Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
Bug 152125 - Any non-root user can do "reboot" or "shutdown"
Any non-root user can do "reboot" or "shutdown"
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: pam (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Tomas Mraz
Jay Turner
Depends On:
  Show dependency treegraph
Reported: 2005-03-24 21:54 EST by masanari iida
Modified: 2015-01-07 19:09 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2005-03-25 03:36:26 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description masanari iida 2005-03-24 21:54:47 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.6) Gecko/20050319

Description of problem:
/etc/pam.d/reboot  allow us to do reboot the system.

auth sufficient pam_rootok.so    is currently set.
auth required pam_rootok.so      is recommended for security reason.

After change to "required" , system return " reboot: must be super user".
I have seen this symptom on RHAS3,too.
Is this a bug or change security specification?

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. create non-root user.
2. login to the system with non-root user
3. do reboot 

Actual Results:  System do reboot

Expected Results:  System return
reboot: must be superuser

Additional info:
Comment 1 masanari iida 2005-03-24 21:58:27 EST
"reboot" and "halt" commands are affected.
If I do "shutdown" from non-root user, it is blocked. 
( shutdown: must be superuser )
Comment 2 Tomas Mraz 2005-03-25 03:36:26 EST
This is expected behaviour - to be able to reboot/halt the machine you don't
have to be superuser, you must have obtained the console lock only. You can try
if you are logged on using gdm/text login as a first user and then you log in as
another user - the second user cannot reboot the machine. So this policy in
/etc/pam.d/reboot(halt) is fine in case the machine is used as a normal
workstation or a server either without normal users or without console access
for normal users.
Of course in case of multiuser machine with console access for normal users it's
necessary for administrator of the machine to change this (as you done).

Note You need to log in before you can comment on or make changes to this bug.