LinuxQuestions.org

usernameatdomain 10-26-2018 09:32 AM

Using visudo to allow non-root users to shut down the system
 
I am running CentOS 6 in a virtual machine and I want to know if it is possible to use visudo to allow non-root users to use the poweroff, shutdown, and reboot commands.
I think the relevant line from /etc/sudoers is
Code:

%users  localhost=/sbin/shutdown -h now

I want a user named david to be able to shut down and reboot the system, so I entered usermod -aG users david as root. The groups david command shows
Code:

david : david users

When I enter sudo shutdown -h now as david it says that david is not allowed to run sudo. Eventually I would like to allow the users group to use the poweroff and reboot commands in /etc/sudoers without a password, but I thought I would first try the default configuration in /etc/sudoers that allows members of the users group to use sudo shutdown -h now.
I became curious about this because I also run CentOS 7 in a virtual machine and I can run poweroff, shutdown, and reboot as a non-root user without modifying /etc/sudoers. I do not know how much this has to do with systemd because I also have a virtual machine with Debian 9 and I have the same results with visudo as CentOS 6.

pan64 10-26-2018 10:42 AM

It looks like you allowed to execute "/sbin/shutdown -h now" as it is. Did you try if that works?

dc.901 10-26-2018 10:46 AM

As the user david, what is the output of the following commands:

Code:

id
sudo -l


Turbocapitalist 10-26-2018 11:03 AM

The hostname may be a problem.

If nothing else works, try it with a hammer:

Code:

%users ALL=(root:root) /bin/shutdown -h now, /bin/shutdown -h [0-9][0-9]\:[0-9][0-9]

usernameatdomain 10-26-2018 11:57 AM

Quote:

Originally Posted by pan64 (Post 5919433)
It looks like you allowed to execute "/sbin/shutdown -h now" as it is. Did you try if that works?

It says
Code:

shutdown: Need to be root

usernameatdomain 10-26-2018 12:07 PM

Quote:

Originally Posted by dc.901 (Post 5919435)
As the user david, what is the output of the following commands:

Code:

id
sudo -l


id
Code:

uid=500(david) gid=500(david) groups=500(david),100(users) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

sudo -l
Code:

Sorry, user david may not run sudo on centos6.

TB0ne 10-26-2018 12:19 PM

Quote:

Originally Posted by usernameatdomain (Post 5919458)
id
Code:

uid=500(david) gid=500(david) groups=500(david),100(users) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

sudo -l
Code:

Sorry, user david may not run sudo on centos6.

Without seeing your sudoers file, I'd guess the problem is in there, based on your posts. A good number of 'default' sudoers files will have sudo restricted to members of the "wheel" group... is that the case on your system?

usernameatdomain 10-26-2018 12:33 PM

Quote:

Originally Posted by Turbocapitalist (Post 5919440)
The hostname may be a problem.

If nothing else works, try it with a hammer:

Code:

%users ALL=(root:root) /bin/shutdown -h now, /bin/shutdown -h [0-9][0-9]\:[0-9][0-9]

I solved the problem. The hostname was the problem. My hostname on my CentOS 6 virtual machine is centos6, so I changed
Code:

%users  localhost=/sbin/shutdown -h now

to
Code:

%users  centos6=/sbin/shutdown -h now

pan64 10-26-2018 01:14 PM

It is really great you could solve it.
Just one comment: localhost is always the current (local) host where you logged in, so probably you made some other changes too...

usernameatdomain 10-26-2018 03:08 PM

Quote:

Originally Posted by pan64 (Post 5919488)
It is really great you could solve it.
Just one comment: localhost is always the current (local) host where you logged in, so probably you made some other changes too...

I think the only relevant change I made was making my hostname centos6 instead of using the default hostname called localhost. If I used localhost as my hostname on my CentOS 6 virtual machine I would not have had this problem, but this was an interesting learning experience. I thought localhost in the context of /etc/sudoers meant the 127.0.0.1 loopback address, but it refers to the literal hostname "localhost". I did a Google search for "/etc/sudoers hostname" (without quotes) and I found a thread on the Ubuntu Forums that explained how to configure /etc/sudoers.
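
The host-field behaviour worked out in this thread, as an added example that is not part of any post above and is not sudo's own code: a simplified shell model of how a sudoers rule's host list is compared with the machine's host name, useful for checking which rules apply on a given host. The function names and sample rules are constructed for illustration; Host_Alias, netgroups and IP addresses are not modelled.

```sh
#!/bin/sh
# Simplified model of the sudoers host field ("who host = commands").
# Assumption: only ALL, plain names, "!" negation and shell wildcards are
# handled, and names are compared case-sensitively.

# host_matches HOSTLIST HOSTNAME: exit status 0 if the list applies to HOSTNAME.
host_matches() {
    list=$(printf '%s' "$1" | tr -d '[:space:]')
    result=1                        # no entry matched yet
    old_ifs=$IFS; IFS=,; set -f     # split on commas, no filename globbing
    for entry in $list; do
        neg=0
        case $entry in '!'*) neg=1; entry=${entry#?} ;; esac
        # A name containing a dot is compared with the full host name,
        # anything else with its first label (the short name).
        case $entry in *.*) name=$2 ;; *) name=${2%%.*} ;; esac
        hit=0
        if [ "$entry" = ALL ]; then hit=1; fi
        case $name in $entry) hit=1 ;; esac
        # The last matching entry decides, so "ALL, !centos6" excludes centos6.
        if [ "$hit" -eq 1 ]; then result=$neg; fi
    done
    set +f; IFS=$old_ifs
    return "$result"
}

# rules_for_host HOSTNAME: read sudoers-style lines on stdin and print the
# user specifications whose host field applies to HOSTNAME.
rules_for_host() {
    while read -r who rest; do
        case $who in ''|'#'*|Defaults*|*_Alias) continue ;; esac
        case $rest in *=*) ;; *) continue ;; esac
        if host_matches "${rest%%=*}" "$1"; then
            printf '%s %s\n' "$who" "$rest"
        fi
    done
}

# Constructed sample: the three rule variants quoted in the thread.
SAMPLE_RULES='%users  localhost=/sbin/shutdown -h now
%users  centos6=/sbin/shutdown -h now
%users ALL=(root:root) /bin/shutdown -h now, /bin/shutdown -h [0-9][0-9]\:[0-9][0-9]'

# On a host named centos6 only the second and third rules apply.
printf '%s\n' "$SAMPLE_RULES" | rules_for_host centos6
```

On the real system, `visudo -c` checks the file's syntax and `sudo -l -U david`, run as root, lists what sudo will allow that user on the current host.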


All times are GMT -5.