HPE Community
Operating System - HP-UX
1844565 Members
4230 Online
110233 Solutions
New Discussion

/sbin/shutdown and /sbin/init

 
SOLVED
Go to solution
Crystal_1
Frequent Advisor

‎06-20-2002 05:18 AM

‎06-20-2002 05:18 AM

/sbin/shutdown and /sbin/init

Hi,

I just found that the permissions for the two files are -r-xr-xr-x.

Does it mean all people can shutdwon the system?

CRYSTAL
0 Kudos
Reply
10 REPLIES 10
T G Manikandan
Honored Contributor

‎06-20-2002 05:23 AM

‎06-20-2002 05:23 AM

Solution

Re: /sbin/shutdown and /sbin/init

hello,
If you make an entry in the /etc/shutdown.allow file then the user can shutdown the system.

Now if you shutdown as normal user it will give a message

"Must be root to shutdown"

only super user root can shutdown

Thanks
Reply
Tim D Fulford
Honored Contributor

‎06-20-2002 05:24 AM

‎06-20-2002 05:24 AM

Re: /sbin/shutdown and /sbin/init

No

shutdown is controlled by shutdown.allow

I'm fairly sure init makes kernel calls which the average user is not allowed to do.

Tim
-
0 Kudos
Reply
Pete Randall
Outstanding Contributor

‎06-20-2002 05:24 AM

‎06-20-2002 05:24 AM

Re: /sbin/shutdown and /sbin/init

Only if they are list in /etc/shutdown.allow

Pete

Pete
0 Kudos
Reply
Stefan Farrelly
Honored Contributor

‎06-20-2002 05:25 AM

‎06-20-2002 05:25 AM

Re: /sbin/shutdown and /sbin/init


No. Shutdown does extra checking to ensure only a superuser can run it. Try it as a non root user and you will see.

The permissions on /sbin/shutdown should actually be 04555. You can verify this by doing;

swlist -a mode -l file|grep "/sbin/shutdown"

And it returns 04555 (at least on my 11.0 box it does).

/sbin/init should indeed be permission 0555.



Im from Palmerston North, New Zealand, but somehow ended up in London...
Reply
PIYUSH D. PATEL
Honored Contributor

‎06-20-2002 05:27 AM

‎06-20-2002 05:27 AM

Re: /sbin/shutdown and /sbin/init

Hi,

See the owner and group of these files. Owner will be root and group will be sys. Hence all the users cannot execute.

If you make an entry in /etc/shutdown.allow then the users can shutdown the machine.

Piyush
0 Kudos
Reply
Crystal_1
Frequent Advisor

‎06-20-2002 05:28 AM

‎06-20-2002 05:28 AM

Re: /sbin/shutdown and /sbin/init

Hey guys,

This setting is by default. I have checked several boxes, they are the same settings.

CRYSTAL
0 Kudos
Reply
Crystal_1
Frequent Advisor

‎06-20-2002 05:35 AM

‎06-20-2002 05:35 AM

Re: /sbin/shutdown and /sbin/init

/sbin/shutdown has extra checking. How about init and reboot?

I did check /usr/sbin/swlist -a mode -l file | grep "/sbin/shutdown" and it is 04555.

Does a regular user can run reboot or init?

0 Kudos
Reply
PIYUSH D. PATEL
Honored Contributor

‎06-20-2002 05:52 AM

‎06-20-2002 05:52 AM

Re: /sbin/shutdown and /sbin/init

Hi,

A regular user cannot execute init or reboot.

It will give an error - "Must be a Super-User"

Give an ls -al /sbin/init and see the owner and group for this file.

The owner of these files is root and the group is sys. So only the user root or any other users in the group sys can execute these commands.

Piyush

Reply
PIYUSH D. PATEL
Honored Contributor

‎06-20-2002 06:00 AM

‎06-20-2002 06:00 AM

Re: /sbin/shutdown and /sbin/init

Hi Crystal,

Even reboot will tell you " Permission denied" when executed by any other user except root.

If all the users will have the previledge to use the shutdown/init/reboot commands then we system admins may have a "TOUGH TIME" !!!

Piyush
0 Kudos
Reply
Steven Sim Kok Leong
Honored Contributor

‎08-07-2002 02:30 AM

‎08-07-2002 02:30 AM

Re: /sbin/shutdown and /sbin/init

Hi,

If an abnormal channel of access to /sbin/shutdown is exploited, with the setuid bit set, the shutdown binary is exposed to potential buffer overflows even though none has been discovered yet (as far as I can recall i.e. I have not done a thorough search for buffer overflow vulnerabilities on the shutdown binary). Thus, the security principle of least privileges tells us that such risks should be mitigated where possible, which is dependent on whether the configuration without setuid bits set is supported by HP.

Hope this helps. Regards.

Steven Sim Kok Leong
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.