LinuxQuestions.org


Nick_C 10-12-2014 04:56 PM

How to allow non-root user to shutdown
 
Can anyone tell me how I can allow a non-root user to use the shutdown command in CentOS 7?

I am currently shutting down the machine remotely which is working fine as 'root' but I would prefer to create a new user say 'remoteshutdown' to use for this instead of root.

Problem is I cannot seem to find out how to allow a non root user permission to shutdown.

Thanks,

schneidz 10-12-2014 05:03 PM

run visudo as root.

Nick_C 10-13-2014 08:32 AM

Quote:

Originally Posted by schneidz (Post 5252840)
run visudo as root.

Yep, looked at that but I understood that only affects commands run through sudo. I want to shutdown machine remotely and do not want to have to include root password in batch/script file.

schneidz 10-13-2014 08:44 AM

Code:

[schneidz@mom ~]$ sudo visudo
...
## Allows people in group wheel to run all commands
#%wheel ALL=(ALL)      ALL

## Same thing without a password
 %wheel ALL=(ALL)      NOPASSWD: ALL

## Allows members of the users group to shutdown this system
# %users  localhost=/sbin/shutdown -h now
...


John VV 10-13-2014 04:54 PM

that should already be the default setup
to allow users to run
Code:

shutdown -h
now for a remote ( ssh /vpn ) power off or reboot
THAT SHOULD be only root

timl 10-13-2014 05:34 PM

Just a clarification

Quote:

I want to shutdown machine remotely and do not want to have to include root password in batch/script file.
Once a user has sudo rights that user can achieve root privileges by issuing the sudo command. When that user issues the sudo command they type in their password and not the root password. So, after typing:

Quote:

sudo cat /var/log/yum.log
that user will be asked for their password not the root password

Nick_C 10-14-2014 07:56 AM

Quote:

Originally Posted by schneidz (Post 5253104)
Code:

[schneidz@mom ~]$ sudo visudo
...
## Allows people in group wheel to run all commands
#%wheel ALL=(ALL)      ALL

## Same thing without a password
 %wheel ALL=(ALL)      NOPASSWD: ALL

## Allows members of the users group to shutdown this system
# %users  localhost=/sbin/shutdown -h now
...


Tried that but now get error:
Code:

Could not chdir to home directory wheel: No such file or directory
bash: shutdown: command not found


pan64 10-14-2014 08:03 AM

What have you tried? It has no meaning to just drop an error message:
/sbin/shutdown -h now is configured in that config file; that is what should be entered/executed.
shutdown is normally not found, because it is in /sbin and /sbin is not in PATH (for general users).

schneidz 10-14-2014 08:39 AM

copy-pasta the output of:
Code:

[schneidz@mom ~]$ sudo cat /etc/sudoers
so someone has a starting point to debug. also what is the exact command that resulted in the above error message ?

Nick_C 10-14-2014 08:44 AM

visudo:
Code:

...
## Allows people in group wheel to run all commands
#%wheel ALL=(ALL)      ALL

## Same thing without a password
%wheel ALL=(ALL)      NOPASSWD: ALL

## Allows members of the users group to shutdown this system
%users  localhost=/sbin/shutdown -h now
%wheel  localhost=/sbin/shutdown -h now
...

User remoteshutdown added to both users & wheel groups.

Running "shutdown -h now" remotely returns error:
Code:

Could not chdir to home directory wheel: No such file or directory
bash: shutdown: command not found

Running "sudo shutdown -h now" remotely returns error:
Code:

Could not chdir to home directory wheel: No such file or directory
sudo: sorry, you must have a tty to run sudo
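
The sudoers lines quoted in this post, run through a small lint, as an added example that is not part of the original thread. The function name `lint_sudoers` is hypothetical, and the `Defaults requiretty` line and the final `remoteshutdown` rule in the sample are constructed for comparison: the first is the setting behind the "you must have a tty" error, the second is a grant limited to the one command.

```shell
#!/bin/sh
# Added example (not from the thread): classify sudoers grants read on stdin.

lint_sudoers() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
    /^[ \t]*Defaults/ {
        # "Defaults requiretty" is what produces
        # "sorry, you must have a tty to run sudo" for ssh host "cmd" / plink.
        if ($0 ~ /requiretty/ && $0 !~ /!requiretty/)
            print "TTY   requiretty is set: sudo fails without a terminal"
        next
    }
    {
        if ($0 ~ /NOPASSWD:[ \t]*ALL[ \t]*$/)
            print "BROAD " $1 ": any command, no password"
        else if ($0 ~ /=[ \t]*(\([^)]*\)[ \t]*)?ALL[ \t]*$/)
            print "BROAD " $1 ": any command, password asked"
        else if ($0 !~ /NOPASSWD:/)
            print "ASK   " $1 ": scoped command, but sudo asks for a password"
        else
            print "OK    " $1 ": scoped command, no password"
    }'
}

# Sample input: lines 2-5 are from the post above; line 1 and the last
# line are constructed for this example.
SAMPLE='Defaults    requiretty
#%wheel ALL=(ALL)      ALL
%wheel ALL=(ALL)      NOPASSWD: ALL
%users  localhost=/sbin/shutdown -h now
%wheel  localhost=/sbin/shutdown -h now
remoteshutdown ALL=(root) NOPASSWD: /usr/sbin/shutdown -h now'

printf '%s\n' "$SAMPLE" | lint_sudoers
```

The BROAD line is the one that matters for a dedicated shutdown account: membership in `wheel` with `NOPASSWD: ALL` gives that account every command, not just shutdown.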


schneidz 10-14-2014 08:57 AM

just for shiggles can you try running it like:
Code:

sudo /sbin/shutdown -h now
# and
sudo /usr/sbin/shutdown -h now

also, maybe there isn't a homedir for that user. does
Code:

cat /etc/passwd | grep remoteshutdown
provide anything useful ?

Nick_C 10-14-2014 09:47 AM

Quote:

Originally Posted by schneidz (Post 5253619)
Code:

sudo /sbin/shutdown -h now
# and
sudo /usr/sbin/shutdown -h now


both fail with:
Code:

Could not chdir to home directory wheel: No such file or directory
sudo: sorry, you must have a tty to run sudo

Quote:

Originally Posted by schneidz (Post 5253619)
Code:

cat /etc/passwd | grep remoteshutdown

returns:
Code:

remoteshutdown:x:1002:1003::wheel:/bin/bash

schneidz 10-14-2014 10:01 AM

the users home-directory looks weird (wheel) ?

Nick_C 10-14-2014 10:21 AM

Quote:

Originally Posted by schneidz (Post 5253653)
the users home-directory looks weird (wheel) ?

Don't know what went wrong there, user now deleted and recreated.
cat /etc/passwd | grep remoteshutdown returns
Code:

remoteshutdown:x:1002:1005::/home/remoteshutdown:/bin/bash

schneidz 10-14-2014 10:27 AM

i think you are good to retry... it's probably gonna ask for a passwd. i think you need to put that NOPASSWD directive somewhere on that line in visudo... i am not a visudo expert so you will need to experiment a little.

also i think there is a way to disable the need of a tty for using sudo with ssh but makes things a little less secure.

Nick_C 10-15-2014 06:36 AM

Running "shutdown -h now" remotely returns error.
Quote:

bash: shutdown: command not found
Running "sudo shutdown -h now" remotely returns error:
Code:

sudo: sorry, you must have a tty to run sudo
"/sbin/shutdown -h now" and "/usr/sbin/shutdown -h now" both return same error:
Code:

Failed to issue method call: Access denied
Must be root


schneidz 10-15-2014 09:28 AM

i'm curious:
Code:

sudo /sbin/shutdown -h now
# or sudo /usr/sbin/shutdown -h now

?

also, what happens when you log in via ssh then run the commands using sudo (also try with specifying the path).

Nick_C 10-15-2014 11:49 AM

Quote:

Originally Posted by schneidz (Post 5254133)
i'm curious:
Code:

sudo /sbin/shutdown -h now
# or sudo /usr/sbin/shutdown -h now

?

also, what happens when you log in via ssh then run the commands using sudo (also try with specifying the path).

  • Logon to SSH as remoteshutdown
  • shutdown /h now
Code:

Authentication is required for powering off the system.
Authenticating as: <DifferentUser>

Edit:
Have now found a way to make 'remoteshutdown' an Administrator which it was not before. This has changed things slightly, running from SSH /usr/sbin/shutdown -h now
Code:

Authentication is required for powering off the system.
Multiple identities can be used for authentication:
1 . <DifferentUser>
2 . remoteshutdown
Choose identity to authenticate as


ReaperX7 10-15-2014 12:55 PM

Does your distribution use ConsoleKit or logind for session management?

Nick_C 10-15-2014 02:20 PM

Quote:

Originally Posted by ReaperX7 (Post 5254203)
Does your distribution use ConsoleKit or logind for session management?

No idea, using CentOS 7.0

schneidz 10-15-2014 02:27 PM

Quote:

Originally Posted by schneidz (Post 5254133)
also, what happens when you log in via ssh then run the commands using sudo (also try with specifying the path).

i.e.-
Code:

ssh remoteshutdown@host
sudo /usr/sbin/shutdown -h now


Nick_C 10-15-2014 03:20 PM

Quote:

Originally Posted by schneidz (Post 5254252)
i.e.-
Code:

ssh remoteshutdown@host
sudo /usr/sbin/shutdown -h now


ssh remoteshutdown@n.n.n.n
Code:

The authenticity of host 'n.n.n.n' can't be established.  ECDSA key fingerprint is ...... Are you sure you want to continue connecting (yes/no)?  Answer 'yes'
now logs-in ok

sudo /usr/sbin/shutdown -h now
Shuts-down server ok

Run batch file
plink.exe -ssh -pw <password> remoteshutdown@n.n.n.n "/sbin/shutdown -h now"
Error:
Code:

Failed to issue method call: Access denied
Must be root.


schneidz 10-15-2014 03:27 PM

Quote:

Originally Posted by Nick_C (Post 5254287)
ssh remoteshutdown@n.n.n.n
The authenticity of host 'n.n.n.n' can't be established. ECDSA key fingerprint is ...... Are you sure you want to continue connecting (yes/no)? Answer 'yes'
now logs-in ok

sudo /usr/sbin/shutdown -h now
Shuts-down server ok

good so you added permission for remoteshutdown to run that command via visudo (did it prompt for a password ?).

so now are you trying to make it so that remoteshutdown can shutdown the server via something like:
Code:

ssh remoteshutdown@n.n.n.n sudo /usr/sbin/shutdown -h now
i think sudo requires someone to be logged in for security reasons (there may be a way to disable that) ?

Nick_C 10-15-2014 03:33 PM

Quote:

Originally Posted by schneidz (Post 5254290)
i think sudo requires someone to be logged in for security reasons (there may be a way to disable that) ?

Which is why I was not sure that sudo is the correct way of doing this, I had hoped that there would have been a simpler way of doing this like changing the group on the shutdown command or something like that.

schneidz 10-15-2014 03:58 PM

that mite work. what does
Code:

which shutdown
ll /sbin/shutdown /usr/sbin/shutdown

look like ?

Nick_C 10-16-2014 09:37 AM

Quote:

Originally Posted by schneidz (Post 5254306)
that mite work. what does
Code:

which shutdown
ll /sbin/shutdown /usr/sbin/shutdown

look like ?

which shutdown
Code:

/usr/sbin/shutdown
ll /sbin/shutdown /usr/sbin/shutdown
Code:

lrwxrwxrwx. 1 root root 16 Sep 25 16:11 /sbin/shutdown -> ../bin/systemctl
lrwxrwxrwx. 1 root root 16 Sep 25 16:11 /usr/sbin/shutdown -> ../bin/systemctl

Does that help

schneidz 10-16-2014 09:40 AM

i would be concerned with changing permissions on the systemctl program becuz then remoteshutdown would be allowed to do other things like restart sshd, httpd, mysqld, ...

schneidz 10-16-2014 09:50 AM

this mite help:
http://maymay.net/blog/2010/03/17/ho...cing-security/

Nick_C 10-16-2014 10:20 AM

Code:

chmod +s /sbin/shutdown
then plink line works fine without any of this sudoers complication
Code:

plink.exe -ssh -pw <password> remoteshutdown@n.n.n.n "/sbin/shutdown -h now"
Simples

Thanks for all your help with this
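
What the `chmod +s` above actually changes, as an added example that is not part of the original thread: `/sbin/shutdown` is a symlink to `systemctl` (see the `ll` output earlier), and chmod follows symlinks. The tree below is a constructed throwaway copy of that layout with a dummy file in place of the real binary; the second link `reboot` and the function names are assumptions for the demonstration, and only the setuid half of `+s` is set.

```shell
#!/bin/sh
# Added example (not from the thread): a mode change made through a symlink
# lands on the link target, so every other name for that target inherits it.

# Print whether the file a path resolves to carries the setuid bit.
audit_setuid() {
    target=$(readlink -f -- "$1") || return 2
    if [ -u "$target" ]; then
        echo "SETUID $1 -> $target"
    else
        echo "clean  $1 -> $target"
    fi
}

# Build a constructed tree: sbin/shutdown and a second link, sbin/reboot,
# both point at ../bin/systemctl (an empty dummy file, not the real binary).
make_tree() {
    root=$(mktemp -d) || return 1
    mkdir "$root/bin" "$root/sbin"
    : > "$root/bin/systemctl"
    ln -s ../bin/systemctl "$root/sbin/shutdown"
    ln -s ../bin/systemctl "$root/sbin/reboot"
    echo "$root"
}

demo() {
    root=$(make_tree) || return 1
    chmod u+s "$root/sbin/shutdown"     # follows the link, changes systemctl
    audit_setuid "$root/sbin/shutdown"
    audit_setuid "$root/sbin/reboot"    # never touched, same target
    audit_setuid "$root/bin/systemctl"
    rm -rf "$root"
}

demo
```

Pointing `audit_setuid` at the real `/sbin/shutdown` and `/usr/bin/systemctl` on the server shows whether the bit is set there, and `chmod u-s,g-s` on the target removes it.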

schneidz 10-16-2014 10:27 AM

thanks for sharing your solution. my suggestion would be to use keys instead of writing down the passwd.

if it is solved please select resolved under thread tools.


All times are GMT -5.