Re: temporary su login
On Fri, Sep 07, 2007 at 06:43:33AM +, [EMAIL PROTECTED] wrote:
> Tamouh wrote:
>> Robin Becker wrote:
>>>> My collocation supplier is about to move our FreeBSD box and wants some way to shut it down cleanly. Is there a simple way to allow a non-root user to have shutdown rights without just giving them the world. At present I don't even allow login via ssh on that box ie it's purely key based.
>>> What I would do is develop a script (owned by root) and callable by everybody which then checks the user-id of its caller, and if it is an acceptable one, the script will issue a warning (to wall) and then shutdown the system.
>> why not ask them to do CTRL+ALT+DEL which will reboot the server cleanly and once it hit does the initial reset, turn it off.
> Yes, CTRL+ALT+DEL will reboot the server cleanly, but it does not shutdown the previous session nicely, it shuts it down catastrophically, and it can be done by anyone with access to the system keyboard. Robin asked for a way to allow one specific non-root user to be able to shutdown the system.

Actually it will do a clean shutdown if your hardware supports it.

But, assuming this is not available, then check out 'sudo'. It is in the ports. With it you can create a command that can only be run by one id. You do not have to give that id root privilege or the ability to run any other command. In fact, by manipulating the user's shell, you can create a login account that can only run that command and then go away/logout.

The sudo utility starts up when the command you created is executed. It checks the user id it is running under and if you want, it can ask for further authentication. If the command that the user is attempting to run is acceptable, then it will execute that command for the user.

In the sudo configuration file you can create a list of system commands a particular id is allowed to run.

But watch and see if your CTRL-ALT-DEL causes a regular shutdown or crashes it down.

jerry

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

RE: temporary su login
Tamouh wrote:
> Robin Becker wrote:
>>> My collocation supplier is about to move our FreeBSD box and wants some way to shut it down cleanly. Is there a simple way to allow a non-root user to have shutdown rights without just giving them the world. At present I don't even allow login via ssh on that box ie it's purely key based.
>> What I would do is develop a script (owned by root) and callable by everybody which then checks the user-id of its caller, and if it is an acceptable one, the script will issue a warning (to wall) and then shutdown the system.
> why not ask them to do CTRL+ALT+DEL which will reboot the server cleanly and once it hit does the initial reset, turn it off.

Yes, CTRL+ALT+DEL will reboot the server cleanly, but it does not shutdown the previous session nicely, it shuts it down catastrophically, and it can be done by anyone with access to the system keyboard. Robin asked for a way to allow one specific non-root user to be able to shutdown the system.

RE: temporary su login
Robin Becker wrote:
> My collocation supplier is about to move our FreeBSD box and wants some way to shut it down cleanly. Is there a simple way to allow a non-root user to have shutdown rights without just giving them the world. At present I don't even allow login via ssh on that box ie it's purely key based.

What I would do is develop a script (owned by root) and callable by everybody which then checks the user-id of its caller, and if it is an acceptable one, the script will issue a warning (to wall) and then shutdown the system.

RE: temporary su login
Robin Becker wrote:
>> My collocation supplier is about to move our FreeBSD box and wants some way to shut it down cleanly. Is there a simple way to allow a non-root user to have shutdown rights without just giving them the world. At present I don't even allow login via ssh on that box ie it's purely key based.
> What I would do is develop a script (owned by root) and callable by everybody which then checks the user-id of its caller, and if it is an acceptable one, the script will issue a warning (to wall) and then shutdown the system.

why not ask them to do CTRL+ALT+DEL which will reboot the server cleanly and once it hit does the initial reset, turn it off.

Tamouh

Re: temporary su login
On Sep 5, 2007, at 11:37 AM, Robin Becker wrote:
> My collocation supplier is about to move our FreeBSD box and wants some way to shut it down cleanly. Is there a simple way to allow a non-root user to have shutdown rights without just giving them the world. At present I don't even allow login via ssh on that box ie it's purely key based.
> --
> Robin Becker

look @ sudo in the ports

Re: temporary su login
Robin Becker wrote:
> My collocation supplier is about to move our FreeBSD box and wants some way to shut it down cleanly. Is there a simple way to allow a non-root user to have shutdown rights without just giving them the world. At present I don't even allow login via ssh on that box ie it's purely key based.

I'm wondering how would you want to change a system to which you don't have access? Or did I misunderstand something?

Bahman

Re: temporary su login
After installing sudo read sudoers.sample (/usr/local/etc/sudoers.sample)

----- Original Message -----
From: Robin Becker [EMAIL PROTECTED]
To: freebsd-questions@freebsd.org
Sent: Wednesday, September 5, 2007 6:37:51 PM
Subject: temporary su login

My collocation supplier is about to move our FreeBSD box and wants some way to shut it down cleanly. Is there a simple way to allow a non-root user to have shutdown rights without just giving them the world. At present I don't even allow login via ssh on that box ie it's purely key based.
--
Robin Becker

Re: temporary su login
-rwxr-xr-x 1 root operator 15728 30 pa# 2006 /sbin/shutdown

chmod 4710 /sbin/shutdown
and add user to operator group

On Wed, 5 Sep 2007, Robin Becker wrote:
> My collocation supplier is about to move our FreeBSD box and wants some way to shut it down cleanly. Is there a simple way to allow a non-root user to have shutdown rights without just giving them the world. At present I don't even allow login via ssh on that box ie it's purely key based.
> --
> Robin Becker

Re: temporary su login
On Wednesday 05 September 2007 18:50:21 Bahman M. wrote:
> Robin Becker wrote:
>> At present I don't even allow login via ssh on that box ie it's purely key based.
> I'm wondering how would you want to change a system to which you don't have access? Or did I misunderstand something?

He's using ssh pub/private keys - not hashed system passwords, so no passwords (even in hashed form) travel the network.

And yes, sudo is the way to go.

--
Mel
People using reply to all on lists, must think I need 2 copies.

Re: temporary su login
Mel wrote:
> On Wednesday 05 September 2007 18:50:21 Bahman M. wrote:
>> Robin Becker wrote:
>>> At present I don't even allow login via ssh on that box ie it's purely key based.
>> I'm wondering how would you want to change a system to which you don't have access? Or did I misunderstand something?
> He's using ssh pub/private keys - not hashed system passwords, so no passwords (even in hashed form) travel the network.

You're right! I don't know why but I thought by key based he meant keyboard based, i.e. no net access! Should have read the question more carefully.

Bahman

Re: temporary su login
On Sep 5, 2007, at 10:37 AM, Robin Becker wrote:
> My collocation supplier is about to move our FreeBSD box and wants some way to shut it down cleanly. Is there a simple way to allow a non-root user to have shutdown rights without just giving them the world. At present I don't even allow login via ssh on that box ie it's purely key based.

I'm sure nobody will mention this, so I will. On most systems that support ACPI, your colo provider can simply press the power button on the front of your server. FreeBSD's kernel will pick up the signal and shut down cleanly. Once you're moved, they can press the same button to power the system on.

There is *NO* need to give them login access to the box. Also, they could simply call you to have you shut it down.

-
Eric F Crist
Secure Computing Networks

Re: temporary su login
Eric Crist wrote:
> I'm sure nobody will mention this, so I will. On most systems that support ACPI, your colo provider can simply press the power button on the front of your server. FreeBSD's kernel will pick up the signal and shut down cleanly. Once you're moved, they can press the same button to power the system on.
>
> There is *NO* need to give them login access to the box. Also, they could simply call you to have you shut it down.

.. many good ideas; thanks. I guess since they ask for an ip based mechanism that I'll create a special user in the operator group and do the chmod trick on shutdown.

--
Robin Becker

Re: temporary su login
Robin Becker wrote:
> Eric Crist wrote:
>> I'm sure nobody will mention this, so I will. On most systems that support ACPI, your colo provider can simply press the power button on the front of your server. FreeBSD's kernel will pick up the signal and shut down cleanly. Once you're moved, they can press the same button to power the system on.
>>
>> There is *NO* need to give them login access to the box. Also, they could simply call you to have you shut it down.
> .. many good ideas; thanks. I guess since they ask for an ip based mechanism that I'll create a special user in the operator group and do the chmod trick on shutdown.

In truth, I thought this was the worst idea of 'em all (sorry to whoever posted it...). Group operator can read all your disks - it was created in the days when there really was an operator who did stuff like backups. Put yourself in it by all means, but give that to a stranger? Not me...

To add to the solutions, you could create a user in group operator with a new ssh key that specifically executed shutdown, since you use ssh keys already. I'd still take it away the moment the box was moved. Or just set their shell to shutdown. But no general purpose login.

Also, on my system, shutdown already is in group operator, but maybe I just did it by hand and forgot.

10 -r-sr-x--- 1 root operator - 10200 Sep 30 2006 /sbin/shutdown*

--Alex

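One way to combine two suggestions from the replies above (sudo limited to a single command, and an ssh key that can only run shutdown), as an added example that is not from any poster in this thread. The account name colo, the script path /usr/local/sbin/shutdown-gate and the key placeholder are assumptions; the account is not a member of group operator.

```shell
#!/bin/sh
# shutdown-gate: forced command for a one-purpose ssh key (added example).
# Assumed names: account "colo", this file at /usr/local/sbin/shutdown-gate,
# sudo installed from ports under /usr/local.
#
# ~colo/.ssh/authorized_keys, one line (key material is a placeholder):
#   restrict,command="/usr/local/sbin/shutdown-gate run" ssh-ed25519 <PUBLIC-KEY> colo-move
#
# sudoers entry (edit with visudo) granting exactly one command line:
#   colo ALL=(root) NOPASSWD: /sbin/shutdown -p now

# Decide on the command the client asked for (sshd exports it as
# SSH_ORIGINAL_COMMAND). Only the exact word "shutdown" is accepted, so a
# bare login, extra arguments or shell metacharacters are all refused.
gate_decide() {
    case "$1" in
        shutdown) echo allow ;;
        *)        echo deny ;;
    esac
}

# Build the log line. Characters outside a small allowlist (newlines,
# quotes, semicolons, ...) become "?" so a request cannot forge log entries.
gate_logline() {
    clean=$(printf '%s' "$2" | tr -c 'A-Za-z0-9 ._/-' '?' | cut -c1-80)
    printf 'shutdown-gate: %s user=%s request="%s"' "$1" "$3" "$clean"
}

gate_main() {
    req=${SSH_ORIGINAL_COMMAND:-}
    verdict=$(gate_decide "$req")
    logger -p auth.notice "$(gate_logline "$verdict" "$req" "$(id -un)")"
    if [ "$verdict" != allow ]; then
        echo "this key may only request: shutdown" >&2
        return 1
    fi
    # Fixed argument list: nothing supplied by the client reaches root.
    exec /usr/local/bin/sudo -n /sbin/shutdown -p now
}

# Runs only when started as the forced command ("shutdown-gate run").
if [ "${1:-}" = run ]; then gate_main; fi
```

With this in place the holder of the key runs `ssh colo@host shutdown`; removing the authorized_keys line and the sudoers entry after the move withdraws the access.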