Linux - NewbieThis Linux forum is for members that are new to Linux.
Just starting out and have a question?
If it is not in the man pages or the how-to's this is the place!
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
(About the timing of your requests, it's polite to wait a day or so before bumping your post so that everyone has a chance to view it. We are all volunteers here so keep that in mind, too. If it's not fun or interesting, then we'll skip it.)
You'll need to read up on sudo.
Then you'll need to read up on Pluggable Authentication Modules (PAM) to do the time restriction and connect that to sudo.
There is a presentation by M W Lucas on the topic of sudo. It's worth going all the way through or getting his book "sudo Mastery":
He also has a book PAM Mastery. (No, I don't know him or get kickbacks on sales.) There is some very limited information in the pam.conf(5) manual page, but here the book will help. PAM is very much better than what it replaced but nonetheless a symptom of its time and showing its age poorly.
If you need to restrict an administrative user from rebooting or running fsck, then you're simply doing things wrong.
And if you need to restrict users with sudo rights from carrying out such actions, then it could be argued that you've given those rights to the wrong users in the first place.
If the users have physical access to the box, they can reboot it regardless... thus I can't really see any point in what you're trying to do.
Perhaps explain your actual problem in detail instead of asking others to implement your proposed solution for you?
Hi All,
Is there a way to restrict reboot & fsck command being executed during the production time ( 9.00 AM to 9.00 PM ) ? We have a requirement as admin should be restricted executing reboot & fsck command during certain time (I mean production time).
Agree TOTALLY with cynwulf's advice...and with Turbocapitalist about bumping your own thread after 3 hours...this may be your 'job requirement', but that doesn't mean we're your co-workers, and have to hurry up and answer you. If this is your job, then it's up to YOU to come up with a solution.
If someone has admin rights to run fsck/reboot commands, there's no way (other than SUDO) to keep them from doing it. And even then, it won't be a viable solution, no matter what. Let's say you manage to use SUDO to restrict your 'admins' away from those commands...great! So what's to stop them from just running "su - root", and running them as the real root user, WITHOUT SUDO? Changing the root password, and logging in and running them? And even if you restrict EVERYTHING between those hours...what's to stop them from adjusting the system clock, and doing as they want? Pointless.
Either your 'admins' are trustworthy and accountable, or they're not. If they're not, they don't need admin rights and can't be trusted....so fire them and hire people that can do the job.
First, i believe this is something where people have to think out-of box to answer. Even i know there is no standard procedure to restrict, but some geeks do by hacking ( good guys) into the binary script or find solution for a problem which normal admins can't do.
@Turbocapitalist, Thank you for your comments and links.I understand we are volunteers, my (second post) doesn't mean that i need immediate solution for the problem posted. I have asked help in a polite way, even i feel the same when i come across a problem which does not have fun in working,but this question made to google for around 6 hours to find alternate way. who knows, same type of scenario might come in this forum from others.
@TB0ne, you have to read the post properly and understand before commenting.This is not about trust, but a request raised by management for some official reasons.These types of forum are only for knowledge sharing and not to give rude comments.
If you need to restrict an administrative user from rebooting or running fsck, then you're simply doing things wrong.
And if you need to restrict users with sudo rights from carrying out such actions, then it could be argued that you've given those rights to the wrong users in the first place.
If the users have physical access to the box, they can reboot it regardless... thus I can't really see any point in what you're trying to do.
Perhaps explain your actual problem in detail instead of asking others to implement your proposed solution for you?
@cynwulf, I am not asking anyone to implement proposed solution,just a general question.
@cynwulf, Thank you for your input.
First, i believe this is something where people have to think out-of box to answer. Even i know there is no standard procedure to restrict, but some geeks do by hacking ( good guys) into the binary script or find solution for a problem which normal admins can't do.
No, this is something that's totally pointless for anything besides a "what if" discussion.
Quote:
@TB0ne, you have to read the post properly and understand before commenting.This is not about trust, but a request raised by management for some official reasons.These types of forum are only for knowledge sharing and not to give rude comments.
I read it properly and understood it properly. This is TOTALLY about trust. If your management doesn't think the admins are:
Bright enough to know they shouldn't shut down a server during production
Stupid enough to do this without a REALLY good reason/approval
Can't be trusted to to know either of the first two
Again...these are supposedly 'admins'. They have PHYSICAL ACCESS to the servers, rendering ANYTHING you do meaningless. They can walk in and pull the power cord out, and shut down the server..putting them in a maintenance console/single user at reboot, to fsck all they want. They can reset the clock to say it's 10:30 at night, and do whatever they want. They can (as you said, "geeks do by hacking"), run fsck (again pointless...fsck on a mounted server will destroy it, basically, so going back to point 2 "Stupid enough to...").
No matter how you look at this, what you're wanting to do is both pointless and near impossible. Unless you give your 'admins' a very, VERY small subset of commands they can run, you're totally at their mercy. If your management can't figure that out, there's nothing you can do...your 'official reasons' are meaningless.
Again...these are supposedly 'admins'. They have PHYSICAL ACCESS to the servers, rendering ANYTHING you do meaningless. They can walk in and pull the power cord out, and shut down the server..putting them in a maintenance console/single user at reboot, to fsck all they want. They can reset the clock to say it's 10:30 at night, and do whatever they want. They can (as you said, "geeks do by hacking"), run fsck (again pointless...fsck on a mounted server will destroy it, basically, so going back to point 2 "Stupid enough to...").
No matter how you look at this, what you're wanting to do is both pointless and near impossible. Unless you give your 'admins' a very, VERY small subset of commands they can run, you're totally at their mercy. If your management can't figure that out, there's nothing you can do...your 'official reasons' are meaningless.
One further observation. Many very knowledgeable people here are very busy — that's often how they got to be knowledgeable. They just click on "zero reply threads" to see if there's anything that's proving a real challenge. When you bump your own post, you remove it from that category, and it looks as if some-one has already made a suggestion. That's not a good idea, is it?
One further observation. Many very knowledgeable people here are very busy — that's often how they got to be knowledgeable. They just click on "zero reply threads" to see if there's anything that's proving a real challenge. When you bump your own post, you remove it from that category, and it looks as if some-one has already made a suggestion. That's not a good idea, is it?
@DavidMcCann, thanks for you input, will ensure it never happens again.
These types of forum are only for knowledge sharing
Not only, but in essence you're correct.
If you want scripts / bespoke solutions written for you, then you need to pay for that (and as you're running RHEL, maybe use the support you're paying for while you're at it).
Good luck. The OP was pointed there before, but still doesn't seem to get that unless these 'admins' (who apparently can't be trusted not to reboot a live server without good cause, or run fsck on a mounted volume) are restricted to an incredibly small set of commands (and are locked out of the server room), that there is no real solution for their "management official reasons" request.
They don't seem to realize that:
If they can get into the server room, they can log in as root on a console and do whatever they want
If they can get into the server room, they can UNPLUG the server physically and reboot it (negating the first "official reason" of "not allowed to reboot")
If they can reboot the server they can also boot it to single-user mode and fsck anything (negating the second "official reason" of "not allowed to fsck")
That if they have ANY sort of sudo rights past a few commands, they can get in as root and do anything (negating BOTH points)
That if they have ANY sort of sudo rights past a few commands, they can reset system time to avoid the "official restrictions" on hours those things can be done (negating points 1 and 2 as before)
..which brings things full-circle to what cynwolf said, and I agree with: it's all about trust. If these 'admins' are too stupid to know not to do these things, or just don't care, then they do not need to be admins and/or have admin rights, it's that simple. But the OP says that we someone 'don't understand' these issues.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
