DO; when username of substitute user is not mentioned in command user "root: is used as substitute user, this is where misinterpreting the command as "super user do" originates, and the last is wrong. Do "man visudo", "man sudo", to learn details.
Incidentally, rebooting machine is rather big deal, if that is used to resolve some trouble happening every so often, I would rather look into fixing the cause of that trouble.
Valeri
FW _______________________________________________ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Felipe Westfields wrote:
I would like to be able to allow regular users that don't have admin privileges to be able to reboot their workstation. (they're software developers so rebooting their workstation doesn't affect anybody else)
I tried changing the ownership of /sbin/reboot and /sbin/shutdown to root:users and permissions to 550, but that didn't work - it's still asking for root privileges.
Possibly the problem might be that there's centralized LDAP authentication, not local, so the changes I made only apply to local accounts?
Any suggestions?
Um, I take it that a three-finger kill doesn't work?
mark
On 2 February 2018 at 18:13, m.roth@5-cent.us wrote:
Felipe Westfields wrote:
I would like to be able to allow regular users that don't have admin privileges to be able to reboot their workstation. (they're software developers so rebooting their workstation doesn't affect anybody else)
I tried changing the ownership of /sbin/reboot and /sbin/shutdown to root:users and permissions to 550, but that didn't work - it's still asking for root privileges.
Possibly the problem might be that there's centralized LDAP authentication, not local, so the changes I made only apply to local accounts?
Any suggestions?
Um, I take it that a three-finger kill doesn't work?
mark
You;ll want to look at polkit configuration as that's what is used by systemd, and by gnome as a result, to determine what actions are permitted
-
Darr247 -
Felipe Westfields -
James Hogarth -
m.roth@5-cent.us -
Marcin Trendota -
Tate Belden -
Valeri Galtsev