[SLUG] shutdown: you must be root to do that!
Gavin Baker
gav at supercowpowers.org
Thu Aug 21 12:45:03 BST 2003
Q: How do you give permission to shutdown(8) the machine to regular
users?
Without patching the shutdown code to either link it to libpam or check
your UID/GID, there are 2 simple ways.
Option 1: SUID ROOT
On debian, a distro which hates setuid root anything, /sbin/shutdown's
default permissions are -rwxr-xr-x. If we make it setuid root
$ chmod u+s /sbin/shutdown (giving -rwsr-xr-x)
anyone and everyone can run /sbin/shutdown, and it will run as root. So
everyone can shutdown the machine (ouch).
If we only want users from a special group to be able to execute it, we
can just make it only executable by the owner and group
$ chmod g-wrx /sbin/shutdown (giving -rwsr-x---)
and then change the group owner to our special group. Debian has an adm
group, which seems appropriate. (but we could just create a new
shutdown, or wheel group of course).
$ chown root.adm /sbin/shutdown
-rwsr-x--- 1 root adm 16632 2002-05-28 12:27 /sbin/shutdown
So anyone we want to let shutdown the machine, we can just add to the
adm group.
$ adduser fred adm
Options 2: sudo
If you use sudo, then
fred ALL=(root) /sbin/shutdown
in your sudoers file would let the user fred run shutdown as root.
Without setuid root'ing anything! You can change "fred" for "%adm" or
"%shutdown" to indicate a member of that %group.
sudo logs everything and doesn't need you to change any file
permissions.
I guess the distro's that do allow anyone to shutdown the machine use
setuid root binaries. Not as elegant as sudo, but they both work.
Gav
(ps, based on a conversation with Al)
--
Gavin Baker <gav at supercowpowers.org>
More information about the Scarborough
mailing list