From Bugzilla Helper: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Description of problem: I just installed the downloadable version of RH 7.2 and added a user with the username of drc (adduser drc) and then I gave that user a password (passwd drc). After loggin in to the new normal user account I was able to use the reboot command to reboot the system. I think this is a serious security problem. Version-Release number of selected component (if applicable): How reproducible: Always Steps to Reproduce: 1. Login as normal user "drc" 2. Issue "reboot" 3. System reboots Actual Results: The server reboots when normal users use the reboot command. Expected Results: Only root has access to reboot the system. Additional info:
It's not a bug, it's a feature. A user at the console could also pull the plug. :) Hint: See output of "which reboot".
This is a very critical bug! I just tested logging into a RH7.2 (+latest errata) box as a normal user and the machine rebooted after I issued the 'reboot' command. 'w' showed my TTY was pts/4 before I 'reboot'ed.
Yes... this IS A SERIOUS BUG !!!... I lost 2 days of work (chip simulation) because another regular user re-booted the system !!!!! Igor
$ ll `which reboot` | cut -b57- /usr/bin/reboot -> consolehelper As I wrote before, this is not a bug. This is even documented in the "The Official Red Hat Linux Customization Guide" which is shipped on the docs CD or online here: https://www.redhat.com/docs/manuals/linux/RHL-7.2-Manual/custom-guide/console-access.html#S1-ACCESS-CONSOLE-CTRLALTDEL https://www.redhat.com/docs/manuals/linux/RHL-7.2-Manual/custom-guide/s1-access-console-program.html
This same problem also exists for the "halt", "v4l-conf" and "poweroff". If a user stays logged into the console, they can (days later) ssh into the machine from remote as that same user and execute any of these commands. If you uncomment the line: auth required /lib/security/pam_stack.so service=system-auth from /etc/pam.d/halt It "fixes" the problem. I don't really care to argue that this is or is not a bug. It is like so many things in RedHat's distro..."on by default". You guys did so well with that problem in 7.2, but you need to fix the loose ends like this. I'm not suggesting you remove the consolehelper system, I am just suggesting you reverse this behavior by default. As an example of why this is silly, we are now forced to "fix" this on all 7.2 machines at our organization...something on the order of 200 machines. Nobody wants to lose work because of an interface change like this.
A user logged in at the console can always reboot the system by pressing Ctrl+Alt+Del, or hitting the power switch. Allowing the user to reboot the system in an orderly way is preferable. Allowing a user to use removable media devices or video display devices) is also preferable when the user has physical access to the diskette drive and video hardware. *** This bug has been marked as a duplicate of 17882 ***