forbid a user's ability to use the "su" command!!
in Slackware the file is /etc/sudoers
of course in Slack one of the installed packages is sudo-1***,
un-install the package and /etc/sudoers goes away, and root would have to login on CLI to do anything.
shutdown can be called from init(8) when the magic keys CTRL-ALT-DEL are pressed, by creating an appropriate entry in /etc/inittab. This means that everyone who has physical access to the console keyboard can shut the system down. To prevent this, shutdown can check to see if an authorized user is logged in on one of the virtual consoles. If shutdown is called with the -a argument (add this to the invocation of shutdown in /etc/inittab), it checks to see if the file /etc/shutdown.allow is present. It then compares the login names in that file with the list of people that are logged in on a virtual console (from /var/run/utmp). Only if one of those authorized users or root is logged in, it will proceed. Otherwise it will write the message
shutdown: no authorized users logged in
to the (physical) system console. The format of /etc/shutdown.allow is one user name per line. Empty lines and comment lines (prefixed by a #) are allowed. Currently there is a limit of 32 users in this file.
Note that if /etc/shutdown.allow is not present, the -a argument is ignored.
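The check that the shutdown(8) excerpt above describes, modelled as a small shell function for testing an allow file before relying on it. This is an added example, not part of the thread or of sysvinit's own code; the function names, the sample inittab line and the handling of names past the 32-entry limit are assumptions.

```shell
#!/bin/sh
# Models the "shutdown -a" authorization check from the man page excerpt.
# Sample inittab entry with -a added (constructed; timing flags vary by distro):
#   ca::ctrlaltdel:/sbin/shutdown -a -t5 -r now

MAX_ALLOW=32   # limit stated in the man page excerpt

# list_allowed FILE: print the login names in FILE, one per line,
# skipping empty lines and comment lines prefixed by '#'.
list_allowed() {
    sed -e 's/[[:space:]]*$//' -e '/^$/d' -e '/^#/d' "$1"
}

# shutdown_allowed FILE [USER...]: return 0 if shutdown -a would proceed
# given the users logged in on the virtual consoles, 1 otherwise.
shutdown_allowed() {
    allow_file=$1; shift
    # If the allow file is not present, -a is ignored and shutdown proceeds.
    [ -f "$allow_file" ] || return 0
    count=$(list_allowed "$allow_file" | wc -l)
    if [ "$count" -gt "$MAX_ALLOW" ]; then
        echo "warning: $count names in $allow_file, limit is $MAX_ALLOW" >&2
    fi
    for u in "$@"; do
        # root is always authorized, whether or not it is listed.
        [ "$u" = root ] && return 0
        # Assumption: names past the limit are not considered.
        if list_allowed "$allow_file" | head -n "$MAX_ALLOW" | grep -qxF -- "$u"; then
            return 0
        fi
    done
    echo "shutdown: no authorized users logged in" >&2
    return 1
}
```

On a live system the user list can be approximated with `who | awk '{print $1}'`, although that includes sessions that are not on a virtual console.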
Sorry. My answer was assuming you were booting to a console
login prompt. I have no experience with Redhat, so I am basing
my reply here on using Slackware.
I usually don't use runlevel 4 (GUI login), so I'm not sure how to
disable those options, but I do think it depends on what display
manager you are using (i.e. xdm, gdm, or kdm) for how you can
disable those options. So you might want to post which one you
are using. If you don't already know which one you are using,
you can find out, if Redhat is similar to Slackware, by looking in
/etc/inittab for a line starting with "x1:4:" that shows which script
runs for runlevel 4. On Slackware this is /etc/rc.d/rc.4, but I think
Redhat uses a different script. Whichever script it is, will start
whichever display manager you are using.
[Edit]Note, however, that my previous post should still disallow
anyone from rebooting via ctrl-alt-del, even under the GUI.[/Edit]
the only solution i can think of is in kde ( i don't use gnome so i wouldn't know what to do there). click on the kde control center > administration > login manager. click the administrator mode button (if not logged in as root) and enter the root password. click the sessions tab and in the dropdown list of the Allow shutdown frame where it says console, it should say everyone. choose the only root choice. click apply and close out of the session manager. if now you go to log out, it may still show those options, but the next time you log in and log out of kde, it won't.
but this only solves if the user is using kde. you'll have to figure out how to do it in gnome especially if you have users using gnome.
or maybe one of the X11 session files will do this for you all in one go (?).
How can I disable users from shutting down and rebooting my system from the login screen?
If you are letting untrusted/untrained users access your system console, you cannot secure your system.
This is a feature, not a bug. A system that can't be broken into via the physical console is one that becomes useless if passwords are lost/forgotten/cracked. I've frequently broken user authentication on various systems while experimenting with software like LDAP, RADIUS, TACACS, etc. - if I couldn't break into the system from the console I'd have lost tens (if not hundreds) of thousands of my employer's dollars!
You can't really make the console secure, nor do you want to. What you might want, though, is to make rebooting difficult, so that nobody does it by accident, and train your users to use the system properly (that last bit is the *key* to success).
How are your users currently rebooting the system? Are you letting them log in as root? Are they doing the "three finger salute?" Do they just push the reset button on the case?