[ Date Index ][
Thread Index ]
[ <= Previous by date /
thread ]
[ Next by date /
thread => ]
On Mon, 2002-12-16 at 21:42, David Johnson wrote:
psutton wrote:Hi I was chatting to a guy on yahoo the other day, he wants to set up rhl 7.3 so a user cannot change the root password, or shutdown the computer, I was under the impression that normal users can't change the root password anyway, but the second point they can as in the old linuxconf program somewhere there is a setting to say what users can do.rebooting/shutting down, that should be a case of just checking the permissions of "reboot" and "shutdown" so that only root can execute - I suspect they're in /sbin/.
Things are a little more complicated than this. On this (rh7.3) system
permissions for shutdown are listed as:
-rwxr-xr-x 1 root root 14380 Aug 29 2001 /sbin/shutdown
(i.e. all can execute) but I still can't run it as an ordinary user,
however I can still reboot and poweroff the machines using
/usr/bin/reboot and /usr/bin/poweroff (and use the gnome logout menu to
do this for me). These are actually just symlinks to consolehelper which
is a wrapper for userhelper that enables not-root users to call system
program via PAM.
The relevant files are all in /etc/pam.d one per program (alternatively
/etc/pam.conf the prescence of pam.d causes this to be overridden). As
standard rh7.3 allows any user to poweroff or reboot without any further
authentification as long as they are loged in and thier account is valid
(but doesn't allow them to run X-CD-Roast without giving the root
password - go figure!)
The relevant file (/etc/pam.d/poweroff[reboot]) looks like this
#%PAM-1.0
auth sufficient /lib/security/pam_rootok.so
auth required /lib/security/pam_console.so
#auth required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_permit.so
uncommenting the third line will prompt the user to give the root
password before it carries out the operation.
adding the line
auth required /lib/security/pam_wheel.so use_uid
will ensure that only members of the wheel group can do this. You will
have to create the wheel group and add the relevant users to it.
PAM also provides some additional measures to aid in the first question
as you can use it to ensure that only members of the wheel group can use
su.(see the line above (taken from /etc/pam.d/su) to see how to do this)
The file /etc/securetty lists the names of the ttys where root is
allowed to log in. If you remove/rename it root is effectively prevented
from logging in forcing people to use su.
Using these measures you can control who can change the root password
or do any other root only measures by restricting who can become root
and how i.e. only members of the wheel group by su'ing.
Linuxconf should be ditched - it doesn't work properly and never has.
Webmin is fine and Gnome provides various GUI tools that do some of the
jobs as I'm sure KDE does.
see also the following from the shutdown manpage on overriding
CTRL-ALT-DELETE
hth
Paul M.
ACCESS CONTROL
shutdown can be called from init(8) when the magic keys
CTRL-ALT-DEL are pressed, by creating an appropriate entry in
/etc/inittab. This means thateveryone who has physical access to the
console keyboard can shut the system down. To prevent this, shutdown
can check to see if an authorized user is logged in on one of the
virtual consoles. If shutdown is called with the -a argument(add
this to the invocation of shutdown in /etc/inittab), it checks to see
if the file /etc/shutdown.allow is present. It then compares the
login names in that file with the list of people that are logged in
on a virtual console (from /var/run/utmp). Only if one of those
authorized users or root is logged in, it will proceed. Otherwise it
will write the message
shutdown: no authorized users logged in
NB if you this with the measures outlined above make sure you put wheel
members at least in /etc/shutdown.allow or CTRL-ALT-DEL will never work
--
Paul M <paul@xxxxxxxxxx>
--
The Mailing List for the Devon & Cornwall LUG
Mail majordomo@xxxxxxxxxxxx with "unsubscribe list" in the
message body to unsubscribe.