Friday, June 20, 2003

Allowing non-root users to shutdown a Linux box.

1. As root create a group shutdown.
#addgroup shutdown

2. Put /sbin/shutdown into the group shutdown.
#chown root.shutdown /sbin/shutdown

3. Change accessrights to make /sbin/shutdown setuid and disallow
other users from executing shutdown.
#chmod 4754 /sbin/shutdown

4. Make a link from /bin/shutdown to /sbin/shutdown
#ln -s /sbin/shutdown /bin/shutdown

Now anyone belonging to the group shutdown can execute shutdown but I just will
allow the person in control of the keyboard to be able to issue the shutdown
command. You might prefer something else.

For the following to work you need to have "shadow password" installed but I
believe most have it.

5. Edit the file login.defs. Near the end of this file locate the line
#CONSOLE_GROUPS floppy:audio:cdrom
Remove the hashsign and add the group shutdown to this line and you get:
CONSOLE_GROUPS floppy:audio:cdrom:shutdown

Thats it. Everyone logged in via the console will belong to these groups so
you need not add anyone to them. I believe this is better than to just add
users to the group shutdown.

No comments: