Re: Halt user, Shutdown user and CAP_SYS_BOOT

On Thursday 13 Jan 2005 22:47, Tony Dietrich wrote:
> On Thursday 13 Jan 2005 22:30, Nick wrote:
> > I have the need to enable (and make work) the shutdown and halt
> > accounts. I set a password for these accounts and tried to use them and
> > got the expected "you must be root". A colleague pointed out that I might
> > need the CAP_SYS_BOOT capability turned on.
>
> Make the account you want to use for this purpose a member of the shutdown
> group. Set the shutdown program to allow g+x.
>
I forgot a step ... make root a member of group shutdown, then
#chown root.shutdown /sbin/shutdown

Make /sbin/shutdown read/write/exec owner only, read/exec for group shutdown.

> Add a line into the default shell rc for that user to shut the system down.
>
> As soon as the user logs in, the shell rc is read (before the prompt
> appears) and the shutdown will commence.  Since the first thing a shutdown
> does is log users out ......
>
> > After an hour of Googling on
> > something that relates to CAP_SYS_BOOT but it wasn't very helpful.
> > I am not sure how widely used this is. If you do a man on
> > "capabilities" you will find some info, but not really enough to get you
> > going. There are a couple instructions which form a sort of API, but
> > that is it.
> >
> > Anyone have this working and can give me advice on it
> >
> > For those of you who want to ask, why would you ever want to do this?
> >
> > The purpose of the built-in halt and shutdown accounts were originally
> > to give someone, you trust enough to be able to know when to shutdown
> > the system, but not enough to let him login, the ability to shut down a
> > server. A secondary function of these was a remote shutdown that didn't
> > require any thought on the user's part! You gave him/her the password and
> > said, "If you need to shut the machine down for any reason, telnet into
> > the machine with "this" account and it will shut itself down. In this
> > manner, you didn't have to give the user physical access to the server.
> >
> >
> >
> > Nix
> >
> > --
> > Nick Gray
> > Senior Systems Engineer
> > Bruzenak Inc
> > Office: 512-331-7998
> > Cell: 512-630-7009
>
> --
> Tony Dietrich
> -------------
> Xerox your lunch and file it under "sex offenders"!

-- 
Tony Dietrich
-------------
There are three ways to get something done:
	(1) Do it yourself.
	(2) Hire someone to do it for you.
	(3) Forbid your kids to do it.
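
An added example, not part of either poster's message: shell helpers that check whether a file has the owner, group and mode described in the reply above (read here as root:shutdown, mode 750) and whether a process's effective capability set in /proc/<pid>/status includes CAP_SYS_BOOT (bit 22). The function names are assumptions made for this example, and it relies on GNU stat and Linux /proc.

```shell
#!/bin/sh
# Added example: audit helpers for the setup discussed in this thread.
# All function names are hypothetical.
CAP_SYS_BOOT_BIT=22   # value of CAP_SYS_BOOT in <linux/capability.h>

# has_cap_sys_boot HEXMASK: exit 0 if bit 22 is set in a CapEff-style hex mask,
# 1 if it is clear, 2 if the argument is not a hex string.
has_cap_sys_boot() {
    mask=$(printf '%s' "$1" | tr -d '[:space:]')
    case "$mask" in ''|*[!0-9a-fA-F]*) return 2 ;; esac
    [ $(( (0x$mask >> $CAP_SYS_BOOT_BIT) & 1 )) -eq 1 ]
}

# cap_eff_of PID: print the effective capability mask of a process.
cap_eff_of() {
    awk '$1 == "CapEff:" { print $2 }' "/proc/$1/status" 2>/dev/null
}

# perms_match PATH OWNER GROUP MODE: exit 0 if owner, group and octal mode
# all match. -L follows symlinks so the real binary is inspected.
perms_match() {
    actual=$(stat -L -c '%U %G %a' "$1" 2>/dev/null) || return 2
    [ "$actual" = "$2 $3 $4" ]
}

# audit_shutdown [PATH]: report on the layout from the thread and on whether
# the calling shell itself holds CAP_SYS_BOOT.
audit_shutdown() {
    bin=${1:-/sbin/shutdown}
    if perms_match "$bin" root shutdown 750; then
        echo "$bin: root:shutdown 750"
    else
        echo "$bin: differs, found: $(stat -L -c '%U %G %a' "$bin" 2>/dev/null)"
    fi
    if has_cap_sys_boot "$(cap_eff_of $$)"; then
        echo "pid $$: CAP_SYS_BOOT present in CapEff"
    else
        echo "pid $$: CAP_SYS_BOOT absent from CapEff"
    fi
}

audit_shutdown "$@"
```

Run it as the account in question to see both the file permissions and the capability set that account's shell actually has.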

