Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
Bug 618623 - shutdown allows local non-privileged user to halt system
shutdown allows local non-privileged user to halt system
Product: Fedora
Classification: Fedora
Component: upstart (Show other bugs)
All Linux
low Severity medium
: ---
: ---
Assigned To: Casey Dahlin
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2010-07-27 08:12 EDT by Petr Pisar
Modified: 2014-06-18 04:47 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2010-07-27 09:52:16 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Petr Pisar 2010-07-27 08:12:23 EDT
Running /sbin/shutdown -h 0 as a non-root user proceeds system to shutdown sequence resulting in power off.

$ rpm -qf $(type -p shutdown)

This is undesired, insecure, abusive and against-all-customs behavior. Expected result is error message about refused attempt to shutdown by non-superuser.

Current default configuration is really one-user system centric and overviews other use cases.

I'd like to see more explicit configuration instead of such an Ubuntu style. E.g. adding users to supplementary `power' group.
Comment 1 Petr Lautrbach 2010-07-27 09:26:42 EDT
I'm not able to reproduce it. /sbin/shutdown needs root privileges.

[test@f13 ~]$ rpm -q upstart

[test@f13 ~]$ rpm -qV upstart

[test@f13 ~]$ ls -l /sbin/shutdown
-rwxr-xr-x. 1 root root 57920 May  4 22:31 /sbin/shutdown

[test@f13 ~]$ /sbin/shutdown -h 0
shutdown: Need to be root

I've tried it on serial console, virtual terminal, X terminal.

Please provide more information or reproducer. Otherwise it will be close as NOTABUG.
Comment 2 Petr Pisar 2010-07-27 09:49:14 EDT
Some bug in reality probably. Two of us have been able to reproduce it once a time, but not anymore. Feel free to close this report.

Note You need to log in before you can comment on or make changes to this bug.