[CentOS] How to restrict reboot/poweroff from non-admins?
theo.band at greenpeak.com
Wed Mar 28 14:15:50 UTC 2012
On 03/28/2012 04:04 PM, Bob Hoffman wrote:
> On 3/28/2012 10:03 AM, Phil Schaffner wrote:
>> Timo Neuvonen wrote on 03/28/2012 09:17 AM:
>>> I just noticed that CentOS (6.2) by default allows any user to
>>> reboot/poweroff system without any admin rights, or without any further
>>> questions, if using commands 'reboot' or 'poweroff'. But 'shutdown' still
>>> requires admin rights.
>>> What is the preferred way to restrict any regular user from rebooting /
>>> powering off the system (by accident)?
>>> IMHO, sudo should be required for this purpose (at least in a system with
>>> shared remote access from multiple users, single-user laptops etc may be a
>>> different case)
>> OUCH! This seems to qualify as a CentOS bug. I confirm that a normal
>> user can reboot or poweroff the system on 6.2. On RHEL:
>> $ rpm -qa redhat-release\*
>> $ poweroff
>> poweroff: Need to be root
>> $ reboot
>> reboot: Need to be root
> I was just reading this the other day in a book but cannot find
> it...there is some command that limits this...not sure if it was just
> sudo or not...
> yea, that is scary
Only console users (local users) are allowed to do that. It's configured
using PAM (I use CentOS 5.8, so forgive me if this is not the same for
CentOS 6). I tried to change settings in /etc/pam.d/ and that indeed works:
I added as a second line:
auth sufficient pam_rootok.so
# prevent normal users to reboot
auth required pam_deny.so
But still the user locally logged on to the machine (gnome session) can
switch it off. So I think I also missed something.
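
The following is an added example, not part of the original post: a small checker that walks the auth lines of a PAM service file in order and reports what a non-root console user would get, which shows why the position of the pam_deny.so line matters. The function name, the sample stacks and the use of pam_console.so in them are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: evaluate the "auth" stack of a PAM service file for a
# non-root user at the console and print "allow" or "deny".
# Assumptions (not from the post): pam_rootok.so and pam_deny.so fail for
# this user; every other module (e.g. pam_console.so) is taken to succeed,
# which is the worst case for the admin. Only sufficient/required/requisite
# are modelled; "include" lines and [bracket] controls are skipped.
pam_auth_verdict() {
    awk '
        $1 != "auth" { next }              # skips comments and other types
        {
            ctl = $2; mod = $3
            sub(/^.*\//, "", mod)          # drop any directory prefix
            ok = !(mod == "pam_rootok.so" || mod == "pam_deny.so")
            # sufficient + success ends the stack unless a required failed
            if (ctl == "sufficient" && ok && !failed) { print "allow"; done = 1; exit }
            if (ctl == "required" && !ok) failed = 1
            if (ctl == "requisite" && !ok) { print "deny"; done = 1; exit }
            if ((ctl == "required" || ctl == "requisite") && ok) passed = 1
        }
        END { if (!done) print ((failed || !passed) ? "deny" : "allow") }
    ' "$1"
}

# Constructed sample stacks (not copied from a real system).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '#%PAM-1.0' 'auth sufficient pam_rootok.so' \
    'auth required pam_console.so' > "$tmp/console_only"
printf '%s\n' '#%PAM-1.0' 'auth sufficient pam_rootok.so' \
    '# prevent normal users to reboot' 'auth required pam_deny.so' \
    'auth required pam_console.so' > "$tmp/deny_first"
printf '%s\n' '#%PAM-1.0' 'auth sufficient pam_console.so' \
    'auth required pam_deny.so' > "$tmp/deny_too_late"

for f in console_only deny_first deny_too_late; do
    echo "$f: $(pam_auth_verdict "$tmp/$f")"
done
```

The checker covers only the PAM auth stack of the file it is given; it says nothing about other ways a desktop session may request a shutdown.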