On 03/28/2012 09:47 AM, Phil Schaffner wrote:
> Johnny Hughes wrote on 03/28/2012 10:26 AM:
>> On 03/28/2012 09:03 AM, Phil Schaffner wrote:
>>> Timo Neuvonen wrote on 03/28/2012 09:17 AM:
>>>> I just noticed that CentOS (6.2) by default allows any user to
>>>> reboot/poweroff system without any admin rights, or without any further
>>>> questions, if using commands 'reboot' or 'poweroff'. But 'shutdown' still
>>>> requires admin rights.
>>>>
>>>> What is the preferred way to restrict any regular user from rebooting /
>>>> powering off the system (by accident)?
>>>>
>>>> IMHO, sudo should be required for this purpose (at least in a system with
>>>> shared remote access from multiple users, single-user laptops etc may be a
>>>> different case)
>>>>
>>> OUCH! This seems to qualify as a CentOS bug. I confirm that a normal
>>> user can reboot or poweroff the system on 6.2. On RHEL:
>>>
>>> $ rpm -qa redhat-release\*
>>> redhat-release-server-6Server-6.2.0.3.el6.x86_64
>>> $ poweroff
>>> poweroff: Need to be root
>>> $ reboot
>>> reboot: Need to be root
>>>
>>> Phil
>> Make sure you are testing apples to apples
>>
>> Test ssh access versus local console access, etc.
>>
> Got me there. The access mode does seem to be the difference. I tested
> from the GUI on CentOS and via ssh on RHEL. Logged on to the console in
> a GUI on RHEL6 a user can reboot or poweroff, and presumably also halt.
> Seems to be the "console user" thing. So CentOS does match upstream.
>

I just did some research on this ... the files that need to be modified
to change this behavior are:

/etc/pam.d/poweroff
/etc/pam.d/halt
/etc/pam.d/reboot

The files in CentOS are identical to upstream ... they are also
identical to each other and look like this:

auth       sufficient   pam_rootok.so
auth       required     pam_console.so
#auth       include     system-auth
account    required     pam_permit.so

I am sure those can be adjusted so console access by itself is not
sufficient.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
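
Added example, not part of the original message and not CentOS or upstream code: a small audit check for the three PAM files named above, reporting whether the active auth stack lets a console login through on pam_console.so alone. The function name classify_pam_file and its three result labels are hypothetical, and the classification is a heuristic over module names, not a full PAM evaluation.

```shell
#!/bin/sh
# Added example (hypothetical helper): classify the auth stack of one PAM
# service file.
#   console-only       pam_console.so is active and the only other auth module
#                      is pam_rootok.so, so being the console user is enough
#   console-plus-other pam_console.so is active together with another auth entry
#   no-console         pam_console.so is not in the active auth stack
classify_pam_file() {
    awk '
        /^[ \t]*#/   { next }                  # commented-out entries are inactive
        $1 != "auth" { next }                  # only the auth stack is examined
        {
            sub(/^[ \t]*auth[ \t]+/, "")       # drop the type field
            if ($0 ~ /^\[/) sub(/^\[[^]]*\][ \t]*/, "")  # bracketed control
            else            sub(/^[^ \t]+[ \t]+/, "")    # simple control word
            n = split($1, parts, "/")          # module may be given with a path
            module = parts[n]
            if (module == "pam_console.so")     console = 1
            else if (module != "pam_rootok.so") other = 1
        }
        END {
            if (!console)   print "no-console"
            else if (other) print "console-plus-other"
            else            print "console-only"
        }
    ' "$1"
}

# The stanza quoted in the message, written to a temp file so this runs offline.
sample=$(mktemp)
cat > "$sample" <<'EOF'
auth       sufficient   pam_rootok.so
auth       required     pam_console.so
#auth       include     system-auth
account    required     pam_permit.so
EOF
printf 'stanza from the message: %s\n' "$(classify_pam_file "$sample")"
rm -f "$sample"

# On a real host, check the three files named in the message if they exist.
for f in /etc/pam.d/poweroff /etc/pam.d/halt /etc/pam.d/reboot; do
    if [ -f "$f" ]; then
        printf '%s: %s\n' "$f" "$(classify_pam_file "$f")"
    fi
done
```

A file reported as console-only is one where the behaviour discussed in this thread applies: a user logged in at the local console passes the auth stack without further credentials.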