Prevent a non-root user from shutting down, rebooting or suspend the system
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Prevent a non-root user from shutting down, rebooting or suspend the system
Hello all,
I am running redhat 5 and my question is how do I Prevent a non-root user from shutting down or rebooting the system.
most of our users either ssh or vnc to our server. either way they are able to reboot and shutdown the server . how do i prevent that?
Distribution: Ubuntu 12.04, Mint 13, RHES 5.5, RHES 6
Posts: 146
Rep:
All you have to do is remove all permissions from any user or group other than root. To do this type the following logged in as root:
Code:
chmod 750 /sbin/shutdown
The above command will remove all permissions from all users except those in the "root" users group and the administrative account "root". Typing the following at the command prompt will verify that only root has permissions to the shutdown command.
i have 1 more question. after chmod to 750 /sbin/shutdown users are not able to shutdown or reboot, however, they are still able to "suspend" the linux box throught gnome menu.."system then suspend" ..is there a way to disable "suspend" too? what is the command line to suspend the box?
for example to shutdown its /sbin/shutdown -h now
for suspend is what?
Distribution: Ubuntu 12.04, Mint 13, RHES 5.5, RHES 6
Posts: 146
Rep:
Quote:
Originally Posted by m2azer
Thank you for the reply.
i have 1 more question. after chmod to 750 /sbin/shutdown users are not able to shutdown or reboot, however, they are still able to "suspend" the linux box throught gnome menu.."system then suspend" ..is there a way to disable "suspend" too? what is the command line to suspend the box?
for example to shutdown its /sbin/shutdown -h now
for suspend is what?
Thanks again your suggestion worked perfectly
You replied before I could edit my post to include suspend .
Try the following:
Code:
chmod 750 /usr/bin/apmsleep
A really helpful command to help you find a command to do a specific task is "apropos". Try using it sometime, gets you out in a pinch.
All you have to do is remove all permissions from any user or group other than root.
Shutdown isn't the only binary you should cover. Besides that, on upgrade the permissions may be restored without warning. Besides that, the binaries are *owned* by root so executing them as unprivileged user should not work ("must be superuser" error). Also there are other ways on systems that use PAM: shutdown, reboot and halt are console applications governed by the PAM console module. Removing the "/etc/security/console.apps/{halt,reboot,poweroff}" files should work for that part. Next to that by default unprivileged users have /usr/bin in their PATH before anything else (IIRC). This means they (should) encounter /usr/bin/reboot before /sbin/reboot and /usr/bin/reboot is a symbolic link to consolehelper.
Distribution: Ubuntu 12.04, Mint 13, RHES 5.5, RHES 6
Posts: 146
Rep:
Quote:
Originally Posted by unSpawn
Shutdown isn't the only binary you should cover. Besides that, on upgrade the permissions may be restored without warning. Besides that, the binaries are *owned* by root so executing them as unprivileged user should not work ("must be superuser" error). Also there are other ways on systems that use PAM: shutdown, reboot and halt are console applications governed by the PAM console module. Removing the "/etc/security/console.apps/{halt,reboot,poweroff}" files should work for that part. Next to that by default unprivileged users have /usr/bin in their PATH before anything else (IIRC). This means they (should) encounter /usr/bin/reboot before /sbin/reboot and /usr/bin/reboot is a symbolic link to consolehelper.
I understand your points on PAM authentication and the users path in regards to the various commands in question. After reading the consolehelper man page I have a better understanding of how the links and such work. So what would you suggest as a complete solution to his problem?
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.