On 13.07.2015 at 16:47, Kwan Lowe <kwan.lowe at gmail.com> wrote:

> On Mon, Jul 13, 2015 at 10:21 AM, Jonathan Billings <billings at negate.org>
> wrote:
>
>> Are you saying that this is an interactive process on the system? I'd
>> suggest you make sure this isn't some sort of email ticket that stores
>> a password or emails it.
>>
>
> Thanks for the reply. I'm thinking that the password would only be there
> to confirm. It would not be stored but would possibly leverage PAM.
>
>
>> You could probably use 'sudo' to handle the part of authenticating the
>> user, and run a very limited service that queried a secure system for
>> approval and initiated the shutdown.
>>
>
> sudo was a possibility.. However, I want to do this specifically for folks
> with root access so sudo's checks won't work.
>
> This is for two reasons: Audit requirements and as a second check for the
> admin. We've had a couple instances recently where the admin did work on
> the wrong server. Though I don't see any way to totally lock it down for
> someone with root access, I want to make it at least give some sort of
> warning.

If your need is to be sure that the admin works on the right system, then I
suggest putting something explicitly into /etc/motd (man motd).

If your work policy allows "folks" to work directly as root, then everything
can be circumvented. Having said that, to suggest something totally trivial:
aliases

cat /etc/profile.d/local.sh
alias shutdown='/usr/local/sbin/wrapper-shutdown'

thought

--
LF
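
One possible shape for the /usr/local/sbin/wrapper-shutdown script that the alias above points to, as an added example that is not part of the original message. The hostname prompt, the syslog tag, the helper function names and the /sbin/shutdown path are all assumptions.

```shell
#!/bin/sh
# Hypothetical /usr/local/sbin/wrapper-shutdown (constructed example).
# Asks the admin to type this machine's name, writes an audit line to
# syslog, and only then hands over to the real shutdown binary.
REAL_SHUTDOWN="${REAL_SHUTDOWN:-/sbin/shutdown}"   # assumed location

# Succeeds only if the typed name equals the full or the short host name.
hostname_matches() {
    typed=$1
    full=${2:-$(uname -n)}
    short=${full%%.*}
    [ -n "$typed" ] && { [ "$typed" = "$full" ] || [ "$typed" = "$short" ]; }
}

# Best-effort name of the person behind the root shell, for the audit line.
invoking_user() {
    if [ -n "${SUDO_USER:-}" ]; then
        echo "$SUDO_USER"
    else
        logname 2>/dev/null || id -un
    fi
}

wrapper_main() {
    host=$(uname -n)
    printf 'About to run: shutdown %s on host %s\n' "$*" "$host" >&2
    printf 'Type the hostname to confirm: ' >&2
    read -r answer || answer=
    if hostname_matches "$answer" "$host"; then
        logger -t wrapper-shutdown \
            "confirmed by $(invoking_user): shutdown $*" 2>/dev/null || true
        exec "$REAL_SHUTDOWN" "$@"
    fi
    logger -t wrapper-shutdown \
        "refused for $(invoking_user): typed '$answer'" 2>/dev/null || true
    echo "Hostname mismatch, not shutting down." >&2
    return 1
}

# Run only when invoked under the wrapper's own name, not when sourced.
case ${0##*/} in
    wrapper-shutdown) wrapper_main "$@" ;;
esac
```

The alias only applies to interactive shells that read /etc/profile.d, so this acts as a second check and an audit trail for the admin rather than as a control.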