This works.

cd /usr/src/selinux-src && cp shutdown /usr/sbin/
chown shutdown:root /usr/sbin/shutdown
chmod 750 /usr/sbin/shutdown
chmod 4760 /sbin/shutdown
usermod -s /usr/sbin/shutdown
usermod -d /usr/sbin
usermod -l reboot -s /usr/sbin/reboot -d /usr/sbin halt
cp reboot /usr/sbin/
chown shutdown:root /usr/sbin/reboot
chmod 750 /usr/sbin/reboot

AND a cat of /usr/sbin/shutdown is

#!/bin/bash
/sbin/shutdown -h now

AND a cat of /usr/sbin/reboot is

#!/bin/bash
/sbin/shutdown -r now

On Thu, 2005-01-13 at 22:57 +0000, Tony Dietrich wrote:
> On Thursday 13 Jan 2005 22:47, Tony Dietrich wrote:
> > On Thursday 13 Jan 2005 22:30, Nick wrote:
> > > I have the need to enable (and make work) the shutdown and halt
> > > accounts. I set a password for these accounts and tried to use them and
> > > got the expected "you must be root". A colleague pointed out that I might
> > > need the CAP_SYS_BOOT capability turned on.
> >
> > Make the account you want to use for this purpose a member of the shutdown
> > group. Set the shutdown program to allow g+x.
> >
> I forgot a step ... make root a member of group shutdown, then
> #chown root.shutdown /sbin/shutdown
>
> Make /sbin/shutdown read/write/exec owner only, read/exec for group shutdown.
>
> > Add a line into the default shell rc for that user to shut the system down.
> >
> > As soon as the user logs in, the shell rc is read (before the prompt
> > appears) and the shutdown will commence. Since the first thing a shutdown
> > does is log users out ......
> >
> > > After an hour of Googling on
> > > something that relates to CAP_SYS_BOOT but it wasn't very helpful.
> > > I am not sure how widely used this is. If you do a man on
> > > "capabilities" you will find some info, but not really enough to get you
> > > going. There are a couple instructions which form a sort of API, but
> > > that is it.
> > >
> > > Anyone have this working and can give me advice on it?
> > >
> > > For those of you who want to ask, why would you ever want to do this?
> > >
> > > The purpose of the built-in halt and shutdown accounts were originally
> > > to give someone, you trust enough to be able to know when to shutdown
> > > the system, but not enough to let him login, the ability to shut down a
> > > server. A secondary function of these was a remote shutdown that didn't
> > > require any thought on the user's part! You gave him/her the password and
> > > said, "If you need to shut the machine down for any reason, telnet into
> > > the machine with "this" account and it will shut itself down." In this
> > > manner, you didn't have to give the user physical access to the server.
> > >
> > >
> > >
> > > Nix
> > >
> > > --
> > > Nick Gray
> > > Senior Systems Engineer
> > > Bruzenak Inc
> > > Office: 512-331-7998
> > > Cell: 512-630-7009
> >
> > --
> > Tony Dietrich
> > -------------
> > Xerox your lunch and file it under "sex offenders"!
>
> --
> Tony Dietrich
> -------------
> There are three ways to get something done:
> (1) Do it yourself.
> (2) Hire someone to do it for you.
> (3) Forbid your kids to do it.
>
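
A check for the permission layout discussed in this thread, as an added example that is not part of any poster's message: it decodes an octal mode and reports where it departs from the target stated in the quoted reply (read/write/exec for the owner, read/exec for the group, nothing for others). The function names, the finding labels and the use of GNU `stat -c` are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Compares an octal file mode with the
# target given in the quoted reply: rwx for the owner, r-x for the group,
# nothing for others (750), with or without the setuid bit.

# mode_findings MODE: print "setuid" when that bit is set, then one label
# per deviation from the target. Prints nothing for a plain 750.
mode_findings() {
    case $1 in
        ''|*[!0-7]*) echo "invalid-mode"; return 2 ;;
    esac
    m=$((0$1))                      # leading 0 makes the shell parse octal
    if [ $((m & 04000)) -ne 0 ]; then echo "setuid"; fi
    if [ $((m & 0700)) -ne $((0700)) ]; then echo "owner-not-rwx"; fi
    if [ $((m & 0020)) -ne 0 ]; then echo "group-writable"; fi
    if [ $((m & 0010)) -eq 0 ]; then echo "group-not-executable"; fi
    if [ $((m & 0007)) -ne 0 ]; then echo "other-access"; fi
    return 0
}

# audit_path FILE GROUP: read the live mode and group of FILE and check them.
# Assumes GNU coreutils stat (-c); GROUP is the group expected to own FILE.
audit_path() {
    info=$(stat -c '%a %G' -- "$1") || return 2
    mode=${info%% *}
    group=${info#* }
    echo "$1: mode=$mode group=$group"
    if [ "$group" != "$2" ]; then echo "group-mismatch"; fi
    mode_findings "$mode"
}

# The two modes that appear in the thread's chmod commands, decoded offline.
for mode in 4760 750; do
    echo "mode $mode: $(mode_findings "$mode" | tr '\n' ' ')"
done
# On a live system (path and group as used in the thread):
#   audit_path /sbin/shutdown shutdown
```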