LinuxQuestions.org
Old 01-31-2017, 04:02 AM   #1
sathya_css
LQ Newbie
 
Registered: Jun 2013
Location: India
Distribution: Redhat 6
Posts: 24

Rep: Reputation: Disabled
Restricting Reboot and fsck command


Hi All,

Is there a way to restrict the reboot & fsck commands from being executed during production time (9.00 AM to 9.00 PM)?

We have a requirement that the admin should be restricted from executing the reboot & fsck commands during a certain time (I mean production time).

Regards,
Sathya.R
 
Old 01-31-2017, 07:16 AM   #2
sathya_css
LQ Newbie
 
Registered: Jun 2013
Location: India
Distribution: Redhat 6
Posts: 24

Original Poster
Rep: Reputation: Disabled
Any help, please?
 
Old 01-31-2017, 07:29 AM   #3
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,006
Blog Entries: 3

Rep: Reputation: 3633
(About the timing of your requests, it's polite to wait a day or so before bumping your post so that everyone has a chance to view it. We are all volunteers here so keep that in mind, too. If it's not fun or interesting, then we'll skip it.)

You'll need to read up on sudo.
Then you'll need to read up on Pluggable Authentication Modules (PAM) to do the time restriction and connect that to sudo.

There is a presentation by M W Lucas on the topic of sudo. It's worth going all the way through or getting his book "sudo Mastery":

https://www.youtube.com/watch?v=o0purspHg-o
https://www.bsdcan.org/2014/schedule...can%202014.pdf

He also has a book PAM Mastery. (No, I don't know him or get kickbacks on sales.) There is some very limited information in the pam.conf(5) manual page, but here the book will help. PAM is very much better than what it replaced but nonetheless a symptom of its time and showing its age poorly.

PS. Don't misuse sudo to give full access to that problematic admin, just give access to the handful of programs they actually need. Maybe even consider restricting which options they can use with those programs.

Last edited by Turbocapitalist; 01-31-2017 at 07:31 AM.
 
1 members found this post helpful.
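
The sudo-plus-PAM approach suggested in post #3 could look like the following; this is an added example, not configuration posted by anyone in the thread. The account name `opsadmin` and the binary paths are assumptions, and because pam_time decides per PAM service rather than per command, the rule gates every sudo call made by that account during the window.

```conf
# ---- /etc/sudoers.d/opsadmin  (edit with: visudo -f /etc/sudoers.d/opsadmin) ----
# Hypothetical account "opsadmin", limited to these two programs as root.
# Paths are assumptions; confirm where the binaries live on the host.
# The "" after reboot permits no arguments at all; a bare path such as
# /sbin/fsck permits any arguments.
opsadmin ALL=(root) /sbin/reboot "", /sbin/fsck

# Never reuse a cached sudo ticket: every invocation re-authenticates,
# so a ticket obtained before 09:00 cannot be replayed inside the window.
Defaults:opsadmin timestamp_timeout=0

# ---- /etc/pam.d/sudo ----
# Add this line above the existing "account" entries so that pam_time
# takes part in the account phase of the sudo service.
account    required     pam_time.so

# ---- /etc/security/time.conf ----
# Format:  services ; ttys ; users ; times
# Access is granted only when the current time matches the "times" field.
# "Al" = every day, 0900-2100 = production hours, "!" negates the range:
# opsadmin may use the sudo service only OUTSIDE 09:00-21:00.
sudo ; * ; opsadmin ; !Al0900-2100
```

pam_time reads the system clock, so the rule holds only while the account cannot set the time or reach root by another route, which is the objection raised in posts #5 and #14.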
Old 01-31-2017, 07:30 AM   #4
cynwulf
Senior Member
 
Registered: Apr 2005
Posts: 2,727

Rep: Reputation: 2367
If you need to restrict an administrative user from rebooting or running fsck, then you're simply doing things wrong.

And if you need to restrict users with sudo rights from carrying out such actions, then it could be argued that you've given those rights to the wrong users in the first place.

If the users have physical access to the box, they can reboot it regardless... thus I can't really see any point in what you're trying to do.

Perhaps explain your actual problem in detail instead of asking others to implement your proposed solution for you?

Last edited by cynwulf; 01-31-2017 at 07:31 AM.
 
3 members found this post helpful.
Old 01-31-2017, 07:43 AM   #5
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,139

Rep: Reputation: 7855
Quote:
Originally Posted by sathya_css View Post
Hi All,
Is there a way to restrict reboot & fsck command being executed during the production time ( 9.00 AM to 9.00 PM ) ? We have a requirement as admin should be restricted executing reboot & fsck command during certain time (I mean production time).
Agree TOTALLY with cynwulf's advice...and with Turbocapitalist about bumping your own thread after 3 hours...this may be your 'job requirement', but that doesn't mean we're your co-workers, and have to hurry up and answer you. If this is your job, then it's up to YOU to come up with a solution.

If someone has admin rights to run fsck/reboot commands, there's no way (other than SUDO) to keep them from doing it. And even then, it won't be a viable solution, no matter what. Let's say you manage to use SUDO to restrict your 'admins' away from those commands...great! So what's to stop them from just running "su - root", and running them as the real root user, WITHOUT SUDO? Changing the root password, and logging in and running them? And even if you restrict EVERYTHING between those hours...what's to stop them from adjusting the system clock, and doing as they want? Pointless.

Either your 'admins' are trustworthy and accountable, or they're not. If they're not, they don't need admin rights and can't be trusted....so fire them and hire people that can do the job.
 
Old 01-31-2017, 08:27 AM   #6
sathya_css
LQ Newbie
 
Registered: Jun 2013
Location: India
Distribution: Redhat 6
Posts: 24

Original Poster
Rep: Reputation: Disabled
@cynwulf, Thank you for your input.

First, I believe this is something where people have to think out of the box to answer. Even I know there is no standard procedure to restrict, but some geeks do it by hacking (good guys) into the binary script or find a solution for a problem which normal admins can't.


@Turbocapitalist, Thank you for your comments and links. I understand we are volunteers; my (second post) doesn't mean that I need an immediate solution for the problem posted. I have asked for help in a polite way. Even I feel the same when I come across a problem which is not fun to work on, but this question made me google for around 6 hours to find an alternate way. Who knows, the same type of scenario might come up in this forum from others.

@TB0ne, you have to read the post properly and understand before commenting. This is not about trust, but a request raised by management for some official reasons. These types of forums are only for knowledge sharing and not to give rude comments.

Thanks again.
 
Old 01-31-2017, 08:31 AM   #7
sathya_css
LQ Newbie
 
Registered: Jun 2013
Location: India
Distribution: Redhat 6
Posts: 24

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by cynwulf View Post
If you need to restrict an administrative user from rebooting or running fsck, then you're simply doing things wrong.

And if you need to restrict users with sudo rights from carrying out such actions, then it could be argued that you've given those rights to the wrong users in the first place.

If the users have physical access to the box, they can reboot it regardless... thus I can't really see any point in what you're trying to do.

Perhaps explain your actual problem in detail instead of asking others to implement your proposed solution for you?
@cynwulf, I am not asking anyone to implement a proposed solution, just a general question.
 
Old 01-31-2017, 10:02 AM   #8
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,139

Rep: Reputation: 7855
Quote:
Originally Posted by sathya_css View Post
@cynwulf, Thank you for your input.
First, i believe this is something where people have to think out-of box to answer. Even i know there is no standard procedure to restrict, but some geeks do by hacking ( good guys) into the binary script or find solution for a problem which normal admins can't do.
No, this is something that's totally pointless for anything besides a "what if" discussion.
Quote:
@TB0ne, you have to read the post properly and understand before commenting.This is not about trust, but a request raised by management for some official reasons.These types of forum are only for knowledge sharing and not to give rude comments.
I read it properly and understood it properly. This is TOTALLY about trust. If your management doesn't think the admins are:
  1. Bright enough to know they shouldn't shut down a server during production
  2. Stupid enough to do this without a REALLY good reason/approval
  3. Can't be trusted to know either of the first two
Then there is NOTHING that can be done from a technical standpoint. I don't care if you think it's rude or not...it's the truth. Bumping your own thread after 3 hours to get someone to do your job for you is rude too, but it certainly didn't stop you. Didn't stop you from getting advice before, either, and never responding to anyone...which is fairly rude too, isn't it?
http://www.linuxquestions.org/questi...es-4175470778/
http://www.linuxquestions.org/questi...ux-4175540423/
http://www.linuxquestions.org/questi...ld-4175540545/
http://www.linuxquestions.org/questi...ng-4175563706/


Again...these are supposedly 'admins'. They have PHYSICAL ACCESS to the servers, rendering ANYTHING you do meaningless. They can walk in and pull the power cord out, and shut down the server..putting them in a maintenance console/single user at reboot, to fsck all they want. They can reset the clock to say it's 10:30 at night, and do whatever they want. They can (as you said, "geeks do by hacking"), run fsck (again pointless...fsck on a mounted server will destroy it, basically, so going back to point 2 "Stupid enough to...").

No matter how you look at this, what you're wanting to do is both pointless and near impossible. Unless you give your 'admins' a very, VERY small subset of commands they can run, you're totally at their mercy. If your management can't figure that out, there's nothing you can do...your 'official reasons' are meaningless.

Last edited by TB0ne; 01-31-2017 at 10:08 AM.
 
1 members found this post helpful.
Old 01-31-2017, 10:26 AM   #9
sathya_css
LQ Newbie
 
Registered: Jun 2013
Location: India
Distribution: Redhat 6
Posts: 24

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by TB0ne View Post
No, this is something that's totally pointless for anything besides a "what if" discussion.

I read it properly and understood it properly. This is TOTALLY about trust. If your management doesn't think the admins are:
  1. Bright enough to know they shouldn't shut down a server during production
  2. Stupid enough to do this without a REALLY good reason/approval
  3. Can't be trusted to know either of the first two
Then there is NOTHING that can be done from a technical standpoint. I don't care if you think it's rude or not...it's the truth. Bumping your own thread after 3 hours to get someone to do your job for you is rude too, but it certainly didn't stop you. Didn't stop you from getting advice before, either, and never responding to anyone...which is fairly rude too, isn't it?
http://www.linuxquestions.org/questi...es-4175470778/
http://www.linuxquestions.org/questi...ux-4175540423/
http://www.linuxquestions.org/questi...ld-4175540545/
http://www.linuxquestions.org/questi...ng-4175563706/


Again...these are supposedly 'admins'. They have PHYSICAL ACCESS to the servers, rendering ANYTHING you do meaningless. They can walk in and pull the power cord out, and shut down the server..putting them in a maintenance console/single user at reboot, to fsck all they want. They can reset the clock to say it's 10:30 at night, and do whatever they want. They can (as you said, "geeks do by hacking"), run fsck (again pointless...fsck on a mounted server will destroy it, basically, so going back to point 2 "Stupid enough to...").

No matter how you look at this, what you're wanting to do is both pointless and near impossible. Unless you give your 'admins' a very, VERY small subset of commands they can run, you're totally at their mercy. If your management can't figure that out, there's nothing you can do...your 'official reasons' are meaningless.



@TB0ne... ha ha ha ... you won ... good day.....
 
Old 01-31-2017, 10:34 AM   #10
DavidMcCann
LQ Veteran
 
Registered: Jul 2006
Location: London
Distribution: PCLinuxOS, Debian
Posts: 6,085

Rep: Reputation: 2279
One further observation. Many very knowledgeable people here are very busy — that's often how they got to be knowledgeable. They just click on "zero reply threads" to see if there's anything that's proving a real challenge. When you bump your own post, you remove it from that category, and it looks as if some-one has already made a suggestion. That's not a good idea, is it?
 
Old 01-31-2017, 10:39 AM   #11
sathya_css
LQ Newbie
 
Registered: Jun 2013
Location: India
Distribution: Redhat 6
Posts: 24

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by DavidMcCann View Post
One further observation. Many very knowledgeable people here are very busy — that's often how they got to be knowledgeable. They just click on "zero reply threads" to see if there's anything that's proving a real challenge. When you bump your own post, you remove it from that category, and it looks as if some-one has already made a suggestion. That's not a good idea, is it?
@DavidMcCann, thanks for your input, will ensure it never happens again.
 
Old 01-31-2017, 10:50 AM   #12
cynwulf
Senior Member
 
Registered: Apr 2005
Posts: 2,727

Rep: Reputation: 2367
Quote:
Originally Posted by sathya_css View Post
These types of forum are only for knowledge sharing
Not only, but in essence you're correct.

If you want scripts / bespoke solutions written for you, then you need to pay for that (and as you're running RHEL, maybe use the support you're paying for while you're at it).
 
1 members found this post helpful.
Old 01-31-2017, 11:11 AM   #13
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
See Sudo: You're doing it wrong at https://www.linuxquestions.org/quest...llected-35954/
for some "best practices" suggestions and guidelines.
 
Old 01-31-2017, 12:09 PM   #14
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,139

Rep: Reputation: 7855
Quote:
Originally Posted by Habitual View Post
See Sudo: You're doing it wrong at https://www.linuxquestions.org/quest...llected-35954/
for some "best practices" suggestions and guidelines.
Good luck. The OP was pointed there before, but still doesn't seem to get that unless these 'admins' (who apparently can't be trusted not to reboot a live server without good cause, or run fsck on a mounted volume) are restricted to an incredibly small set of commands (and are locked out of the server room), that there is no real solution for their "management official reasons" request.

They don't seem to realize that:
  • If they can get into the server room, they can log in as root on a console and do whatever they want
  • If they can get into the server room, they can UNPLUG the server physically and reboot it (negating the first "official reason" of "not allowed to reboot")
  • If they can reboot the server they can also boot it to single-user mode and fsck anything (negating the second "official reason" of "not allowed to fsck")
  • That if they have ANY sort of sudo rights past a few commands, they can get in as root and do anything (negating BOTH points)
  • That if they have ANY sort of sudo rights past a few commands, they can reset system time to avoid the "official restrictions" on hours those things can be done (negating points 1 and 2 as before)
...which brings things full-circle to what cynwulf said, and I agree with: it's all about trust. If these 'admins' are too stupid to know not to do these things, or just don't care, then they do not need to be admins and/or have admin rights, it's that simple. But the OP says that we somehow 'don't understand' these issues.
 
Old 01-31-2017, 01:02 PM   #15
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
The requirement can be met in one 30 minute discussion with "admins" during "production time."

Retool the admin, not do cartwheels around "access".

End Transmission.

Quote:
Originally Posted by sathya_css View Post
ha ha ha
Is that the admin laugh?

Last edited by Habitual; 01-31-2017 at 03:57 PM.
 
  

