From Bugzilla Helper: User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.6) Gecko/20050319 Description of problem: /etc/pam.d/reboot allow us to do reboot the system. auth sufficient pam_rootok.so is currently set. auth required pam_rootok.so is recommended for security reason. After change to "required" , system return " reboot: must be super user". I have seen this symptom on RHAS3,too. Is this a bug or change security specification? Version-Release number of selected component (if applicable): pam-0.77-65.1 How reproducible: Always Steps to Reproduce: 1. create non-root user. 2. login to the system with non-root user 3. do reboot Actual Results: System do reboot Expected Results: System return reboot: must be superuser Additional info:
Correction. "reboot" and "halt" commands are affected. If I do "shutdown" from non-root user, it is blocked. ( shutdown: must be superuser )
This is expected behaviour - to be able to reboot/halt the machine you don't have to be superuser, you must have obtained the console lock only. You can try if you are logged on using gdm/text login as a first user and then you log in as another user - the second user cannot reboot the machine. So this policy in /etc/pam.d/reboot(halt) is fine in case the machine is used as a normal workstation or a server either without normal users or without console access for normal users. Of course in case of multiuser machine with console access for normal users it's necessary for administrator of the machine to change this (as you done).