
Sunday, December 12, 2004

Tips about shutting down Debian

It's easy to activate the shutdown option in the KDE logout menu: just use kdm as the login manager and allow shutdown by normal users. Of course, normal users must first be able to shut down, and unfortunately that isn't the default setting on Debian.
I understand it's stupid for a server administrator to allow normal users to shut down. But for desktop users, only being allowed to return to gdm, or having to sudo every time to shut down, is a stupid idea. To allow a normal user to shut down, follow these instructions:
Q: How do you give permission to shutdown(8) the machine to regular users?
Without patching the shutdown code to either link it to libpam or check your UID/GID, there are 2 simple ways.
Option 1: SUID ROOT
On Debian, a distro which hates setuid root anything, /sbin/shutdown's default permissions are -rwxr-xr-x. If we make it setuid root
$ chmod u+s /sbin/shutdown (giving -rwsr-xr-x)
anyone and everyone can run /sbin/shutdown, and it will run as root. So everyone can shut down the machine (ouch).
If we only want users from a special group to be able to execute it, we can just make it only executable by the owner and group
$ chmod o-rwx /sbin/shutdown (giving -rwsr-x---)
and then change the group owner to our special group. Debian has an adm group, which seems appropriate (but we could just create a new shutdown or wheel group, of course).
$ chown root:adm /sbin/shutdown
-rwsr-x--- 1 root adm 16632 2002-05-28 12:27 /sbin/shutdown
So anyone we want to let shutdown the machine, we can just add to the adm group.
$ adduser fred adm
Option 2: sudo
If you use sudo, then
fred ALL=(root) /sbin/shutdown
in your sudoers file would let the user fred run shutdown as root. Without setuid root'ing anything! You can change "fred" for "%adm" or "%shutdown" to indicate a member of that %group.
sudo logs everything and doesn't need you to change any file permissions.
I guess the distros that do allow anyone to shut down the machine use setuid root binaries. Not as elegant as sudo, but they both work.
Gav
(ps, based on a conversation with Al)
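
The permission states described under Option 1 can be checked from the same ls-style mode strings the post shows. This is an added example, not part of the original post; the function names mode_of, exposure and audit are made up here, and the script only reads `ls -ld` output without changing anything.

```shell
#!/bin/sh
# Added example (not from the original post): report who can run a setuid file,
# using the mode strings the post shows (-rwsr-xr-x, -rwsr-x---).

# mode_of FILE: print the 10-character mode string, e.g. -rwsr-x---
mode_of() {
    ls -ld -- "$1" | cut -c1-10
}

# exposure MODE: print who runs the file with its owner's privileges
exposure() {
    u=$(printf '%s' "$1" | cut -c4)    # owner execute slot: s/S means setuid
    g=$(printf '%s' "$1" | cut -c7)    # group execute slot
    o=$(printf '%s' "$1" | cut -c10)   # other execute slot
    case "$u" in
        s|S) ;;
        *) echo "not-setuid"; return 0 ;;
    esac
    case "$g$o" in
        [xs][xt]) echo "everyone" ;;
        [xs]?)    echo "group-only" ;;
        # The group class is checked before "other", so group members are
        # denied while every other account can still run the file.
        ?[xt])    echo "everyone-except-group" ;;
        *)        echo "owner-only" ;;
    esac
}

# audit FILE: print "MODE OWNER:GROUP EXPOSURE" on one line
audit() {
    m=$(mode_of "$1")
    og=$(ls -ld -- "$1" | awk '{print $3 ":" $4}')
    echo "$m $og $(exposure "$m")"
}

# Report on the binary the post discusses, if it exists on this system.
if [ -e /sbin/shutdown ]; then
    audit /sbin/shutdown
fi
```

On Linux, chown clears the setuid bit when the owner or group of an executable changes, so run the check again after the chown step. A mode such as -rws---r-x, reported as everyone-except-group, is what clearing the group bits instead of the other bits leaves behind.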

3 comments:

Kunal Gangar said...

hi u hv a cool blog. I liked ur sites layout & ur sidemenu is also nice. If u can gimme d code of ur sidebar toggling. It wud b very grateful.

My blog: http://techticker.blogspot.com
email: kunalmg'at'gmail.com

Li-Zhao 李钊 said...

thanks, u have a very good blog too. :-)

To add a sidemenu as mine, just insert the three lines in ur HTML source and config ssmitems. very easy.




so, u can download the menu source from:
http://www.geocities.com/sg_lizhao/ssmitems.css
http://www.geocities.com/sg_lizhao/ssm.js
http://www.geocities.com/sg_lizhao/ssmitems.js

Li-Zhao 李钊 said...

sorry, i missed the three lines to be inserted. :-o

they are:

<link rel="stylesheet" href="http://www.geocities.com/sg_lizhao/ssmitems.css" type="text/css" />
<script src="http://www.geocities.com/sg_lizhao/ssm.js" type="text/javascript"></script>
<script src="http://www.geocities.com/sg_lizhao/ssmitems.js" type="text/javascript"></script>