Red Hat Bugzilla – Bug 55987
Normal users can issue the reboot command to reboot the system
Last modified: 2007-04-18 12:38:12 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Description of problem:
I just installed the downloadable version of RH 7.2 and added a user with
the username of drc (adduser drc) and then I gave that user a password
(passwd drc). After loggin in to the new normal user account I was able
to use the reboot command to reboot the system. I think this is a serious
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Login as normal user "drc"
2. Issue "reboot"
3. System reboots
Actual Results: The server reboots when normal users use the reboot
Expected Results: Only root has access to reboot the system.
It's not a bug, it's a feature. A user at the console could also pull the plug.
Hint: See output of "which reboot".
This is a very critical bug! I just tested logging into a RH7.2 (+latest errata)
box as a normal user and the machine rebooted after I issued the 'reboot'
command. 'w' showed my TTY was pts/4 before I 'reboot'ed.
Yes... this IS A SERIOUS BUG !!!... I lost 2 days of work (chip simulation)
because another regular user re-booted the system !!!!!
$ ll `which reboot` | cut -b57-
/usr/bin/reboot -> consolehelper
As I wrote before, this is not a bug. This is even documented in the "The
Official Red Hat Linux Customization Guide" which is shipped on the docs CD or
This same problem also exists for the "halt", "v4l-conf" and "poweroff". If a
user stays logged into the console, they can (days later) ssh into the machine
from remote as that same user and execute any of these commands. If you
uncomment the line:
auth required /lib/security/pam_stack.so service=system-auth
It "fixes" the problem.
I don't really care to argue that this is or is not a bug. It is like so many
things in RedHat's distro..."on by default". You guys did so well with that
problem in 7.2, but you need to fix the loose ends like this. I'm not
suggesting you remove the consolehelper system, I am just suggesting you reverse
this behavior by default.
As an example of why this is silly, we are now forced to "fix" this on all 7.2
machines at our organization...something on the order of 200 machines. Nobody
wants to lose work because of an interface change like this.
A user logged in at the console can always reboot the system by pressing
Ctrl+Alt+Del, or hitting the power switch. Allowing the user to reboot the
system in an orderly way is preferable. Allowing a user to use removable media
devices or video display devices) is also preferable when the user has physical
access to the diskette drive and video hardware.
*** This bug has been marked as a duplicate of 17882 ***