On Thursday 13 Jan 2005 22:47, Tony Dietrich wrote:
> On Thursday 13 Jan 2005 22:30, Nick wrote:
> > I have the need to enable (and make work) the shutdown and halt
> > accounts. I set a password for these accounts and tried to use them and
> > got the expected "you must be root". A colleague pointed out that I might
> > need the CAP_SYS_BOOT capability turned on.
>
> Make the account you want to use for this purpose a member of the shutdown
> group. Set the shutdown program to allow g+x.
>

I forgot a step ... make root a member of group shutdown, then
#chown root.shutdown /sbin/shutdown
Make /sbin/shutdown read/write/exec owner only, read/exec for group shutdown.

> Add a line into the default shell rc for that user to shut the system down.
>
> As soon as the user logs in, the shell rc is read (before the prompt
> appears) and the shutdown will commence. Since the first thing a shutdown
> does is log users out ......
>
> > After an hour of Googling on
> > something that relates to CAP_SYS_BOOT but it wasn't very helpful.
> > I am not sure how widely used this is. If you do a man on
> > "capabilities" you will find some info, but not really enough to get you
> > going. There are a couple instructions which form a sort of API, but
> > that is it.
> >
> > Anyone have this working and can give me advice on it?
> >
> > For those of you who want to ask, why would you ever want to do this?
> >
> > The purpose of the built-in halt and shutdown accounts was originally
> > to give someone, you trust enough to be able to know when to shut down
> > the system, but not enough to let him log in, the ability to shut down a
> > server. A secondary function of these was a remote shutdown that didn't
> > require any thought on the user's part! You gave him/her the password and
> > said, "If you need to shut the machine down for any reason, telnet into
> > the machine with "this" account and it will shut itself down. In this
> > manner, you didn't have to give the user physical access to the server.
> >
> > Nix
> >
> > --
> > Nick Gray
> > Senior Systems Engineer
> > Bruzenak Inc
> > Office: 512-331-7998
> > Cell: 512-630-7009
>
> --
> Tony Dietrich
> -------------
> Xerox your lunch and file it under "sex offenders"!

--
Tony Dietrich
-------------
There are three ways to get something done:
(1) Do it yourself.
(2) Hire someone to do it for you.
(3) Forbid your kids to do it.
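
An added example, not part of the original thread: a check for whether a process actually holds the CAP_SYS_BOOT capability the question asks about, which is what the kernel tests when reboot(2) is called. It assumes the Linux /proc/<pid>/status field layout; the function names are hypothetical and the two sample status files are constructed.

```shell
#!/bin/sh
# Added example: does a process hold CAP_SYS_BOOT, the capability reboot(2) checks?
CAP_SYS_BOOT=22   # capability number from <linux/capability.h>

# cap_mask <status-file> <CapInh|CapPrm|CapEff|CapBnd>: print that set's hex mask.
cap_mask() {
    awk -v key="$2:" '$1 == key { print $2 }' "$1"
}

# mask_has_bit <hex-mask> <bit>: succeed when the bit is set in the mask.
mask_has_bit() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# boot_cap_sets <status-file>: list the capability sets that contain CAP_SYS_BOOT.
boot_cap_sets() {
    found=""
    for name in CapInh CapPrm CapEff CapBnd; do
        mask=$(cap_mask "$1" "$name")
        [ -n "$mask" ] || continue          # field missing: skip, do not guess
        if mask_has_bit "$mask" "$CAP_SYS_BOOT"; then
            found="$found${found:+ }$name"
        fi
    done
    printf '%s\n' "$found"
}

# can_reboot <status-file>: only the effective set is checked at call time.
can_reboot() {
    mask=$(cap_mask "$1" CapEff)
    [ -n "$mask" ] && mask_has_bit "$mask" "$CAP_SYS_BOOT"
}

# Constructed samples in /proc/<pid>/status format: a root shell, and an
# unprivileged login whose bounding set still allows CAP_SYS_BOOT.
sample_dir=$(mktemp -d)
printf 'Name:\tsh\nUid:\t0\t0\t0\t0\nCapInh:\t0000000000000000\nCapPrm:\t0000003fffffffff\nCapEff:\t0000003fffffffff\nCapBnd:\t0000003fffffffff\n' > "$sample_dir/root.status"
printf 'Name:\tsh\nUid:\t1001\t1001\t1001\t1001\nCapInh:\t0000000000000000\nCapPrm:\t0000000000000000\nCapEff:\t0000000000000000\nCapBnd:\t0000003fffffffff\n' > "$sample_dir/user.status"

for who in root user; do
    if can_reboot "$sample_dir/$who.status"; then verdict=yes; else verdict=no; fi
    echo "$who: CAP_SYS_BOOT effective=$verdict, present in: $(boot_cap_sets "$sample_dir/$who.status")"
done
```

Pointing `can_reboot` at `/proc/<pid>/status` of the login shell for the shutdown account shows whether that session carries the capability, independent of the file mode on /sbin/shutdown.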