LinuxQuestions.org
Go Job Hunting at the LQ Job Marketplace
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
LinkBack Search this Thread
Old 10-24-2007, 07:54 PM   #1
m2azer
Member
 
Registered: Sep 2004
Location: USA
Distribution: red hat, fedora & centos
Posts: 202

Rep: Reputation: 30
Prevent a non-root user from shutting down, rebooting or suspend the system


Hello all,

I am running redhat 5 and my question is how do I Prevent a non-root user from shutting down or rebooting the system.
most of our users either ssh or vnc to our server. either way they are able to reboot and shutdown the server . how do i prevent that?

Thanks
 
Old 10-24-2007, 08:39 PM   #2
bullium
Member
 
Registered: Aug 2003
Location: Ohio
Distribution: Ubuntu 12.04, Mint 13, RHES 5.5, RHES 6
Posts: 146

Rep: Reputation: 17
All you have to do is remove all permissions from any user or group other than root. To do this type the following logged in as root:
Code:
chmod 750 /sbin/shutdown
The above command will remove all permissions from all users except those in the "root" users group and the administrative account "root". Typing the following at the command prompt will verify that only root has permissions to the shutdown command.
Code:
ll /sbin/shutdown
Code:
-rwxr-x--- 1 root root 43492 2007-09-16 22:14 /sbin/shutdown
This should do the trick.
 
Old 10-24-2007, 09:11 PM   #3
m2azer
Member
 
Registered: Sep 2004
Location: USA
Distribution: red hat, fedora & centos
Posts: 202

Original Poster
Rep: Reputation: 30
Thank you for the reply.

i have 1 more question. after chmod to 750 /sbin/shutdown users are not able to shutdown or reboot, however, they are still able to "suspend" the linux box throught gnome menu.."system then suspend" ..is there a way to disable "suspend" too? what is the command line to suspend the box?
for example to shutdown its /sbin/shutdown -h now
for suspend is what?


Thanks again your suggestion worked perfectly
 
Old 10-24-2007, 09:23 PM   #4
bullium
Member
 
Registered: Aug 2003
Location: Ohio
Distribution: Ubuntu 12.04, Mint 13, RHES 5.5, RHES 6
Posts: 146

Rep: Reputation: 17
Quote:
Originally Posted by m2azer View Post
Thank you for the reply.

i have 1 more question. after chmod to 750 /sbin/shutdown users are not able to shutdown or reboot, however, they are still able to "suspend" the linux box throught gnome menu.."system then suspend" ..is there a way to disable "suspend" too? what is the command line to suspend the box?
for example to shutdown its /sbin/shutdown -h now
for suspend is what?


Thanks again your suggestion worked perfectly
You replied before I could edit my post to include suspend .
Try the following:
Code:
chmod 750 /usr/bin/apmsleep
A really helpful command to help you find a command to do a specific task is "apropos". Try using it sometime, gets you out in a pinch.
 
Old 10-24-2007, 09:57 PM   #5
m2azer
Member
 
Registered: Sep 2004
Location: USA
Distribution: red hat, fedora & centos
Posts: 202

Original Poster
Rep: Reputation: 30
Smile

Thank you so much - apropos is really a great command to use.


Thanks
 
Old 10-25-2007, 10:03 AM   #6
bullium
Member
 
Registered: Aug 2003
Location: Ohio
Distribution: Ubuntu 12.04, Mint 13, RHES 5.5, RHES 6
Posts: 146

Rep: Reputation: 17
No problem.
 
Old 10-26-2007, 02:16 AM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,534
Blog Entries: 51

Rep: Reputation: 2603Reputation: 2603Reputation: 2603Reputation: 2603Reputation: 2603Reputation: 2603Reputation: 2603Reputation: 2603Reputation: 2603Reputation: 2603Reputation: 2603
Quote:
Originally Posted by bullium View Post
All you have to do is remove all permissions from any user or group other than root.
Shutdown isn't the only binary you should cover. Besides that, on upgrade the permissions may be restored without warning. Besides that, the binaries are *owned* by root so executing them as unprivileged user should not work ("must be superuser" error). Also there are other ways on systems that use PAM: shutdown, reboot and halt are console applications governed by the PAM console module. Removing the "/etc/security/console.apps/{halt,reboot,poweroff}" files should work for that part. Next to that by default unprivileged users have /usr/bin in their PATH before anything else (IIRC). This means they (should) encounter /usr/bin/reboot before /sbin/reboot and /usr/bin/reboot is a symbolic link to consolehelper.
 
Old 10-30-2007, 08:15 AM   #8
bullium
Member
 
Registered: Aug 2003
Location: Ohio
Distribution: Ubuntu 12.04, Mint 13, RHES 5.5, RHES 6
Posts: 146

Rep: Reputation: 17
Quote:
Originally Posted by unSpawn View Post
Shutdown isn't the only binary you should cover. Besides that, on upgrade the permissions may be restored without warning. Besides that, the binaries are *owned* by root so executing them as unprivileged user should not work ("must be superuser" error). Also there are other ways on systems that use PAM: shutdown, reboot and halt are console applications governed by the PAM console module. Removing the "/etc/security/console.apps/{halt,reboot,poweroff}" files should work for that part. Next to that by default unprivileged users have /usr/bin in their PATH before anything else (IIRC). This means they (should) encounter /usr/bin/reboot before /sbin/reboot and /usr/bin/reboot is a symbolic link to consolehelper.
I understand your points on PAM authentication and the users path in regards to the various commands in question. After reading the consolehelper man page I have a better understanding of how the links and such work. So what would you suggest as a complete solution to his problem?
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
How to prevent root user from logging into ssh linuxjamil Linux - Server 2 10-08-2007 06:10 PM
FTP Server: Prevent user from getting out of their root directory Swakoo Linux - General 4 03-02-2007 01:42 AM
how to prevent from Ctrl+Alt+Del rebooting acaj5 Linux - Newbie 2 06-09-2006 04:47 AM
shutting down and rebooting from logout screen doralsoral Linux - Software 2 06-08-2005 01:07 PM
X Display problems for user (and not root) after suspend mode Rukhin Linux - Laptop and Netbook 3 03-10-2004 08:31 PM


All times are GMT -5. The time now is 05:48 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration