Wrapper Script For Shutdown, Passwd, Etc. Commands
Hello all. Thank you for reading.
I’m hoping someone can point me in the right direction here. I am looking to implement a wrapper script/utility that will prompt for a ticket number before running certain commands. I’ve used similar scripts in the past on systems where I didn’t have admin access.
The wrapper would do something like this:
[root@vm-helios-019] shutdown -h now
*** WARNING ***
You are attempting to shutdown a production server:
vm-helios-019.digitalhermit.com
Please enter the Change Log Ticket for shutdown CHG-FL-102122
Please confirm by entering your login password: xxxxxxxxxxxxxxxxxx
Ticket number CHG-GL-102122 for user Kwan Lowe (klowe) has been logged at
Sun Feb 4, 2001 at 14:23 (2:23PM).
Ideally this would only kick in if the request is coming from an interactive session.
Thinking about it, just replacing the command with a wrapper could cause other problems.
Has anyone done anything similar?
Thanks, Kwan
3 thoughts on - Wrapper Script For Shutdown, Passwd, Etc. Commands
Are you saying that this is an interactive process on the system? I’d suggest you make sure this isn’t some sort of email ticket that stores a password or emails it.
You could probably use ‘sudo’ to handle the part of authenticating the user, and run a very limited service that queried a secure system for approval and initiated the shutdown.
Thanks for the reply. I’m thinking that the password would only be there to confirm. It would not be stored but would possibly leverage PAM.
sudo was a possibility. However, I want to do this specifically for folks with root access, so sudo’s checks won’t work.
This is for two reasons: Audit requirements and as a second check for the admin. We’ve had a couple instances recently where the admin did work on the wrong server. Though I don’t see any way to totally lock it down for someone with root access, I want to make it at least give some sort of warning.
The other tool I looked at was selinux. Combined with audit it could possibly work but not all the systems have selinux enabled.
On 13.07.2015 at 16:47, Kwan Lowe wrote:
If your need is to be sure that the admin works on the right system, then I suggest putting something explicitly into /etc/motd (man motd).
If your work policy allows “folks” to work directly as root, then everything can be circumvented. That said, to suggest something totally trivial: aliases
cat /etc/profile.d/local.sh
alias shutdown='/usr/local/sbin/wrapper-shutdown'