LinuxQuestions.org


m2azer 10-24-2007 07:54 PM

Prevent a non-root user from shutting down, rebooting or suspend the system
 
Hello all,

I am running Red Hat 5 and my question is: how do I prevent a non-root user from shutting down or rebooting the system?
Most of our users either ssh or vnc to our server. Either way they are able to reboot and shut down the server. How do I prevent that?

Thanks

bullium 10-24-2007 08:39 PM

All you have to do is remove all permissions from any user or group other than root. To do this, type the following while logged in as root:
Code:

chmod 750 /sbin/shutdown
The above command will remove all permissions from all users except those in the "root" users group and the administrative account "root". Typing the following at the command prompt will verify that only root has permissions to the shutdown command.
Code:

ll /sbin/shutdown
Code:

-rwxr-x--- 1 root root 43492 2007-09-16 22:14 /sbin/shutdown
This should do the trick.

m2azer 10-24-2007 09:11 PM

Thank you for the reply.

I have 1 more question. After chmod to 750 /sbin/shutdown, users are not able to shut down or reboot; however, they are still able to "suspend" the Linux box through the GNOME menu ("System", then "Suspend"). Is there a way to disable "suspend" too? What is the command line to suspend the box?
For example, to shut down it's /sbin/shutdown -h now
For suspend it is what?

Thanks again, your suggestion worked perfectly.

bullium 10-24-2007 09:23 PM

Quote:

Originally Posted by m2azer (Post 2935839)
Thank you for the reply.

I have 1 more question. After chmod to 750 /sbin/shutdown, users are not able to shut down or reboot; however, they are still able to "suspend" the Linux box through the GNOME menu ("System", then "Suspend"). Is there a way to disable "suspend" too? What is the command line to suspend the box?
For example, to shut down it's /sbin/shutdown -h now
For suspend it is what?

Thanks again, your suggestion worked perfectly.

You replied before I could edit my post to include suspend :).
Try the following:
Code:

chmod 750 /usr/bin/apmsleep
A really helpful command to help you find a command to do a specific task is "apropos". Try using it sometime; it gets you out of a pinch.

m2azer 10-24-2007 09:57 PM

Thank you so much - apropos is really a great command to use.


Thanks

bullium 10-25-2007 10:03 AM

No problem.

unSpawn 10-26-2007 02:16 AM

Quote:

Originally Posted by bullium (Post 2935819)
All you have to do is remove all permissions from any user or group other than root.

Shutdown isn't the only binary you should cover. Besides that, on upgrade the permissions may be restored without warning. Besides that, the binaries are *owned* by root, so executing them as an unprivileged user should not work ("must be superuser" error). Also there are other ways on systems that use PAM: shutdown, reboot and halt are console applications governed by the PAM console module. Removing the "/etc/security/console.apps/{halt,reboot,poweroff}" files should work for that part. Next to that, by default unprivileged users have /usr/bin in their PATH before anything else (IIRC). This means they (should) encounter /usr/bin/reboot before /sbin/reboot, and /usr/bin/reboot is a symbolic link to consolehelper.
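
As an added example (not part of the post above or of the thread): a read-only shell audit of the three places the posts mention, namely the console.apps files, the /usr/bin links to consolehelper, and the mode of the /sbin binaries. The function name `audit_power_cmds`, its root-prefix argument and the sample tree are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not from the thread: read-only audit. $1 is an assumed root
# prefix ("" = live system; otherwise a mounted image or a test tree).
audit_power_cmds() {
    root="${1:-}"
    findings=0
    for cmd in halt reboot poweroff; do
        # pam_console policy file that consolehelper consults for this command.
        f="$root/etc/security/console.apps/$cmd"
        if [ -e "$f" ]; then
            echo "console.apps: $f"
            findings=$((findings + 1))
        fi
        # /usr/bin/<cmd> present as a symbolic link to consolehelper.
        l="$root/usr/bin/$cmd"
        if [ -L "$l" ]; then
            case "$(readlink "$l")" in
                *consolehelper)
                    echo "consolehelper-link: $l"
                    findings=$((findings + 1)) ;;
            esac
        fi
    done
    for cmd in shutdown halt reboot poweroff; do
        # Mode check for the chmod 750 approach: flag what "other" can execute.
        # find -L judges a symlink by its target's mode.
        b="$root/sbin/$cmd"
        if [ -f "$b" ] && [ -n "$(find -L "$b" -prune -perm -001)" ]; then
            echo "world-exec: $b"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]   # exit status 0 only when nothing was flagged
}

# Constructed sample tree (not a real system) so the audit runs offline.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/security/console.apps" "$t/usr/bin" "$t/sbin"
    : > "$t/etc/security/console.apps/reboot"
    ln -s consolehelper "$t/usr/bin/reboot"
    : > "$t/sbin/shutdown"; chmod 750 "$t/sbin/shutdown"
    : > "$t/sbin/halt";     chmod 755 "$t/sbin/halt"
    echo "$t"
}

sample=$(make_sample_tree)
audit_power_cmds "$sample" || echo "findings present in sample tree"
rm -rf "$sample"
```

Calling `audit_power_cmds ""` checks the live system; re-running it after package upgrades catches the case where permissions or files were restored.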

bullium 10-30-2007 08:15 AM

Quote:

Originally Posted by unSpawn (Post 2937309)
Shutdown isn't the only binary you should cover. Besides that, on upgrade the permissions may be restored without warning. Besides that, the binaries are *owned* by root, so executing them as an unprivileged user should not work ("must be superuser" error). Also there are other ways on systems that use PAM: shutdown, reboot and halt are console applications governed by the PAM console module. Removing the "/etc/security/console.apps/{halt,reboot,poweroff}" files should work for that part. Next to that, by default unprivileged users have /usr/bin in their PATH before anything else (IIRC). This means they (should) encounter /usr/bin/reboot before /sbin/reboot, and /usr/bin/reboot is a symbolic link to consolehelper.

I understand your points on PAM authentication and the user's path in regard to the various commands in question. After reading the consolehelper man page I have a better understanding of how the links and such work. So what would you suggest as a complete solution to his problem?

