How to restrict reboot/poweroff from non-admins?


I just noticed that CentOS (6.2) by default allows any user to reboot/poweroff system without any admin rights, or without any further questions, if using commands ‘reboot’ or ‘poweroff’. But ‘shutdown’ still requires admin rights.

What is the preferred way to restrict any regular user from rebooting/powering off the system (by accident)?

IMHO, sudo should be required for this purpose (at least in a system with shared remote access from multiple users, single-user laptops etc may be a different case)

 

7 thoughts on - How to restrict reboot/poweroff from non-admins?

  • Timo Neuvonen wrote on 03/28/2012 09:17 AM:

    OUCH! This seems to qualify as a CentOS bug. I confirm that a normal
    user can reboot or poweroff the system on 6.2. On RHEL:

    $ rpm -qa redhat-release*
    redhat-release-server-6Server-6.2.0.3.el6.x86_64
    $ poweroff
    poweroff: Need to be root
    $ reboot
    reboot: Need to be root

    Phil

  • I was just reading this the other day in a book but cannot find
    it…there is some command that limits this…not sure if it was just
    sudo or not…
    yea, that is scary

  • Only console users (local users) are allowed to do that. It’s configured
    using pam (I use Centos5.8 so forgive me if this is not the same for
    CentOS6). I tried to change settings in /etc/pam.d/ and that indeed works:

    /etc/pam.d/poweroff
    /etc/pam.d/reboot
    /etc/pam.d/halt

    I added as a second line:
    auth sufficient pam_rootok.so
    # prevent normal users to reboot
    auth required pam_deny.so
    ….

    But still the user locally logged on to the machine (gnome session) can
    switch it off. So I think I also missed something.

    Theo

  • Johnny Hughes wrote on 03/28/2012 10:26 AM:

    Got me there. The access mode does seem to be the difference. I tested
    from the GUI on CentOS and via ssh on RHEL. Logged on to the console in
    a GUI on RHEL6 a user can reboot or poweroff, and presumably also halt.
    Seems to be the “console user” thing. So CentOS does match upstream.

    Phil

  • I just did some research on this … the files that need to be modified
    to change this behavior are:

    /etc/pam.d/poweroff
    /etc/pam.d/halt
    /etc/pam.d/reboot

    The files in CentOS are identical to upstream … they are also
    identical to each other and look like this:

    auth sufficient pam_rootok.so
    auth required pam_console.so
    #auth include system-auth
    account required pam_permit.so

    I am sure those can be adjusted so console access by itself is not
    sufficient.

  • Both methods should work. With requisite the following checks are not
    done anymore (it fails right away). But even if the other tests succeed
    (after a failing required) the final judgement is still “fail”. It is a way
    not to tell the reason authentication fails. This makes it a little bit
    more difficult for an attacker.

    Note that shutdown is not in the list of pam enabled applications. So a
    user cannot poweroff, but he can still shutdown :-(
    I read that /etc/shutdown.allow controls shutdown but I don’t understand
    what the gnome desktop actually calls. Apparently it is not
    poweroff/reboot/halt.

    Does anyone know how to properly prevent any non-root user (console and
    remote) from powering off a machine?

    I need this only for desktop users that switch off their machine by
    accident. The machine is used as part of a compute grid as well.

    Theo
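
The stock stack quoted above and the pam_deny change described in the thread, run through a simplified model of how PAM treats sufficient, required and requisite. This is an added example, not code from the thread or from Linux-PAM; the module outcomes, the user dictionaries and the full contents of the modified file are assumptions.

```python
# Simplified model of how PAM walks the "auth" lines of a pam.d service file.
# Added illustration, not Linux-PAM code; module behaviour is assumed as below.
STOCK = """\
auth sufficient pam_rootok.so
auth required pam_console.so
#auth include system-auth
account required pam_permit.so
"""
# Constructed: the stock file with the thread's pam_deny line added second.
HARDENED = STOCK.replace("auth required pam_console.so",
                         "auth required pam_deny.so\nauth required pam_console.so")
# Constructed: same file with "requisite" instead of "required" on pam_deny.
REQUISITE = HARDENED.replace("required pam_deny.so", "requisite pam_deny.so")

MODULES = {  # assumed outcome of each module for a user dict
    "pam_rootok.so": lambda user: user["uid"] == 0,
    "pam_console.so": lambda user: user["console"],
    "pam_deny.so": lambda user: False,
}

def evaluate_auth(stack, user):
    """Return (allowed, modules_run) for the auth facility of one service file."""
    failed, passed, ran = False, False, []
    for line in stack.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "auth" or fields[2] not in MODULES:
            continue  # comments, other facilities, modules outside this model
        control, module = fields[1], fields[2]
        ok = MODULES[module](user)
        ran.append(module)
        if control == "sufficient":
            if ok and not failed:
                return True, ran       # success ends the stack early
        elif control == "requisite" and not ok:
            return False, ran          # failure ends the stack immediately
        elif control in ("required", "requisite"):
            passed, failed = passed or ok, failed or not ok
    return (passed and not failed), ran  # a failed "required" still runs the rest

if __name__ == "__main__":
    users = {"root": {"uid": 0, "console": False},
             "console user": {"uid": 1000, "console": True},
             "ssh user": {"uid": 1000, "console": False}}
    for name, stack in (("stock", STOCK), ("required", HARDENED), ("requisite", REQUISITE)):
        for who, user in users.items():
            print(name, who, evaluate_auth(stack, user))
```

The model covers only the poweroff, halt and reboot PAM services. As the thread notes, the GNOME session appears to use a different path, which this does not model.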
