Bug 2606 - Default access to shutdown
Default access to shutdown
Status: CLOSED NOTABUG
Product: Red Hat Linux
Classification: Retired
Component: SysVinit (Show other bugs)
6.0
i386 Linux
high Severity high
: ---
: ---
Assigned To: David Lawrence
:
: 2714 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 1999-05-06 15:32 EDT by alynch
Modified: 2008-05-01 11:37 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 1999-05-06 16:47:05 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description alynch 1999-05-06 15:32:17 EDT
By default, any user (remote or local) can shutdown the
system using "shutdown -h now" . Seems to override PAM...
Comment 1 Jeff Johnson 1999-05-06 16:10:59 EDT
Not true. I just tried on i386 Red hat 6.0.
Comment 2 alynch 1999-05-06 16:14:59 EDT
I've done it on 2 separate RH 6.0 boxen. When I'm remote, and have my
display set to the local root window, I get a popup box when I type
"shutdown -r now" that prompts me for the password. I enter my
username, and the remote box reboots. And if I don't have my DISPLAY
enviornment var set, it just prompts me for the password. And then
promptly reboots.
Comment 3 Jeff Johnson 1999-05-06 16:30:59 EDT
OK, got it now. Off to Michael to explain the functionality of
PAM console ...
Comment 4 Michael K. Johnson 1999-05-06 16:47:59 EDT
This is expected behavior when you are "at the console".  "Console
users" are given all sorts of access, including ownership of
devices like floppies and sound cards, and are also given permission
to run various programs (normally after giving their password, but
that is configurable on a per-program basis).  man pam_console for
more information.  This can be turned off by removing files from
/etc/security/console.apps/ -- just don't remove the xserver file
or X will no longer start for anyone but root.

If this happens for a login that is not at the physical console,
then I most certainly want to know about it.  Keep in mind,
however, that if you are logged in BOTH remotely AND locally
that the remote login has the same privileges as the local login
until all your local login sessions terminate.
Comment 5 Jeff Johnson 1999-05-15 17:57:59 EDT
*** Bug 2714 has been marked as a duplicate of this bug. ***

The /usr/bin/shutdown has a BIG BUG
anyone can shutdown a the computer using his OWN password!!!
this can be disabled by removing all the filepermissions
for other users on the file /usr/local/consolehelper

but this is NOT a bugfix, it is only temporarily!!!

Note You need to log in before you can comment on or make changes to this bug.