Bug 618623 - shutdown allows local non-privileged user to halt system
Summary: shutdown allows local non-privileged user to halt system
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: upstart (Show other bugs)
(Show other bugs)
Version: 13
Hardware: All Linux
low
medium
Target Milestone: ---
Assignee: Casey Dahlin
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-07-27 12:12 UTC by Petr Pisar
Modified: 2014-06-18 08:47 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-07-27 13:52:16 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Petr Pisar 2010-07-27 12:12:23 UTC
Running /sbin/shutdown -h 0 as a non-root user proceeds system to shutdown sequence resulting in power off.

$ rpm -qf $(type -p shutdown)
upstart-0.6.5-5.fc13.x86_64

This is undesired, insecure, abusive and against-all-customs behavior. Expected result is error message about refused attempt to shutdown by non-superuser.

Current default configuration is really one-user system centric and overviews other use cases.

I'd like to see more explicit configuration instead of such an Ubuntu style. E.g. adding users to supplementary `power' group.

Comment 1 Petr Lautrbach 2010-07-27 13:26:42 UTC
I'm not able to reproduce it. /sbin/shutdown needs root privileges.

[test@f13 ~]$ rpm -q upstart
upstart-0.6.5-5.fc13.x86_64

[test@f13 ~]$ rpm -qV upstart

[test@f13 ~]$ ls -l /sbin/shutdown
-rwxr-xr-x. 1 root root 57920 May  4 22:31 /sbin/shutdown

[test@f13 ~]$ /sbin/shutdown -h 0
shutdown: Need to be root

I've tried it on serial console, virtual terminal, X terminal.

Please provide more information or reproducer. Otherwise it will be close as NOTABUG.

Comment 2 Petr Pisar 2010-07-27 13:49:14 UTC
Some bug in reality probably. Two of us have been able to reproduce it once a time, but not anymore. Feel free to close this report.


Note You need to log in before you can comment on or make changes to this bug.