I just noticed that CentOS (6.2) by default allows any user to reboot/poweroff system without any admin rights, or without any further questions, if using commands 'reboot' or 'poweroff'. But 'shutdown' still requires admin rights.
What is the preferred way to restrict any regular user from rebooting / powering off the system (by accident)?
IMHO, sudo should be required for this purpose (at least in a system with shared remote access from multiple users, single-user laptops etc may be a different case)
-- TiN
Timo Neuvonen wrote on 03/28/2012 09:17 AM:
> I just noticed that CentOS (6.2) by default allows any user to reboot/poweroff system without any admin rights, or without any further questions, if using commands 'reboot' or 'poweroff'. But 'shutdown' still requires admin rights.
> What is the preferred way to restrict any regular user from rebooting / powering off the system (by accident)?
> IMHO, sudo should be required for this purpose (at least in a system with shared remote access from multiple users, single-user laptops etc may be a different case)
OUCH! This seems to qualify as a CentOS bug. I confirm that a normal user can reboot or poweroff the system on 6.2. On RHEL:
$ rpm -qa redhat-release*
redhat-release-server-6Server-6.2.0.3.el6.x86_64
$ poweroff
poweroff: Need to be root
$ reboot
reboot: Need to be root
Phil
On 3/28/2012 10:03 AM, Phil Schaffner wrote:
> OUCH! This seems to qualify as a CentOS bug. I confirm that a normal user can reboot or poweroff the system on 6.2. On RHEL:
> $ rpm -qa redhat-release*
> redhat-release-server-6Server-6.2.0.3.el6.x86_64
> $ poweroff
> poweroff: Need to be root
> $ reboot
> reboot: Need to be root
> Phil
I was just reading this the other day in a book but cannot find it...there is some command that limits this...not sure if it was just sudo or not... yea, that is scary
On 03/28/2012 04:04 PM, Bob Hoffman wrote:
> I was just reading this the other day in a book but cannot find it...there is some command that limits this...not sure if it was just sudo or not... yea, that is scary
Only console users (local users) are allowed to do that. It's configured using pam (I use Centos5.8 so forgive me if this is not the same for CentOS6). I tried to change settings in /etc/pam.d/ and that indeed works:
/etc/pam.d/poweroff
/etc/pam.d/reboot
/etc/pam.d/halt
I added as a second line:
auth sufficient pam_rootok.so
# prevent normal users to reboot
auth required pam_deny.so
....
But still the user locally logged on to the machine (gnome session) can switch it off. So I think I also missed something.
Theo
I can't test it right now, but reading 'man pam.d' made me wonder if 'required' in the 'auth required pam_deny.so' in the example above should be replaced with 'requisite'.
-- TiN
On 03/28/2012 09:38 PM, Timo Neuvonen wrote:
> I can't test it right now, but reading 'man pam.d' made me wonder if 'required' in the 'auth required pam_deny.so' in the example above should be replaced with 'requisite'.
Both methods should work. With requisite the following checks are not done anymore (it fails right away). But even if the other tests succeed (after a failing required) the final judgement is still "fail". It is a way not to tell the reason authentication fails. This makes it a little bit more difficult for an attacker.
Note that shutdown is not in the list of pam enabled applications. So a user cannot poweroff, but he can still shutdown :-( I read that /etc/shutdown.allow controls shutdown but I don't understand what the gnome desktop actually calls. Apparently it is not poweroff/reboot/halt.
Does anyone know how to properly prevent any non-root user (console and remote) from powering off a machine?
I need this only for desktop users that switch off their machine by accident. The machine is used as part of a compute grid as well.
Theo
On 03/28/2012 09:03 AM, Phil Schaffner wrote:
> OUCH! This seems to qualify as a CentOS bug. I confirm that a normal user can reboot or poweroff the system on 6.2. On RHEL:
> $ rpm -qa redhat-release*
> redhat-release-server-6Server-6.2.0.3.el6.x86_64
> $ poweroff
> poweroff: Need to be root
> $ reboot
> reboot: Need to be root
> Phil
Make sure you are testing apples to apples
Test ssh access versus local console access, etc.
Johnny Hughes wrote on 03/28/2012 10:26 AM:
> Make sure you are testing apples to apples
> Test ssh access versus local console access, etc.
Got me there. The access mode does seem to be the difference. I tested from the GUI on CentOS and via ssh on RHEL. Logged on to the console in a GUI on RHEL6 a user can reboot or poweroff, and presumably also halt. Seems to be the "console user" thing. So CentOS does match upstream.
Phil
On 03/28/2012 09:47 AM, Phil Schaffner wrote:
> Got me there. The access mode does seem to be the difference. I tested from the GUI on CentOS and via ssh on RHEL. Logged on to the console in a GUI on RHEL6 a user can reboot or poweroff, and presumably also halt. Seems to be the "console user" thing. So CentOS does match upstream.
I just did some research on this ... the files that need to be modified to change this behavior are:
/etc/pam.d/poweroff
/etc/pam.d/halt
/etc/pam.d/reboot
The files in CentOS are identical to upstream ... they are also identical to each other and look like this:
auth sufficient pam_rootok.so
auth required pam_console.so
#auth include system-auth
account required pam_permit.so
I am sure those can be adjusted so console access by itself is not sufficient.
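
The control-flag behaviour discussed in this thread ('required' versus 'requisite' on a pam_deny.so line, and the stock pam_rootok/pam_console stack quoted just above), as an added example that is not part of any poster's message: a simplified Python model of the auth stack. The module outcomes, caller attributes and function names are assumptions for illustration; it makes no real PAM calls.

```python
# Simplified model of Linux-PAM control flags (auth facility only).
# Module outcomes are assumptions for illustration; no real PAM calls are made.
MODULES = {
    "pam_rootok.so": lambda c: c["uid"] == 0,     # succeeds only for root
    "pam_console.so": lambda c: c["at_console"],  # succeeds for the local console user
    "pam_deny.so": lambda c: False,               # always fails
    "pam_permit.so": lambda c: True,              # always succeeds
}
# Stock /etc/pam.d/{poweroff,halt,reboot} content as quoted in the thread.
STOCK = """auth sufficient pam_rootok.so
auth required pam_console.so
#auth include system-auth
account required pam_permit.so"""

def parse(text, facility="auth"):
    """Return [(control, module)] for one facility, skipping comments and blanks."""
    rows = (line.split("#", 1)[0].split() for line in text.splitlines())
    return [(f[1], f[2]) for f in rows if len(f) >= 3 and f[0] == facility]

def with_deny(text, control):
    """The change tried in the thread: 'auth <control> pam_deny.so' as second line."""
    lines = text.splitlines()
    return "\n".join(lines[:1] + [f"auth {control} pam_deny.so"] + lines[1:])

def evaluate(rules, caller):
    """Return (allowed, modules_run) for sufficient/required/requisite rules."""
    failed, passed, ran = False, False, []
    for control, module in rules:
        ok = MODULES[module](caller)
        ran.append(module)
        if control == "sufficient" and ok and not failed:
            return True, ran          # early success, rest of stack skipped
        if control == "requisite" and not ok:
            return False, ran         # early failure, rest of stack skipped
        if control in ("required", "requisite"):
            failed, passed = failed or not ok, passed or ok
    return passed and not failed, ran

CALLERS = {  # constructed sample callers
    "root over ssh": {"uid": 0, "at_console": False},
    "user over ssh": {"uid": 1000, "at_console": False},
    "user at console": {"uid": 1000, "at_console": True},
}

if __name__ == "__main__":
    for text in (STOCK, with_deny(STOCK, "required"), with_deny(STOCK, "requisite")):
        for who, caller in CALLERS.items():
            print(parse(text)[1], who, evaluate(parse(text), caller))
```

The model covers only the PAM service files for poweroff, halt and reboot; the GNOME session path and 'shutdown' mentioned in the thread are outside it.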