Hi folks.

I want to enable a user to login, and after successful login the system reboots.

I tried out the following:
- creating a user
- in ~/.profile I put "sudo /sbin/reboot"
- with visudo I defined "<username> ALL: NOPASSWD: /sbin/reboot"

but this won't work. Am I missing something or am I totally on the wrong way?

thx.
Stephan

On Thursday 10 January 2002 23:39, you wrote:
> Hi folks.
>
> I want to enable a user to login, and after successful login the system reboots.

I shall not ask why you want that..... Is he a good friend of yours?

> I tried out the following:
> - creating a user
> - in ~/.profile I put "sudo /sbin/reboot"
> - with visudo I defined "<username> ALL: NOPASSWD: /sbin/reboot"
>
> but this won't work.
> Am I missing something or am I totally on the wrong way?

I suggest you change the user's login shell to /sbin/reboot (in /etc/passwd). But I've never tried that.

> thx. Stephan
> --
> To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
> For additional commands, e-mail: suse-security-help@suse.com

regards,
Huge

On Thu, 10 Jan 2002 23:53:02 +0100 Huge Rademaker <cert-security@rademaker-42.myweb.nl> wrote:
> On Thursday 10 January 2002 23:39, you wrote:
> > Hi folks.
> >
> > I want to enable a user to login, and after successful login the system reboots.
>
> I shall not ask why you want that..... Is he a good friend of yours?
>
> > I tried out the following:
> > - creating a user
> > - in ~/.profile I put "sudo /sbin/reboot"
> > - with visudo I defined "<username> ALL: NOPASSWD: /sbin/reboot"
> >
> > but this won't work.
> > Am I missing something or am I totally on the wrong way?
>
> I suggest you change the user's login shell to /sbin/reboot (in /etc/passwd). But I've never tried that.

And, of course you will need to set his UID to 0 in /etc/passwd

--
Have fun
Peter Nixon - nix@susesecurity.com
SuSE Security FAQ Maintainer
http://www.susesecurity.com/faq/
"If you think cryptography will solve the problem, then you don't understand cryptography and you don't understand your problem."

-----Original Message-----
From: Peter Nixon [mailto:nix@susesecurity.com]
Sent: Friday, 11 January 2002 18:35
To: SuSE Security
Subject: Re: [suse-security] creating a normal user just for reboot

> > I suggest you change the user's login shell to /sbin/reboot (in /etc/passwd). But I've never tried that.
>
> And, of course you will need to set his UID to 0 in /etc/passwd

Is this necessary? I engaged him to run the reboot with the entry in the sudoers-file. Isn't that enough? Is there no other way than giving him complete root-rights?

Stephan

Hi,

(plz send it to the list if it works, thx)

my resolution is to give the reboot program as the shell... untested, but I think it must work:

    # Adds a user "reboot" with UID 0, GID 0, shell /sbin/reboot
    export HOMEDIR="/home/reboot"
    useradd -u 0 -o -g 0 -d "$HOMEDIR" -s /sbin/reboot -c "Reboot User" reboot
    install -d -g 0 -o 0 -m 500 "$HOMEDIR"
    passwd reboot
    export -n HOMEDIR

so long...
Kai
EOT

----- Original Message -----
From: "Peter Nixon" <nix@susesecurity.com>
To: "SuSE Security" <suse-security@suse.com>
Sent: Friday, January 11, 2002 6:34 PM
Subject: Re: [suse-security] creating a normal user just for reboot

> On Thu, 10 Jan 2002 23:53:02 +0100 Huge Rademaker <cert-security@rademaker-42.myweb.nl> wrote:
> > On Thursday 10 January 2002 23:39, you wrote:
> > > Hi folks.
> > >
> > > I want to enable a user to login, and after successful login the system reboots.
> >
> > I shall not ask why you want that..... Is he a good friend of yours?
> >
> > > I tried out the following:
> > > - creating a user
> > > - in ~/.profile I put "sudo /sbin/reboot"
> > > - with visudo I defined "<username> ALL: NOPASSWD: /sbin/reboot"
> > >
> > > but this won't work.
> > > Am I missing something or am I totally on the wrong way?
> >
> > I suggest you change the user's login shell to /sbin/reboot (in /etc/passwd). But I've never tried that.
>
> And, of course you will need to set his UID to 0 in /etc/passwd
>
> --
> Have fun
> Peter Nixon - nix@susesecurity.com
> SuSE Security FAQ Maintainer
> http://www.susesecurity.com/faq/
> "If you think cryptography will solve the problem, then you don't understand cryptography and you don't understand your problem."

* Kai-H. Weutzing wrote on Sat, Jan 12, 2002 at 07:56 +0100:
> useradd -u 0 -o -g 0 -d $HOMEDIR -s /sbin/reboot -c "Reboot User" reboot

I guess this will fail with "UID 0 is not unique".

BTW, I would prefer sudo a lot!

I did a similar thing once upon a time ago, but it was a dirty hack :) I did this: (pseudo-shell code :))

    useradd -m reboot
    chown -R reboot:root ~reboot
    chmod -R 700 ~reboot
    cp `which reboot` ~reboot/reboot    # or hard-link?
    chmod o=x ~reboot/reboot
    chmod +s ~reboot/reboot
    echo "~reboot/reboot" > ~reboot/.profile
    echo "exit" >> ~reboot/.profile

After that, only root and reboot can reach ~reboot. Only they can launch the setuid root binary reboot. Well, I had some wrapper around this ("are you sure...." ; w... ). It worked. I limited to local console only. Then I put a sign with the account information so that everybody is able to shutdown (since otherwise everybody would press power button). Finally I found it easier to use CTRL-ALT-DEL :)

[...63 lines cut...]

oki,
Steffen
--
This letter was generated by machine and therefore bears neither signature nor seal.

-----Original Message-----
From: Steffen Dettmer [mailto:steffen@dett.de]
Sent: Saturday, 12 January 2002 17:02
To: suse-security@suse.com
Subject: Re: [suse-security] creating a normal user just for reboot

> * Kai-H. Weutzing wrote on Sat, Jan 12, 2002 at 07:56 +0100:
> > useradd -u 0 -o -g 0 -d $HOMEDIR -s /sbin/reboot -c "Reboot User" reboot
>
> I guess this will fail with "UID 0 is not unique".
>
> BTW, I would prefer sudo a lot!

Me too! That's why I put this user in the sudoers, but it won't work (this was my original question *g*). How do I have to do this / what did I do wrong?

Stephan

Hi List,

On Sat, Jan 12, 2002 at 05:55:30PM +0100, OKDesign oHG Security Administrator wrote:
> From: Steffen Dettmer [mailto:steffen@dett.de]
> > * Kai-H. Weutzing wrote on Sat, Jan 12, 2002 at 07:56 +0100:
> > > useradd -u 0 -o -g 0 -d $HOMEDIR -s /sbin/reboot -c "Reboot User" reboot
> >
> > I guess this will fail with "UID 0 is not unique".
> >
> > BTW, I would prefer sudo a lot!
>
> Me too! That's why I put this user in the sudoers, but it won't work (this was my original question *g*). How do I have to do this / what did I do wrong?

I did the same thing on my home system. I have a special user for stopping the system. It is in a group by its own and has a uid different from 0. I just created a simple bash script that executes

    /usr/bin/sudo /sbin/shutdown -n now

and I put that user in /etc/sudoers as

    systhalt ALL=(ALL) NOPASSWD:/sbin/shutdown -h now

I would guess shutdown -r now should work as well for reboot. I'm not sure how secure the shell script part is, but as this user doesn't have special rights except to shutdown the system with sudo, it is safe enough for me.

HTH,
Frederik

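Added example, not part of the thread: the sudo route discussed above, staged under a scratch directory with the rule form `user host = (runas) NOPASSWD: command` next to the line from the original post. When a sudoers entry lists arguments, sudo only allows that exact command line, so the login script and the rule use the same one; the account name `rebootuser`, the file names and the staging layout are assumptions.

```shell
#!/bin/sh
# Added example: sudoers drop-in plus login script for a reboot-only account.
# Assumed names (not from the thread): rebootuser, reboot-login, the staging layout.

# Line from the original post: ":" stands where sudoers expects "=".
BROKEN_RULE='rebootuser ALL: NOPASSWD: /sbin/reboot'

# Print a rule that permits exactly one command line, run as root, for user $1.
reboot_rule() {
    printf '%s ALL = (root) NOPASSWD: /sbin/shutdown -r now\n' "$1"
}

# Write the drop-in and the login script for user $1 below directory $2.
stage_reboot_account() {
    user=$1 dir=$2
    mkdir -p "$dir/sudoers.d" "$dir/sbin" || return 1
    reboot_rule "$user" > "$dir/sudoers.d/reboot-$user" || return 1
    chmod 0440 "$dir/sudoers.d/reboot-$user"
    # Absolute paths only; exec replaces the shell, so nothing is left to escape to.
    cat > "$dir/sbin/reboot-login" <<'EOF'
#!/bin/sh
exec /usr/bin/sudo /sbin/shutdown -r now
EOF
    chmod 0755 "$dir/sbin/reboot-login"
}

# Syntax-check one rule with visudo before it goes anywhere near /etc.
# Returns 0 = accepted, 1 = rejected, 2 = visudo not installed.
check_rule_text() {
    command -v visudo >/dev/null 2>&1 || return 2
    tmp=$(mktemp) || return 2
    printf '%s\n' "$1" > "$tmp"
    visudo -cf "$tmp" >/dev/null 2>&1
    rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ]
}
```

Run `check_rule_text "$BROKEN_RULE"` and `check_rule_text "$(reboot_rule rebootuser)"` on a machine with sudo installed to compare the two forms before copying the staged drop-in into place as root.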
Hi,

> > useradd -u 0 -o -g 0 -d $HOMEDIR -s /sbin/reboot -c "Reboot User" reboot
>
> I guess this will fail with "UID 0 is not unique".

No, it doesn't fail, because of the "-o" parameter. -> "man useradd"

> BTW, I would prefer sudo a lot! I did a similar thing once upon a time ago, but it was a dirty hack :) I did this:

So, I think the sudo solution is more of a security risk than my way, because this is the program call way:
- login (PAM)
- loginshell
- sudo
- reboot

The programs in my solution are the following:
- login (PAM)
- reboot

-> If you call more programs you have a higher security risk

btw. I've tested my script and it works, but with a bug: The system would be halted, not rebooted. Why? The program "/sbin/reboot" is a link to "/sbin/halt" :-)

So the following script works well:

----- BEGIN -----
#!/bin/sh
# Creates a login account whose "shell" is a script that reboots the machine.
HOMEDIR="/home/reboot"
REBUN="reboot"
SHELLSCRIPT="/usr/local/sbin/reboot.sh"

# basename: $0 may contain a path, which would break the mktemp template
TMPFILE=$(mktemp "/tmp/$(basename "$0").XXXXXX")
# interpreter line so the generated script can be exec'd directly
echo '#!/bin/sh' >> "$TMPFILE"
echo "/sbin/shutdown -r now" >> "$TMPFILE"
install -g 0 -o 0 -b -v -m 700 "$TMPFILE" "$SHELLSCRIPT"
rm "$TMPFILE"

# -o allows the non-unique UID 0
useradd -u 0 -o -g 0 -d "$HOMEDIR" -s "$SHELLSCRIPT" -c "Reboot User" "$REBUN"
install -d -g 0 -o 0 -m 500 "$HOMEDIR"

# keep the account out of FTP and send its mail to root
echo "$REBUN" >> /etc/ftpusers
echo "$REBUN: root" >> /etc/aliases
newaliases > /dev/null
passwd "$REBUN"
----- END -----

have a nice day...
Kai
EOT

participants (6)
- Frederik Ferner
- Huge Rademaker
- Kai-H. Weutzing
- OKDesign oHG Security Administrator
- Peter Nixon
- Steffen Dettmer