[CentOS] How to restrict reboot/poweroff from non-admins?

Thu Mar 29 13:36:57 UTC 2012
Theo Band <theo.band at greenpeak.com>

On 03/28/2012 09:38 PM, Timo Neuvonen wrote:
>> Only console users (local users) are allowed to do that. It's configured
>> using pam (I use Centos5.8 so forgive me if this is not the same for
>> CentOS6). I tried to change settings in /etc/pam.d/ and that indeed works:
>>
>> /etc/pam.d/poweroff
>> /etc/pam.d/reboot
>> /etc/pam.d/halt
>>
>> I added as a second line :
>> auth       sufficient   pam_rootok.so
>> # prevent normal users to reboot
>> auth       required     pam_deny.so
>> ....
>>
>> But still the user locally logged on to the machine (gnome session) can
>> switch it off. So I think I also missed something.
> I can't test it right now, but reading 'man pam.d' made me wonder if
> 'required'  in the 'auth required pam_deny.so' in the example above
> should be replaced with  'requisite'.
>
Both methods should work. With requisite the following checks are not
done anymore (it fails right away). But even if the other tests succeed
(after a failing required) the final judgement is still "fail". It a way
not to tell the reason authentication fails. This makes it a little bit
more difficult for an attacker.

Note that shutdown is not in the list of pam enabled applications. So a
user cannot poweroff, but he can still shutdown :-(
I read that /etc/shutdown.allow controls shutdown but I don't understand
what the gnome desktop actually calls. Apparently it is not
poweroff/reboot/halt.

Anyone knows how to properly prevent any non root user (console and
remote) for powering off a machine?

I need this only for desktop users that switch of their machine by
accident. The machine is used as part of a compute grid as well.

Theo