LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 01-25-2008, 03:33 PM   #1
jessicaK
LQ Newbie
 
Registered: Dec 2007
Posts: 21

Rep: Reputation: 15
disable shutdown/reboot remotely


Hello!

Is there anyway to disable shutdown/reboot/halt etc commands from anyone not locally logged into the server?
 
Old 01-25-2008, 03:47 PM   #2
michaelsanford
Member
 
Registered: Feb 2005
Location: Ottawa/Montréal
Distribution: Slackware + Darwin (MacOS X)
Posts: 468

Rep: Reputation: 30
As far as I know, no direct way (like a haltrc file that allows you to restrict who can run it).

However, since you need to run shutdown as root (either as root or prefixed with sudo) you CAN change the /etc/sudoers file like so:
Code:
username localhost=/sbin/shutdown
%groupname localhost=/sbin/shutdown
This will allow them to run the specified command(s) only from localhost, and not from a remote machine over ssh. The group name is optional (as is the username), I only included it so you can see how it's used. You can just as easily specify a bunch of individual users, or a group with no individual users.

FYI: If you have a server with multiple users who all can play with the root account directly, though, you should fix that problem first

PS Make sure you don't accidentally (especially with a group specification) restrict yourself from restarting the machine remotely!

Last edited by michaelsanford; 01-25-2008 at 03:48 PM. Reason: Added PS
 
Old 01-28-2008, 07:37 AM   #3
jessicaK
LQ Newbie
 
Registered: Dec 2007
Posts: 21

Original Poster
Rep: Reputation: 15
I definately agree, trust me! Its oracle consultants that unfortunately need mostly root access until they have completed the implementation. We just have to make sure that until this is done they don't randomly reboot the server again

Thanks for your help and it's exactly what I was looking for!


Quote:
Originally Posted by michaelsanford View Post
As far as I know, no direct way (like a haltrc file that allows you to restrict who can run it).

However, since you need to run shutdown as root (either as root or prefixed with sudo) you CAN change the /etc/sudoers file like so:
Code:
username localhost=/sbin/shutdown
%groupname localhost=/sbin/shutdown
This will allow them to run the specified command(s) only from localhost, and not from a remote machine over ssh. The group name is optional (as is the username), I only included it so you can see how it's used. You can just as easily specify a bunch of individual users, or a group with no individual users.

FYI: If you have a server with multiple users who all can play with the root account directly, though, you should fix that problem first

PS Make sure you don't accidentally (especially with a group specification) restrict yourself from restarting the machine remotely!
 
Old 01-28-2008, 03:08 PM   #4
michaelsanford
Member
 
Registered: Feb 2005
Location: Ottawa/Montréal
Distribution: Slackware + Darwin (MacOS X)
Posts: 468

Rep: Reputation: 30
Well, you can restrict almost anything in this way, either whitelist or blacklist, in many different ways. Check out "man sudoers" for more information (the name of the config file itself, rather than the command).

Glad it helped!
 
Old 01-29-2008, 11:20 AM   #5
Micro420
Senior Member
 
Registered: Aug 2003
Location: Berkeley, CA
Distribution: Mac OS X Leopard 10.6.2, Windows 2003 Server/Vista/7/XP/2000/NT/98, Ubuntux64, CentOS4.8/5.4
Posts: 2,986

Rep: Reputation: 45
I'm pretty certain that you can also do this by modifying a specific PAM module. But if you can do without touching it, then don't touch it. I've locked myself out of a system before and it's not pretty

Last edited by Micro420; 01-29-2008 at 11:21 AM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
disable reboot/shutdown beep yiang Linux - Newbie 13 04-26-2006 11:47 PM
How to remotely shutdown a process darksoul04 Linux - Networking 6 09-11-2005 10:56 PM
Disable remote login shutdown/reboot student04 Linux - Security 1 03-06-2005 08:29 PM
Remotely reboot by an user zsolt_tuser Mandriva 7 07-10-2004 05:37 PM
Disable reboot/halt/shutdown as normal user carstenbjensen Mandriva 4 09-09-2003 11:42 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 05:58 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration