I have Mandrake 10.0 and a user rebooted the system remotely. I have tried to halt the system remotely with a normal user and it doesn't work. It says it must be superuser. Do you have any idea how is that possible? And also how can i find the process who called shutdown? Any reply would be apreciated.

A few questions:

Is your root password secure?

Are you allowing remote users to login as root (configuration issue somewhere---I can't remember exactly what file)?

Are you using a display manager which, when accessed remotely, allows for the machine to be shut down (check your GDM setup if that's what you use)?

Is the user in question able to use sudo or su?

I'm sure there are other possibilites, but I can't remember them at present.

Good luck,

Henry
]

My root password is secure.
Users are allowed to login as root remotely.
The user can do su, but i'm sure he doesn't know the password.
Here is a relevant part of /var/log/messages

Jul 8 16:30:17 irimie sshd(pam_unix)[21663]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=pd9e8937a.dip0.t-ipconnect.de user=alex
Jul 8 16:30:45 irimie kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC= SRC=192.168.69.1 DST=192.168.69.255 LEN=152 TOS=0x00 PREC=0x00 TTL=64 ID=1727 DF PROTO=UDP SPT=631 DPT=631 LEN=132
Jul 8 16:30:46 irimie sshd[21663]: Failed password for alex from 217.232.147.122 port 33195 ssh2
Jul 8 16:30:50 irimie sshd[21663]: Accepted password for alex from 217.232.147.122 port 33195 ssh2
Jul 8 16:30:50 irimie sshd(pam_unix)[21665]: session opened for user alex by (uid=500)
Jul 8 16:31:01 irimie CROND[21706]: (root) CMD (nice -n 19 run-parts /etc/cron.min)
Jul 8 16:31:01 irimie CROND[21705]: (root) MAIL (mailed 273 bytes of output but got status 0xffffffff )
Jul 8 16:31:16 irimie kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC= SRC=192.168.69.1 DST=192.168.69.255 LEN=152 TOS=0x00 PREC=0x00 TTL=64 ID=1728 DF PROTO=UDP SPT=631 DPT=631 LEN=132
Jul 8 16:31:47 irimie kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC= SRC=192.168.69.1 DST=192.168.69.255 LEN=152 TOS=0x00 PREC=0x00 TTL=64 ID=1729 DF PROTO=UDP SPT=631 DPT=631 LEN=132
Jul 8 16:32:00 irimie CROND[21756]: (root) CMD (nice -n 19 run-parts /etc/cron.min)
Jul 8 16:32:00 irimie CROND[21755]: (root) MAIL (mailed 273 bytes of output but got status 0xffffffff )
Jul 8 16:32:18 irimie kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC= SRC=192.168.69.1 DST=192.168.69.255 LEN=152 TOS=0x00 PREC=0x00 TTL=64 ID=1730 DF PROTO=UDP SPT=631 DPT=631 LEN=132
Jul 8 16:32:49 irimie kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC= SRC=192.168.69.1 DST=192.168.69.255 LEN=152 TOS=0x00 PREC=0x00 TTL=64 ID=1731 DF PROTO=UDP SPT=631 DPT=631 LEN=132
Jul 8 16:32:49 irimie shutdown: shutting down for system reboot
Jul 8 16:32:49 irimie init: Switching to runlevel: 6

User alex loged in, but there is no su. If he would've made su then it should have been in the log.
And then rebooted the system as user alex.

the command to shutdown is

poweroff


Sorry, but I can't help you with your rebooting problem. I just type
reboot in the console and it reboots for me, whether I'm in root mode or not.

I can reboot from the console with any user too, but not remotely. Remotely should work only with root!

Does anybody know if there is a possibility to find out the process who called shutdown? Thanks.

Do you absolutely need to be able to reboot the machine remotely? If so, why do the users need that capability? Also, what need do you have to allow root remote login access?

Another question: Is your display manager presenting a greeter to remote graphical login terminals that allows for the system to be shut down and/or rebooted?

My recommendations:

1) remove remote root access capability
2) double check your remote greeter to make sure reboots and shutdowns are disallowed
3) remove user capability to shutdown/reboot the system

IMHO, system shutdowns and reboots are only necessary from the console.

Viel Glueck,

Henry

The users don't have the capability to reboot the machine remotely. Only root can. That's why I can't understand how was able an user to reboot the machine remotely. I don't absolutely need to be able to login as root remotely because I can login with normal user and then switch with su, but I don't think that this is my problem. I don't have a remote greeter. I read a thread about Mandrake 10 randomly rebooting. Do you think that this could be my case also?