Operating System - HP-UX

Is it possible to give a user shutdown/reboot perms via sudo?

 
SOLVED
Stacey Akerstrom
Frequent Advisor

I have a user 'telcom' that should be allowed to shut down and reboot, using sudo 1.6.6.
Although I'm specifying no passwd in the sudo file, I'm still being prompted for a password.
Here's the telcom specific entry:
TELCOM ALL = NOPASSWD: KILL,LPSTAT,CLEAR,FIND,LS,IPCS,IPCRM,CANCEL,PASSWD,LPADMIN

I can only guess that I've added this incorrectly, or I've left out something else.

Thanks-
Stace
Patrick Wallek
Honored Contributor

Re: Is it possible to give a user shutdown/reboot perms via sudo?

Sudo should work, but it can be done without sudo as well. Add the user to the /etc/shutdown.allow file and that user can then shut down the system.
Stacey Akerstrom
Frequent Advisor

Re: Is it possible to give a user shutdown/reboot perms via sudo?

Patrick, we really prefer to implement sudo rather than just adding to shutdown.allow, primarily because there are other limited commands we want certain users to be able to run.
However, I'm being prompted for a password, which is what I'm trying to get around.
Any ideas?
Thanks!
Jeff Schussele
Honored Contributor

Re: Is it possible to give a user shutdown/reboot perms via sudo?

Hi Stacey,

That's thin ice you're walking on.
If a normal user discovered that they can sudo/shutdown w/o a PW......well I wouldn't want to think about that.
The user should be added to shutdown.allow at most as Patrick points out & then you'd at least have a sudo log to *try* to determine who shutdown the system as long as you don't allow direct logins as telcom.
BUT if you have multiple people allowed to su to telcom, then you might never be able to definitively determine just who ran the shutdown - just candidates. If direct logins are allowed - all you'll have is IPs at best.

I'm a firm believer that VERY destructive utils should be root-only - not even sudo should be allowed & I can't think of a more destructive util than shutdown - except for maybe
rm -rf /

My $0.02,
Jeff

PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
James A. Donovan
Honored Contributor

Re: Is it possible to give a user shutdown/reboot perms via sudo?

Do any of the command aliases you've listed here actually contain a reference to /usr/sbin/shutdown? Just judging by their names, I wouldn't think so.

Otherwise, as long as the user you are logged in as is a member of the TELCOM User_Alias, what you've written here looks correct.
Remember, wherever you go, there you are...
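
The check suggested in the reply above (does any Cmnd_Alias in the NOPASSWD rule actually contain /usr/sbin/shutdown?) can be done mechanically. The following is an added example, not part of the thread or of sudo: a simplified sudoers reader that assumes one-line rules with no Runas lists, negation, wildcards or command arguments. The alias definitions are constructed, because the thread shows only the rule line.

```python
import re

# Constructed sample: only the shape of the TELCOM rule and /usr/sbin/shutdown
# come from the thread; alias bodies and other paths are assumptions.
SAMPLE_SUDOERS = """\
User_Alias TELCOM = telcom
Cmnd_Alias KILL = /usr/bin/kill
Cmnd_Alias LPSTAT = /usr/bin/lpstat
TELCOM ALL = NOPASSWD: KILL,LPSTAT
"""
# Hypothetical variant: shutdown granted by an untagged rule (password required).
WITH_SHUTDOWN = SAMPLE_SUDOERS + """\
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
TELCOM ALL = SHUTDOWN
"""

def parse(text):  # -> (user aliases, command aliases, rules)
    users, cmnds, rules = {}, {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"(User_Alias|Cmnd_Alias)\s+(\w+)\s*=\s*(.+)", line)
        if m:
            table = users if m.group(1) == "User_Alias" else cmnds
            table[m.group(2)] = [i.strip() for i in m.group(3).split(",")]
            continue
        m = re.match(r"(\S+)\s+\S+\s*=\s*(.+)", line)  # who host = spec
        if m:
            rules.append((m.group(1), m.group(2)))
    return users, cmnds, rules

def check(text, user, command):
    """Return 'denied', 'password' or 'nopasswd' for user running command."""
    users, cmnds, rules = parse(text)
    verdict = "denied"
    for who, spec in rules:
        if user != who and user not in users.get(who, []):
            continue
        nopasswd = False  # a password is required unless NOPASSWD is set
        for item in spec.split(","):
            m = re.match(r"\s*(NOPASSWD|PASSWD):\s*(.*)", item)
            if m:  # a tag applies to the commands that follow it
                nopasswd, item = m.group(1) == "NOPASSWD", m.group(2)
            item = item.strip()
            if item == "ALL" or command in cmnds.get(item, [item]):
                verdict = "nopasswd" if nopasswd else "password"  # last match wins
    return verdict

if __name__ == "__main__":
    print(check(SAMPLE_SUDOERS, "telcom", "/usr/sbin/shutdown"))
```

On a live system, running `sudo -l` as the user shows what sudo itself resolves from the real sudoers file.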
Stacey Akerstrom
Frequent Advisor

Re: Is it possible to give a user shutdown/reboot perms via sudo?

Jeff-
My bad, I didn't explain myself very well.
This user telcom is the *only* user (other than root, of course) that I want to allow to shutdown/reboot. They wouldn't be su'ing, I only did it that way because I was too lazy to go ask someone what the telcom passwd was.
The reason I don't want to add telcom to shutdown.allow, is that I wouldn't be able to trace who did the shutdown/reboot, whereas if they do it via sudo, it will get logged.
Jeff Schussele
Honored Contributor

Re: Is it possible to give a user shutdown/reboot perms via sudo?

Hi Stacey,

I understand, but even with an su there would still be a log - see /etc/shutdownlog.
This will record the *true* user that ran it.
IF you use su to gain root - and you should - take a look in there & you'll see what I mean.

HTH,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Stacey Akerstrom
Frequent Advisor

Re: Is it possible to give a user shutdown/reboot perms via sudo?

The powers-that-be will not go for allowing telcom to su to root, hence the need for sudo.
Jeff Schussele
Honored Contributor
Solution

Re: Is it possible to give a user shutdown/reboot perms via sudo?

No - the user(s) su to telcom - telcom is in shutdown.allow & then they issue the shutdown command.
I think the thought that you want to do this w/o a PW is the very dangerous part of this process. One should always HAVE to issue a PW to get to this "power" level.

Rgds,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!