HPE Community
Operating System - HP-UX
1819836 Members
2721 Online
109607 Solutions
New Discussion юеВ

Re: How to lock shutdown and reboot commands??

 
Uttamkumar Dravidam
New Member

тАО10-25-2003 06:53 AM

тАО10-25-2003 06:53 AM

How to lock shutdown and reboot commands??

we have a very complex production environment. If sys admin accidentally shutdowns a production system, it's a big loss to the company . How do we lock shutdown and reboot command if a root executes in certain. I mean we can't shutdown the host between morning 6am to midnight. my plan to setup a daemon, if any one issues shutdown or reboot command, it should error out saying, Its not correct time to reboot, And if they have to reboot it, they have kill the daemon, and reboot.
Please let me know, if it's possible.
Thanks,
0 Kudos
Reply
10 REPLIES 10
Patrick Wallek
Honored Contributor

тАО10-25-2003 07:36 AM

тАО10-25-2003 07:36 AM

Re: How to lock shutdown and reboot commands??

The easiest thing I can think of is to rename the shutdown and reboot commands to shutdown.orig and reboot.orig. Then write a wrapper script called shutdown (and copy it to reboot) that, when invoked, looks at the time and if it is between 6AM and midnight then the echo a message "Can't shutdown now" and then does an 'exit 1'.

I would also stress educating the sys admins that shutdown/reboot is unacceptable during certain times. Also make everyone work from their own account. Only work from the root account when it is absolutely necessary. Setting up and usingi sudo can also help here.
0 Kudos
Reply
Christian Valet_2
Advisor

тАО10-27-2003 12:34 AM

тАО10-27-2003 12:34 AM

Re: How to lock shutdown and reboot commands??

The way we have fixed a similar problem here is by creating a user "shutdown" with the
shutdown program triggered inside the .profile. Also the /etc/shutdown.allow file was modified to allow only "shutdown" user to turn off the system.

You could also create your own script that
sudo (or su) to shutdown the system.

Regards,

Christian
"On two occasions, I have been asked [by members of Parliament], 'Pray, Mr. Babbage, if you put into the machine wrong figures,will the right answers come out?' -- Charles Babbage
0 Kudos
Reply
Uttamkumar Dravidam
New Member

тАО10-27-2003 12:50 AM

тАО10-27-2003 12:50 AM

Re: How to lock shutdown and reboot commands??

Hello folks,
How did you add in .profile, that makes easy solution. Can you please give that format.

Thanks,
0 Kudos
Reply
doug mielke
Respected Contributor

тАО10-27-2003 01:40 AM

тАО10-27-2003 01:40 AM

Re: How to lock shutdown and reboot commands??

we did the shutdown user for some of our customer sites, and didn't tell them of the account. We could then have them shutdown over the phone.


We made another user with user id of zero.

and just entered.

shutdown -y -r

as the last line of their user profile.
0 Kudos
Reply
doug mielke
Respected Contributor

тАО10-27-2003 01:41 AM

тАО10-27-2003 01:41 AM

Re: How to lock shutdown and reboot commands??

...and their home dir can't be a mounted filesystem, or add cd / to the profile before the shutdown command.
0 Kudos
Reply
R. Allan Hicks
Trusted Contributor

тАО10-27-2003 02:49 AM

тАО10-27-2003 02:49 AM

Re: How to lock shutdown and reboot commands??

We had a similar problem here. Our solution was not as elegant as the shutdown user.

We wrapped the shutdown command in a script and prompted for a password. The issue wasn't security as much as making sure that we weren't logged into the wrong machine. The password was the hostname in all cases.

A hacker wouldn't have trouble getting around it, but if it's 2:00 AM, you're 1/2 asleep and you think you are logged into machine A but you're really logged into machine B when you enter A for the password, you are politely turned away before you kill the wrong machine.
"Only he who attempts the absurd is capable of achieving the impossible
0 Kudos
Reply
A. Clay Stephenson
Acclaimed Contributor

тАО10-27-2003 10:53 AM

тАО10-27-2003 10:53 AM

Re: How to lock shutdown and reboot commands??

The fundamental problem with all of these hacks is that a patch could easily undo all your work by replacing your custom or wrappered commands with a newer version --- and you might not even know it.

The real solution to this problem is admin training and discipline. I don't care if it is 2AM there still needs to be checks to see if it is safe to shutdown.
If it ain't broke, I can fix that.
0 Kudos
Reply
Jeff Schussele
Honored Contributor

тАО10-27-2003 10:59 AM

тАО10-27-2003 10:59 AM

Re: How to lock shutdown and reboot commands??

Amen!
You can't fix stupid with a wrapper nor a patch.
If I've ever seen a need for training this is it.
If the problem is with mgmnt's hiring practices, well that *needs* to be addressed as well.

My 2 cents,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
0 Kudos
Reply
Bill Hassell
Honored Contributor

тАО10-27-2003 01:12 PM

тАО10-27-2003 01:12 PM

Re: How to lock shutdown and reboot commands??

The simple answer: TOO MANY ROOT USERS! No one should have the root password except aq designated senior sysadmin. Instead, install the sudo program and give privileges to specific users. If someone is testin g a daemon, they are not allowed to use the shutdown or reboot commands (see the files: shutdown.allow and shutdown.deny). I would go one step further and deny testing of any sort on a production machine. One mistake and your company loses a lot more money than the cost of a test box. Have the testing done on the test box then port the new code to production after a change-control review process.


Bill Hassell, sysadmin
0 Kudos
Reply
TommyT
Valued Contributor

тАО10-27-2003 11:23 PM

тАО10-27-2003 11:23 PM

Re: How to lock shutdown and reboot commands??

Hi!

You can do something like this.
See the attached file and modify it.

//Tommy
tompa
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.