Restricting Reboot and fsck command

sathya_css · 01-31-2017, 04:02 AM

Hi All,

Is there a way to restrict reboot & fsck command being executed during the production time ( 9.00 AM to 9.00 PM ) ?

We have a requirement as admin should be restricted executing reboot & fsck command during certain time (I mean production time).

Regards,
Sathya.R

sathya_css · 01-31-2017, 07:16 AM

Any help please

kakistocrat · 01-31-2017, 07:29 AM

(About the timing of your requests, it's polite to wait a day or so before bumping your post so that everyone has a chance to view it. We are all volunteers here so keep that in mind, too. If it's not fun or interesting, then we'll skip it.)

You'll need to read up on sudo.
Then you'll need to read up on Pluggable Authentication Modules (PAM) to do the time restriction and connect that to sudo.

There is a presentation by M W Lucas on the topic of sudo. It's worth going all the way through or getting his book "sudo Mastery":

https://www.youtube.com/watch?v=o0purspHg-o
https://www.bsdcan.org/2014/schedule...can%202014.pdf

He also has a book PAM Mastery. (No, I don't know him or get kickbacks on sales.) There is some very limited information in the pam.conf(5) manual page, but here the book will help. PAM is very much better than what it replaced but nonetheless a symptom of its time and showing its age poorly.

PS. Don't misuse sudo to give full access to that problematic admin, just give access to the handful of programs they actually need. Maybe even consider restricting which options they can use with those programs.

cynwulf · 01-31-2017, 07:30 AM

If you need to restrict an administrative user from rebooting or running fsck, then you're simply doing things wrong.

And if you need to restrict users with sudo rights from carrying out such actions, then it could be argued that you've given those rights to the wrong users in the first place.

If the users have physical access to the box, they can reboot it regardless... thus I can't really see any point in what you're trying to do.

Perhaps explain your actual problem in detail instead of asking others to implement your proposed solution for you?

TB0ne · 01-31-2017, 07:43 AM

Quote:

Originally Posted by sathya_css

Hi All,
Is there a way to restrict reboot & fsck command being executed during the production time ( 9.00 AM to 9.00 PM ) ? We have a requirement as admin should be restricted executing reboot & fsck command during certain time (I mean production time).

Agree TOTALLY with cynwulf's advice...and with Turbocapitalist about bumping your own thread after 3 hours...this may be your 'job requirement', but that doesn't mean we're your co-workers, and have to hurry up and answer you. If this is your job, then it's up to YOU to come up with a solution.

If someone has admin rights to run fsck/reboot commands, there's no way (other than SUDO) to keep them from doing it. And even then, it won't be a viable solution, no matter what. Let's say you manage to use SUDO to restrict your 'admins' away from those commands...great! So what's to stop them from just running "su - root", and running them as the real root user, WITHOUT SUDO? Changing the root password, and logging in and running them? And even if you restrict EVERYTHING between those hours...what's to stop them from adjusting the system clock, and doing as they want? Pointless.

Either your 'admins' are trustworthy and accountable, or they're not. If they're not, they don't need admin rights and can't be trusted....so fire them and hire people that can do the job.

sathya_css · 01-31-2017, 08:27 AM

@cynwulf, Thank you for your input.

First, i believe this is something where people have to think out-of box to answer. Even i know there is no standard procedure to restrict, but some geeks do by hacking ( good guys) into the binary script or find solution for a problem which normal admins can't do.

@Turbocapitalist, Thank you for your comments and links.I understand we are volunteers, my (second post) doesn't mean that i need immediate solution for the problem posted. I have asked help in a polite way, even i feel the same when i come across a problem which does not have fun in working,but this question made to google for around 6 hours to find alternate way. who knows, same type of scenario might come in this forum from others.

@TB0ne, you have to read the post properly and understand before commenting.This is not about trust, but a request raised by management for some official reasons.These types of forum are only for knowledge sharing and not to give rude comments.

Thanks again.

sathya_css · 01-31-2017, 08:31 AM

Quote:

Originally Posted by cynwulf

If you need to restrict an administrative user from rebooting or running fsck, then you're simply doing things wrong.

And if you need to restrict users with sudo rights from carrying out such actions, then it could be argued that you've given those rights to the wrong users in the first place.

If the users have physical access to the box, they can reboot it regardless... thus I can't really see any point in what you're trying to do.

Perhaps explain your actual problem in detail instead of asking others to implement your proposed solution for you?

@cynwulf, I am not asking anyone to implement proposed solution,just a general question.

TB0ne · 01-31-2017, 10:02 AM

Quote:

Originally Posted by sathya_css

@cynwulf, Thank you for your input.
First, i believe this is something where people have to think out-of box to answer. Even i know there is no standard procedure to restrict, but some geeks do by hacking ( good guys) into the binary script or find solution for a problem which normal admins can't do.

No, this is something that's totally pointless for anything besides a "what if" discussion.

Quote:

@TB0ne, you have to read the post properly and understand before commenting.This is not about trust, but a request raised by management for some official reasons.These types of forum are only for knowledge sharing and not to give rude comments.

I read it properly and understood it properly. This is TOTALLY about trust. If your management doesn't think the admins are:

Bright enough to know they shouldn't shut down a server during production
Stupid enough to do this without a REALLY good reason/approval
Can't be trusted to to know either of the first two

Then there is NOTHING that can be done from a technical standpoint. I don't care if you think it's rude or not...it's the truth. Bumping your own thread after 3 hours to get someone to do your job for you is rude too, but it certainly didn't stop you. Didn't stop you from getting advice before, either, and never responding to anyone...which is fairly rude too, isn't it?
http://www.linuxquestions.org/questi...es-4175470778/
http://www.linuxquestions.org/questi...ux-4175540423/
http://www.linuxquestions.org/questi...ld-4175540545/
http://www.linuxquestions.org/questi...ng-4175563706/

Again...these are supposedly 'admins'. They have PHYSICAL ACCESS to the servers, rendering ANYTHING you do meaningless. They can walk in and pull the power cord out, and shut down the server..putting them in a maintenance console/single user at reboot, to fsck all they want. They can reset the clock to say it's 10:30 at night, and do whatever they want. They can (as you said, "geeks do by hacking"), run fsck (again pointless...fsck on a mounted server will destroy it, basically, so going back to point 2 "Stupid enough to...").

No matter how you look at this, what you're wanting to do is both pointless and near impossible. Unless you give your 'admins' a very, VERY small subset of commands they can run, you're totally at their mercy. If your management can't figure that out, there's nothing you can do...your 'official reasons' are meaningless.

sathya_css · 01-31-2017, 10:26 AM

Quote:

Originally Posted by TB0ne

No, this is something that's totally pointless for anything besides a "what if" discussion.

I read it properly and understood it properly. This is TOTALLY about trust. If your management doesn't think the admins are:

Bright enough to know they shouldn't shut down a server during production
Stupid enough to do this without a REALLY good reason/approval
Can't be trusted to to know either of the first two

Then there is NOTHING that can be done from a technical standpoint. I don't care if you think it's rude or not...it's the truth. Bumping your own thread after 3 hours to get someone to do your job for you is rude too, but it certainly didn't stop you. Didn't stop you from getting advice before, either, and never responding to anyone...which is fairly rude too, isn't it?
http://www.linuxquestions.org/questi...es-4175470778/
http://www.linuxquestions.org/questi...ux-4175540423/
http://www.linuxquestions.org/questi...ld-4175540545/
http://www.linuxquestions.org/questi...ng-4175563706/

Again...these are supposedly 'admins'. They have PHYSICAL ACCESS to the servers, rendering ANYTHING you do meaningless. They can walk in and pull the power cord out, and shut down the server..putting them in a maintenance console/single user at reboot, to fsck all they want. They can reset the clock to say it's 10:30 at night, and do whatever they want. They can (as you said, "geeks do by hacking"), run fsck (again pointless...fsck on a mounted server will destroy it, basically, so going back to point 2 "Stupid enough to...").

No matter how you look at this, what you're wanting to do is both pointless and near impossible. Unless you give your 'admins' a very, VERY small subset of commands they can run, you're totally at their mercy. If your management can't figure that out, there's nothing you can do...your 'official reasons' are meaningless.

@TB0ne... ha ha ha ... you won ... good day.....

DavidMcCann · 01-31-2017, 10:34 AM

One further observation. Many very knowledgeable people here are very busy — that's often how they got to be knowledgeable. They just click on "zero reply threads" to see if there's anything that's proving a real challenge. When you bump your own post, you remove it from that category, and it looks as if some-one has already made a suggestion. That's not a good idea, is it?

sathya_css · 01-31-2017, 10:39 AM

Quote:

Originally Posted by DavidMcCann

One further observation. Many very knowledgeable people here are very busy — that's often how they got to be knowledgeable. They just click on "zero reply threads" to see if there's anything that's proving a real challenge. When you bump your own post, you remove it from that category, and it looks as if some-one has already made a suggestion. That's not a good idea, is it?

@DavidMcCann, thanks for you input, will ensure it never happens again.

cynwulf · 01-31-2017, 10:50 AM

Quote:

Originally Posted by sathya_css

These types of forum are only for knowledge sharing

Not only, but in essence you're correct.

If you want scripts / bespoke solutions written for you, then you need to pay for that (and as you're running RHEL, maybe use the support you're paying for while you're at it).

Habitual · 01-31-2017, 11:11 AM

See Sudo: You're doing it wrong at https://www.linuxquestions.org/quest...llected-35954/
for some "best practices" suggestions and guidelines.

TB0ne · 01-31-2017, 12:09 PM

Quote:

Originally Posted by Habitual

See Sudo: You're doing it wrong at https://www.linuxquestions.org/quest...llected-35954/
for some "best practices" suggestions and guidelines.

Good luck. The OP was pointed there before, but still doesn't seem to get that unless these 'admins' (who apparently can't be trusted not to reboot a live server without good cause, or run fsck on a mounted volume) are restricted to an incredibly small set of commands (and are locked out of the server room), that there is no real solution for their "management official reasons" request.

They don't seem to realize that:

If they can get into the server room, they can log in as root on a console and do whatever they want
If they can get into the server room, they can UNPLUG the server physically and reboot it (negating the first "official reason" of "not allowed to reboot")
If they can reboot the server they can also boot it to single-user mode and fsck anything (negating the second "official reason" of "not allowed to fsck")
That if they have ANY sort of sudo rights past a few commands, they can get in as root and do anything (negating BOTH points)
That if they have ANY sort of sudo rights past a few commands, they can reset system time to avoid the "official restrictions" on hours those things can be done (negating points 1 and 2 as before)

..which brings things full-circle to what cynwolf said, and I agree with: it's all about trust. If these 'admins' are too stupid to know not to do these things, or just don't care, then they do not need to be admins and/or have admin rights, it's that simple. But the OP says that we someone 'don't understand' these issues.

Habitual · 01-31-2017, 01:02 PM

The requirement can be met in one 30 minute discussion with "admins" during "production time."

Retool the admin, not do cartwheels around "access".

End Transmission.

Quote:

Originally Posted by sathya_css

ha ha ha

Is that the admin laugh?