Bug 10483

Summary: Any user may cause a remote shutdown of the system.
Product: [Retired] Red Hat Linux
Reporter: Juan Hierro <hierro>
Component: initscripts
Assignee: Bill Nottingham <notting>
Status: CLOSED NOTABUG
Severity: low
Priority: medium
Version: 6.0
CC: rvokal
Hardware: All   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2000-03-31 16:57:17 UTC

Description Juan Hierro 2000-03-31 16:55:50 UTC
I am not sure whether this is a bug or a system characteristic but in
all versions from 5.1 up to 6.1 (the only ones I have used) and in
alpha and i386 platforms there are two different routes to the shutdown
command. The first is /sbin/shutdown and causes no problem (only root
or CTRL+ALT+DEL may run it); however the other command: /usr/bin/shutdown
may be called by all users (even remotely) with the only condition of
being asked for their password before executing.

 One can easily imagine the headaches it has caused for the last days
in our department which has an NFS server for more than forty users,
two of them newbies used to turn off Windows when logging out and who
had in their PATH /usr/bin but no /sbin.

 Once you know, it looks easy to solve.

Comment 1 Bill Nottingham 2000-03-31 16:57:59 UTC
This is a feature of pam_console; see 'man pam_console'
for more info.
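
An added audit example, not part of the original bug thread and not Red Hat's code: it lists the PAM services whose auth stack names pam_console and shows whether a same-named wrapper sits in /usr/bin, the situation the report describes for shutdown. The root-prefix parameter, the fixture files and the `consolehelper` symlink target are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example. List PAM services whose auth stack names pam_console and
# whether a same-named wrapper exists in /usr/bin (on a user's default PATH).
# $1 is an assumed parameter: a filesystem prefix, empty for the live system.
pam_console_services() {
    root=${1:-}
    for f in "$root"/etc/pam.d/*; do
        [ -f "$f" ] || continue
        # Control flag of the first non-comment auth line that uses pam_console.
        ctl=$(awk '$1 == "auth" && $0 ~ /pam_console/ { print $2; exit }' "$f")
        [ -n "$ctl" ] || continue
        svc=${f##*/}
        if [ -e "$root/usr/bin/$svc" ] || [ -L "$root/usr/bin/$svc" ]; then
            wrapper="/usr/bin/$svc"
        else
            wrapper="none"
        fi
        echo "$svc $ctl $wrapper"
    done
}

# Constructed fixture (not copied from any real Red Hat release).
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/pam.d" "$d/usr/bin" "$d/sbin"
    printf '%s\n' 'auth sufficient pam_rootok.so' 'auth required pam_console.so' \
        > "$d/etc/pam.d/shutdown"
    # Commented-out auth line and a session-only use: neither should be reported.
    printf '%s\n' '#auth required pam_console.so' 'auth required pam_pwdb.so' \
        'session optional pam_console.so' > "$d/etc/pam.d/login"
    printf '%s\n' 'auth required pam_console.so' > "$d/etc/pam.d/halt"
    ln -s consolehelper "$d/usr/bin/shutdown"   # assumed wrapper target
    : > "$d/sbin/shutdown"                      # stands in for the root-only binary
    echo "$d"
}

fixture=$(make_fixture)
pam_console_services "$fixture"
rm -rf "$fixture"
```

Run with an empty argument to audit the live system; each output line is the service name, the PAM control flag on its pam_console line, and the wrapper path or `none`.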