[CentOS] Wrapper script for shutdown, passwd, etc. commands
Leon Fauster
leonfauster at googlemail.com
Mon Jul 13 15:03:10 UTC 2015
On 13.07.2015 at 16:47, Kwan Lowe <kwan.lowe at gmail.com> wrote:
> On Mon, Jul 13, 2015 at 10:21 AM, Jonathan Billings <billings at negate.org>
> wrote:
>
>> Are you saying that this is an interactive process on the system? I'd
>> suggest you make sure this isn't some sort of email ticket that stores
>> a password or emails it.
>>
>
> Thanks for the reply. I'm thinking that the password would only be there
> to confirm. It would not be stored but would possibly leverage PAM.
>
>
>> You could probably use 'sudo' to handle the part of authenticating the
>> user, and run a very limited service that queried a secure system for
>> approval and initiated the shutdown.
>>
>
> sudo was a possibility.. However, I want to do this specifically for folks
> with root access so sudo's checks won't work.
>
> This is for two reasons: Audit requirements and as a second check for the
> admin. We've had a couple instances recently where the admin did work on
> the wrong server. Though I don't see any way to totally lock it down for
> someone with root access, I want to make it at least give some sort of
> warning.

If your need is to be sure that the admin works on the right system,
then I suggest putting something explicitly into /etc/motd (man motd).

If your work policy allows "folks" to work directly as root, then
everything can be circumvented, saying that to suggest something
totally trivial: aliases

cat /etc/profile.d/local.sh
alias shutdown='/usr/local/sbin/wrapper-shutdown'

thought
--
LF
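
Added example, not part of the original message: a minimal wrapper-shutdown that the alias above could point to. It makes the admin type the hostname before the real shutdown runs and writes an audit record with logger; the /sbin/shutdown path, the logger tag and the function names are assumptions.

```shell
#!/bin/bash
# Added example: confirmation wrapper for the 'shutdown' alias.
# Assumptions (not from the thread): real binary at /sbin/shutdown,
# audit trail via logger(1) with the tag "wrapper-shutdown".

REAL_SHUTDOWN=${REAL_SHUTDOWN:-/sbin/shutdown}

# Succeeds only if the typed name equals the full or the short hostname.
host_matches() {
    local typed="$1" fqdn="$2"
    [ -n "$typed" ] || return 1
    [ "$typed" = "$fqdn" ] || [ "$typed" = "${fqdn%%.*}" ]
}

# Build the audit record: outcome, host, who is behind root, arguments.
audit_line() {
    local result="$1" host="$2" who="$3"
    shift 3
    printf 'result=%s host=%s invoked_by=%s args="%s"' \
        "$result" "$host" "$who" "$*"
}

main() {
    local host who typed
    host=$(hostname)
    # SUDO_USER or logname shows the login behind a root shell.
    who=${SUDO_USER:-$(logname 2>/dev/null || id -un)}
    printf 'You are about to run shutdown on: %s\n' "$host" >&2
    printf 'Type the hostname to confirm: ' >&2
    read -r typed
    if host_matches "$typed" "$host"; then
        logger -t wrapper-shutdown -p authpriv.notice \
            "$(audit_line confirmed "$host" "$who" "$@")"
        # Full path, so the alias cannot send us back into the wrapper.
        exec "$REAL_SHUTDOWN" "$@"
    fi
    logger -t wrapper-shutdown -p authpriv.warning \
        "$(audit_line refused "$host" "$who" "$@")"
    echo "Hostname mismatch, not shutting down." >&2
    return 1
}

# Run only when installed under the wrapper's name, so sourcing is safe.
case "${0##*/}" in
    wrapper-shutdown) main "$@" ;;
esac
```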