Wrapper Script For Shutdown, Passwd, Etc. Commands

Hello all. Thank you for reading.

I’m hoping someone can point me in the right direction here. I am looking to implement a wrapper script/utility that will prompt for a ticket number before running certain commands. I’ve used similar scripts in the past on systems where I didn’t have admin access.

The wrapper would do something like this:

[root@vm-helios-019] shutdown -h now

*** WARNING ***
You are attempting to shutdown a production server:
vm-helios-019.digitalhermit.com
Please enter the Change Log Ticket for shutdown CHG-FL-102122

Please confirm by entering your login password: xxxxxxxxxxxxxxxxxx

Ticket number CHG-GL-102122 for user Kwan Lowe (klowe) has been logged at
Sun Feb 4, 2001 at 14:23 (2:23PM).

Ideally this would only kick in if the request is coming from an interactive session.

Thinking about it, just replacing the command with a wrapper could cause other problems.

Has anyone done anything similar?

Thanks, Kwan

3 thoughts on - Wrapper Script For Shutdown, Passwd, Etc. Commands

  • Are you saying that this is an interactive process on the system? I’d suggest you make sure this isn’t some sort of email ticket that stores a password or emails it.

    You could probably use ‘sudo’ to handle the part of authenticating the user, and run a very limited service that queried a secure system for approval and initiated the shutdown.

  • Thanks for the reply. I’m thinking that the password would only be there to confirm. It would not be stored but would possibly leverage PAM.

    sudo was a possibility. However, I want to do this specifically for folks with root access so sudo’s checks won’t work.

    This is for two reasons: Audit requirements and as a second check for the admin. We’ve had a couple instances recently where the admin did work on the wrong server. Though I don’t see any way to totally lock it down for someone with root access, I want to make it at least give some sort of warning.

    The other tool I looked at was selinux. Combined with audit it could possibly work but not all the systems have selinux enabled.

  • On 13.07.2015 at 16:47, Kwan Lowe wrote:

    If your need is to be sure that the admin works on the right system, then I suggest putting something explicitly into /etc/motd (man motd).

    If your work policy allows “folks” to work directly as root, then everything can be circumvented, saying that to suggest something totally trivial: aliases

    cat /etc/profile.d/local.sh
    alias shutdown='/usr/local/sbin/wrapper-shutdown'

    thought
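
The wrapper discussed in this thread, as an added example that is not code from any of the posters: non-interactive calls pass straight through, interactive ones must supply a ticket that is logged to syslog before the real command runs. The ticket pattern (modelled on the sample CHG-FL-102122), the /sbin/shutdown path, the authpriv facility and all function names are assumptions, and the password confirmation step is left out.

```shell
#!/bin/sh
# Added example: ticket-prompting wrapper for shutdown (not from the thread).
# Assumptions: real binary path, ticket format, and syslog facility below.
REAL_CMD=${REAL_CMD:-/sbin/shutdown}

# True only when both stdin and stdout are terminals, so cron jobs,
# scripts and ssh commands run without a tty pass straight through.
is_interactive() {
    [ -t 0 ] && [ -t 1 ]
}

# Accept tickets shaped like the sample in the post: CHG-FL-102122.
valid_ticket() {
    case "$1" in
        CHG-[A-Z][A-Z]-[0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Build the audit record: ticket, user, host, and the arguments passed.
audit_line() {
    ticket=$1; user=$2; host=$3; shift 3
    printf 'ticket=%s user=%s host=%s cmd=shutdown args="%s"' \
        "$ticket" "$user" "$host" "$*"
}

main() {
    if ! is_interactive; then
        exec "$REAL_CMD" "$@"
    fi
    host=$(hostname -f 2>/dev/null || hostname)
    user=${SUDO_USER:-$(logname 2>/dev/null || id -un)}
    printf '*** WARNING ***\nYou are attempting to shut down: %s\n' "$host"
    printf 'Change Log Ticket: '
    read -r ticket || exit 1
    if ! valid_ticket "$ticket"; then
        echo "Invalid ticket format, not shutting down." >&2
        exit 1
    fi
    # Log before acting so the record exists even if the command fails.
    logger -p authpriv.notice -t wrapper-shutdown \
        "$(audit_line "$ticket" "$user" "$host" "$@")" || exit 1
    exec "$REAL_CMD" "$@"
}

# Run only when invoked under the installed name used in the alias above.
if [ "${0##*/}" = "wrapper-shutdown" ]; then main "$@"; fi
```

Installed as /usr/local/sbin/wrapper-shutdown behind the alias shown above, this acts as a warning and an audit trail rather than a control: as the thread notes, anyone with root can call the real binary directly.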
