Bug 2606 - Default access to shutdown
Summary: Default access to shutdown
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: SysVinit
Version: 6.0
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: David Lawrence
QA Contact:
: 2714 (view as bug list)
Depends On:
TreeView+ depends on / blocked
Reported: 1999-05-06 19:32 UTC by alynch
Modified: 2008-05-01 15:37 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 1999-05-06 20:47:05 UTC

Attachments (Terms of Use)

Description alynch 1999-05-06 19:32:17 UTC
By default, any user (remote or local) can shutdown the
system using "shutdown -h now" . Seems to override PAM...

Comment 1 Jeff Johnson 1999-05-06 20:10:59 UTC
Not true. I just tried on i386 Red hat 6.0.

Comment 2 alynch 1999-05-06 20:14:59 UTC
I've done it on 2 separate RH 6.0 boxen. When I'm remote, and have my
display set to the local root window, I get a popup box when I type
"shutdown -r now" that prompts me for the password. I enter my
username, and the remote box reboots. And if I don't have my DISPLAY
enviornment var set, it just prompts me for the password. And then
promptly reboots.

Comment 3 Jeff Johnson 1999-05-06 20:30:59 UTC
OK, got it now. Off to Michael to explain the functionality of
PAM console ...

Comment 4 Michael K. Johnson 1999-05-06 20:47:59 UTC
This is expected behavior when you are "at the console".  "Console
users" are given all sorts of access, including ownership of
devices like floppies and sound cards, and are also given permission
to run various programs (normally after giving their password, but
that is configurable on a per-program basis).  man pam_console for
more information.  This can be turned off by removing files from
/etc/security/console.apps/ -- just don't remove the xserver file
or X will no longer start for anyone but root.

If this happens for a login that is not at the physical console,
then I most certainly want to know about it.  Keep in mind,
however, that if you are logged in BOTH remotely AND locally
that the remote login has the same privileges as the local login
until all your local login sessions terminate.

Comment 5 Jeff Johnson 1999-05-15 21:57:59 UTC
*** Bug 2714 has been marked as a duplicate of this bug. ***

The /usr/bin/shutdown has a BIG BUG
anyone can shutdown a the computer using his OWN password!!!
this can be disabled by removing all the filepermissions
for other users on the file /usr/local/consolehelper

but this is NOT a bugfix, it is only temporarily!!!

Note You need to log in before you can comment on or make changes to this bug.