Let me end this bombardment of email on shutdown by a non-root
user. PLEASE, PLEASE, DO NOT send any more email on this subject.
The list is to large to thank everyone. I think everyone and his
grandmothers sys-admin had some kind of response to this question.
I have drastically cut the responses. Alot were duplicates.
========================================================================
We call this script rbsun (reboot sun). The user executes a c-wrapper
that we call 'rbs', which executes this perl script (rbsun).
We also have one that does the same thing, but also checks to see
if the user is running from the console--to prevent someone else
remotely logging in and rebooting someone's workstation.
Here is the wrapper ----------------------------------------------------
#include<stdio.h>
#include<sys/types.h>
main()
{
setuid(0);
system("/rbsun");
}
Here is the Perl script --------------------------------------------------
#! /opt/bin/perl
#
# Reboot script for Sun workstations not in public labs.
# 9/21/94
#
$hostname = `uname -n`;
chop($hostname);
if ( $hostname eq "tracey2"){
print " Do you want to halt(h) or just reboot(r) your workstation? ";
$ans =<STDIN>;
chop($ans);
if ( $ans eq r ){
print " Syncing file systems and Rebooting...\n";
print " \n";
print "Please wait for login prompt to login\n";
`/usr/bin/sync`;
`/usr/bin/sync`;
`/usr/sbin/shutdown -y -i6`;}
else{
print " Halting the workstation...\n";
print " \n";
print " Type a \"b\" at the prompt > to reboot\n";
print " OR type \"boot\" at the prompt OK to reboot\n";
`/usr/bin/sync`;
`/usr/bin/sync`;
`/usr/sbin/shutdown -y -i0`;}}
else{
print "You are not allowed to reboot this workstation.\n";
print "Exiting...\n";
exit;}
Here are the permissions on these two files---------------------------
-rwsr-xr-x 1 root other 5444 Jul 20 1995 rbs
-rwxr-xr-x 1 root other 831 Jul 20 1995 rbsun
===========================================================================
What operating system. Under SunOS /usr/etc/shutdown is usually owned by
root.operator and is suid root and executable by the group operator. Put
the folks who you want to allow to do a shutdown in the operator group
and they can shutdown the machine.
If, however, you are talking about Solaris2 then I haven't quite figured
out a good answer. There must be one.
/dan
--Dan Schlitt School of Engineering Computer Systems dan@ee-mail.engr.ccny.cuny.edu City College of New York (212)650-6760 New York, NY 10031
===========================================================================
Easy peasy - just create a script as below
#!/bin/sh /usr/etc/halt
call it e.g. haltsys (just because that's the name I happen to use for the script I have here for this purpose for users) and install it in e.g. /usr/local/bin owned of course by root. Then just do
chmod 4755 /usr/local/bin/haltsys
and presto - anyone who can run haltsys can halt the machine. Of course, you could restrict access to haltsys on a group basis and it's not a good idea to have it on a network mounted drive, or perhaps a user logged in on your server could shut it down. Also you might like to prevent normal users from shutting down ANY machine to which they are not logged in on the console. I have attached my haltsys script. It works here, but its means of checking local logon is VERY primitive.
Hope this has been of some assistance,
Kindest regards,
Niall O Broin
European Space Operations Centre nobroin@esoc.esa.de Darmstadt, Germany Ph./Fax +49 6151 90 3619/2179
#! /bin/sh # # a script which runs setuid root in order to halt a system # it does its best to stop users from inadvertently shutting down # the server or from shutting down a machine other than the one # they are logged in on. # if [ `who am i|awk '{print $6}'` = "(:0.0)" ] ; then echo Halting now /usr/etc/halt else if [ `who am i|awk '{print $6}'` = "(`hostname`:0.0)" ] ; then echo Halting now /usr/sbin/halt else echo Please don\'t try to halt a remote machine fi fi
===========================================================================
file: autohalt ------------------- #!/bin/csh -b sync sync /usr/etc/halt
Set the protection on it so that it appears as -rwsr-xr-x 1 root daemon 38 Feb 3 1993 autohalt
It works well in SunOS 4.1.x (We havent done one for Solaris yet)
/------------------------------------------------------------------------------\ * Greg Harrison | "Well, that is one of the most * * System Administrator | well documented, non-working pieces * * Analog Devices | of code I have ever written" * * 7910 Triad Center Drive | -Anonymous * * Greensboro, NC 27409 | For reply, send a self-abused * * (910) 605-4359 | stomped antelope to * * email: greg.harrison@analog.com | greg.harrison@analog.com * \------------------------------------------------------------------------------/
===========================================================================
The easiest way I've found to allow users to use boot, fastboot, or shutdown is to put these commands in the passwd file.
Example:
reboot::0:1:System reboot login:/:/etc/reboot halt::0:1:System halt login:/:/etc/halt fastboot::0:1:System fastboot login:/:/etc/fastboot fasthalt::0:1:System fasthalt login:/:/etc/fasthalt
This should do it.
Regards,
/ / *\ Terry Snyder /0/ __O/ Unix Systems Admin - CAD/CAM |-|TTTTTTTTTTTTTTTT\\TTT|-| Beckman Instruments |-|IIIIIIIIIIIIIIIII\\TT|-| phone : (714) 961-6553 | / \ / \ | email : tss@breacad.beckman.com | \ \ \ \ | | | Two man vb, can you dig it? | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
===========================================================================
What we do is use a captive account which does nothing except shutdown the system. You can create a reasonably effective captive account by specifying a script as the "shell" for the account, ie, instead of specifying /bin/sh as shell in the passwd file specify a script, say /home/halt/shutdown. If a user manages to beak out of the shutdown script, they don't break out into a shell environment, they just get logged out.
---------------------------------------------------------------------------- Gary P. Carr gcarr@lanl.gov Staff Member, AOT-6 505-667-5785 Los Alamos National Laboratory (fax) 505-665-0046 ----------------------------------------------------------------------------
===========================================================================
Try looking at a package called sudo, which allows commands that you specify to be run as root.
ftp://ftp.cs.colorado.edu/users/millert/sudo/cu-sudo.v1.4.1-BETA.tar.Z
Dougal Scott Australian Artificial Intelligence Institute dwagon@aaii.oz.au 6/171 La Trobe St. Melbourne 3000 Programmer and Tech Support Australia Phone: +61 3 9663 7922 Fax: +61 3 9663 7937
===========================================================================
The slightly cheeky answer is: "yes, Sun does - it's called "shutdown" and it's one of those things which people in the "operators" group can do, without root privilege".
Seriously, I would have to ask you why you want users doing this... In particular, unless you take out all your console "secure" flags, then, if they can reboot single-user, they're going to get root that way. We do take out all "secure" flags and also "hide" Stop-A, so they can't get to the eprom (and we have eprom password [security-mode=command]).
If you're going to let the generality of users loose to shutdown, reboot, etc., you might as well give them root. But our concession is to give just a select few entries in the operators group and, that way, these folk can shutdown and re-boot workstations which, for instance, need to be moved or serviced.
-Brian Styles
===========================================================================
What's your OS ?
In SunOS a chmod on /usr/etc/shutdown works ok.
-rwsr-x--- 1 root operator /usr/etc/shutdown
Peter Allan peter.allan@aeat.co.uk
This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:10:54 CDT