Ethan Benson wrote:
> 
> [...] 
> normally anyone, whether anyone is logged into the console or not, can
> press control alt delete and reboot the system (if you have that line
> in inittab) adding shutdown.allow changes this so that
> control-alt-delete only works when a listed user is logged into any of
> the console ttys.  if none are logged in then control-alt-delete is
> disabled.
> [...]

Ah, I see: 'shutdown.allow' is used for making rebooting more
restrictive - I thought I could use it for enabling mere mortals to
execute the halting of the system.

> > Now when I type 'shutdown -a -h now' it still tells me, I have to be
> > root. It looks like I have to set a SUID-flag. But I would prefer a
> > better solution. Otherwise: What would 'shutdown.allow' be good for?
> 
> you could do two different things:
> 
> add a group `shutdown' and add any authorised users to this group and
> do a chgrp shutdown /sbin/shutdown && chmod 4754 /sbin/shutdown.  or
> use sudo.
> 
> i highly recommend sudo over making shutdown suid.  making shutdown
> suid allows users in that group to call shutdown with whatever
> arguments they want, which is not a good thing.
> 
> with sudo you can give specific users the ability to run ONLY
> "shutdown -h now" with only those exact arguments and no other.
> 
> then you would run instead:
> 
> sudo shutdown -h now
> 
> here are the relevant lines to put in /etc/sudoers (use visudo):
> 
> Cmnd_Alias      SHUTDOWN=/sbin/shutdown -h now
> Cmnd_Alias      REBOOT=/sbin/shutdown -r now
> 
> username      hostname=SHUTDOWN,REBOOT
> 
> or if you don't want the user password to be required:
> 
> username      hostname=NOPASSWD: SHUTDOWN,REBOOT

Thank you very much, Mr. Benson - 'sudo' works just fine.

> just be sure to use visudo to edit sudoers it will check your syntax
> properly.  if you don't like the editor it runs (probably vi) then
> export EDITOR=whatever

I am definitely a vi fan and I had no problems with editing 'sudoers'.

Best regards,
Andreas.
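
Added example (not part of the original thread, and not sudo's own code): a simplified Python model of the difference described in the quoted reply, where the setuid-group setup checks only group membership while a sudoers Cmnd with arguments must match the typed arguments. The function names and sample command lines are constructed for illustration, and the user and host parts of the sudoers rule are assumed to match.

```python
import fnmatch
import shlex

# The two Cmnd_Alias values quoted in the thread.
SUDOERS_CMNDS = ["/sbin/shutdown -h now", "/sbin/shutdown -r now"]


def sudo_allows(cmnd_spec, argv):
    """Simplified model of how sudoers matches one Cmnd against a command line."""
    path, _, spec_args = cmnd_spec.partition(" ")
    if argv[0] != path:
        return False
    spec_args = " ".join(spec_args.split())
    if not spec_args:
        return True           # no arguments in the spec: any arguments are accepted
    if spec_args == '""':
        return not argv[1:]   # "" in the spec: only the bare command is accepted
    # Otherwise the typed arguments, joined by spaces, must match the spec
    # (sudoers also honours shell-style wildcards, hence fnmatch).
    return fnmatch.fnmatchcase(" ".join(argv[1:]), spec_args)


def setuid_allows(user_groups, argv, group="shutdown"):
    """Mode 4754, group shutdown: group membership is the only check."""
    return argv[0] == "/sbin/shutdown" and group in user_groups


def compare(command_line, user_groups=("shutdown",)):
    """Return the decision each setup would make for one command line."""
    argv = shlex.split(command_line)
    return {
        "setuid": setuid_allows(user_groups, argv),
        "sudo": any(sudo_allows(c, argv) for c in SUDOERS_CMNDS),
    }


if __name__ == "__main__":
    # Constructed sample command lines.
    for line in ("/sbin/shutdown -h now", "/sbin/shutdown -r now",
                 "/sbin/shutdown -h +60", "/sbin/shutdown -h now extra"):
        print(f"{line!r:32} {compare(line)}")
```

A Cmnd_Alias written as plain /sbin/shutdown, with no arguments after it, accepts any arguments in this model, which is the same exposure as the setuid setup.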
