By default, any user (remote or local) can shut down the system using "shutdown -h now". Seems to override PAM...
Not true. I just tried on i386 Red Hat 6.0.
I've done it on 2 separate RH 6.0 boxen. When I'm remote, and have my display set to the local root window, I get a popup box when I type "shutdown -r now" that prompts me for the password. I enter my username, and the remote box reboots. And if I don't have my DISPLAY environment var set, it just prompts me for the password. And then promptly reboots.
OK, got it now. Off to Michael to explain the functionality of PAM console ...
This is expected behavior when you are "at the console". "Console users" are given all sorts of access, including ownership of devices like floppies and sound cards, and are also given permission to run various programs (normally after giving their password, but that is configurable on a per-program basis). man pam_console for more information. This can be turned off by removing files from /etc/security/console.apps/ -- just don't remove the xserver file or X will no longer start for anyone but root. If this happens for a login that is not at the physical console, then I most certainly want to know about it. Keep in mind, however, that if you are logged in BOTH remotely AND locally that the remote login has the same privileges as the local login until all your local login sessions terminate.
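The following is an added example, not part of the original thread or of Red Hat's tooling: a shell sketch for auditing the entries under /etc/security/console.apps/ and moving one aside instead of deleting it, while refusing to touch the xserver entry mentioned above. The function names, the output format and the backup directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit and selectively disable pam_console application entries.
# The directory path and the xserver caveat come from the thread; the function
# names, "keep"/"review" labels and the backup directory are assumptions.

# list_console_apps [DIR]
# Prints "<entry> <action>" per file. "keep" marks xserver (X will not start
# for non-root users without it); "review" marks every other program that
# console users are permitted to run.
list_console_apps() {
    dir=${1:-/etc/security/console.apps}
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    for f in "$dir"/*; do
        [ -e "$f" ] || continue          # empty directory: glob did not match
        name=${f##*/}
        case $name in
            xserver) echo "$name keep" ;;
            *)       echo "$name review" ;;
        esac
    done
}

# disable_console_app DIR NAME BACKUP_DIR
# Moves DIR/NAME into BACKUP_DIR so the change can be reverted by moving it back.
disable_console_app() {
    dir=$1
    name=$2
    backup=$3
    case $name in
        ''|*/*|.|..) echo "invalid entry name" >&2; return 2 ;;
        xserver)     echo "refusing to disable xserver" >&2; return 1 ;;
    esac
    [ -f "$dir/$name" ] || { echo "not found: $dir/$name" >&2; return 3; }
    mkdir -p "$backup" && mv -- "$dir/$name" "$backup/$name"
}

# Typical use, as root:
#   list_console_apps
#   disable_console_app /etc/security/console.apps shutdown /root/console.apps.disabled
```

The backup directory should sit outside /etc/security/console.apps/ so the moved file is no longer seen as an entry.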
*** Bug 2714 has been marked as a duplicate of this bug. ***
The /usr/bin/shutdown has a BIG BUG: anyone can shut down the computer using his OWN password!!! This can be disabled by removing all the file permissions for other users on the file /usr/local/consolehelper, but this is NOT a bugfix, it is only temporary!!!