This may seem like a stupid issue - why SHOULDN'T the average user be able to turn off his/her own machine?
The answer is that Linux is inherently designed as a multiuser system. It would generally be a bad thing if any one user would be allowed to spontaneously turn off the computer while other users are working. Just imagine what hell would ensue if your webserver were taken down by some insignificant user halfway across the world.
Of course, it does seem a little overprotective if the user is physically sitting at the machine, since he/she could just reach over and hit the power button (don't do that!!!).
There are several schools of thought concerning how to allow a user to shut down a machine properly. The first method seems somewhat useless to me, but I put it here for completeness.
shutdown.allow
There is a file in /etc called shutdown.allow (and if there isn't, root can add it). This file contains a list of users (1 per line) who are allowed to shutdown the computer.
This doesn't mean that these users can invoke the shutdown (or reboot or halt) command(s). Instead, it means that an authorized user can shut down the computer by pressing ctrl+alt+del.
In order for this to occur, the ctrl+alt+del key sequence must be trapped in the /etc/inittab file. The necessary line in inittab is
ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now
When ctrl+alt+del is pressed, init checks if there is an authorized user (listed in /etc/shutdown.allow) logged into any virtual console, and proceeds to shutdown if this is true.
Of course, if I'm running X windows, then generally the window manager will trap ctrl+alt+del for itself, so this won't work anymore.
sudo
The program sudo allows normal users to execute certain root-only commands. Which users are authorized to run which commands is specified in the /etc/sudoers file. This should only be edited with the command visudo.
For example, suppose I wanted to add a group of users who are allowed to shut down the machine. So I first want to add a group called "shutdown" (run these commands while root)
groupadd shutdown
Then I need to edit the /etc/group file to add users to the "shutdown" group. I just tack the usernames at the end of the shutdown line, separated by commas, e.g.
shutdown:x:407:user1,user2,...
Whatever users I put there will be able to shut down the computer (so choose wisely). Now I need to configure sudo to allow members of the "shutdown" group to actually invoke the assorted shutdown commands provided in linux. Run visudo and add the following lines
%shutdown ALL=(root) NOPASSWD: /sbin/reboot
%shutdown ALL=(root) NOPASSWD: /sbin/halt
%shutdown ALL=(root) NOPASSWD: /sbin/shutdown
This allows the "shutdown" group to run /sbin/reboot, /sbin/halt, and /sbin/shutdown AS IF THEY WERE ROOT. The only caveat is that the users must run the commands with the command sudo in front, e.g.
sudo /sbin/halt
This is always a bit of a pain (and users never remember), so I can create the following script called "/usr/bin/reboot" (and similar scripts for halt and shutdown)
#! /bin/sh
sudo /sbin/reboot $*
Remember to make these scripts executable! To make this slightly more secure, I might want to change the ownership of these scripts to the "shutdown" group
chgrp shutdown /usr/bin/reboot /usr/bin/halt /usr/bin/shutdown
and then make them executable only for the group "shutdown"
chmod g+x /usr/bin/reboot /usr/bin/halt /usr/bin/shutdown
KDE shutdown
If you are running kdm (the kde display manager - e.g. graphical login) then the shutdown behavior can be modified in "Control Panel" (in "Administrator Mode" of course). If you are starting KDE manually (using startx or startkde) then you will have to resort to the previous "sudo" solution (and probably add a shortcut on the desktop to one of those scripts).
XFCE4 shutdown
If you are using xfce4 then you will need to configure a few items in order to use the built-in "Reboot computer"/"Turn off computer" options available when you are logging out.
CHANGE - SEE BELOW FOR XFCE 4.2
XFCE 4.0
First, all users who are allowed to shut down the machine from xfce4 must be listed in the /etc/xfce4/shutdown.allow file (syntax is just like in the /etc/shutdown.allow file - see above). Second, the file permissions on the xfce4-shutdown program must be modified. This file is usually in /usr/sbin/xfce4-shutdown, so I would type
chmod u+s /usr/sbin/xfce4-shutdown
the "u+s" argument means that the command xfce4-shutdown will run as though the owner (probably root) initiated it, regardless of which user actually called the program.
This should be enough to shut down the computer from xfce4.
Instructions for XFCE 4.2 The game has changed for xfce 4.2. Now you must instead allow sudo access to a program called /usr/sbin/xfsm-shutdown-helper (note: this may also be located in /usr/local/libexec/ - just use the "locate" command to find xfsm-shutdown-helper).
Using the same kind of ideas presented above in the sudo method of shutdown, I add the following line to /etc/sudoers file (using visudo)
%shutdown ALL=(root) NOPASSWD: /usr/sbin/xfsm-shutdown-helper
This allows the "shutdown" group to shutdown the machine.
This page has been visited 20,481 (19 today) times since January 13, 2005
Source http://www.spencerstirling.com
No comments:
Post a Comment