On 03/28/2012 04:04 PM, Bob Hoffman wrote: > On 3/28/2012 10:03 AM, Phil Schaffner wrote: >> Timo Neuvonen wrote on 03/28/2012 09:17 AM: >>> I just noticed that CentOS (6.2) by default allows any user to >>> reboot/poweroff system without any admin rights, or without any further >>> questions, if using commands 'reboot' or 'poweroff'. But 'shutdown' still >>> requires admin rights. >>> >>> What is the preferred way to restrict any regular user from rebooting / >>> powering off the system (by accident)? >>> >>> IMHO, sudo should be required for this purpose (at least in a system with >>> shared remote access from multiple users, single-user laptops etc may be a >>> different case) >>> >> OUCH! This seems to qualify as a CentOS bug. I confirm that a normal >> user can reboot or poweroff the system on 6.2. On RHEL: >> >> $ rpm -qa redhat-release\* >> redhat-release-server-6Server-6.2.0.3.el6.x86_64 >> $ poweroff >> poweroff: Need to be root >> $ reboot >> reboot: Need to be root >> >> Phil >> >> >> _______________________________________________ >> CentOS mailing list >> CentOS at centos.org >> http://lists.centos.org/mailman/listinfo/centos >> >> > I was just reading this the other day in a book but cannot find > it...there is some command that limits this...not sure if it was just > sudo or not... > yea, that is scary > _______________________________________________ > Only console users (local users) are allowed to do that. It's configured using pam (I use Centos5.8 so forgive me if this is not the same for CentOS6). I tried to change settings in /etc/pam.d/ and that indeed works: /etc/pam.d/poweroff /etc/pam.d/reboot /etc/pam.d/halt I added as a second line : auth sufficient pam_rootok.so # prevent normal users to reboot auth required pam_deny.so .... But still the user locally logged on to the machine (gnome session) can switch it off. So I think I also missed something. Theo