View Full Version : shutdown- permissions problem



jonolumb
2005-11-10, 11:18
I am trying to shutdown my Fedora Core 4 server using a plugin that runs remote scripts. However, I have some problems with permissions.
In Fedora, the shutdown script is in /sbin
The command I pass is su -c "/sbin/shutdown now"
or su -c "/sbin/shutdown -k now" for testing!!!
However, this command requires you to be logged in as root. This is no good from slimserver.
How can I run the shell script below without root permissions?

#!/bin/bash
su -c "/sbin/shutdown now"

Thanks
Jono

MrC
2005-11-10, 11:46
While you can run shutdown from within a setuid script, you do not want to create a setuid script for security reasons.

What you can use is a script that contains


sudo /sbin/shutdown now

and add a line to /etc/sudoers that allows slimserver to run the shutdown command.

jonolumb
2005-11-11, 02:10
> While you can run shutdown from within a setuid script, you do not want to create a setuid script for security reasons.
>
> What you can use is a script that contains
>
> sudo /sbin/shutdown now
>
> and add a line to /etc/sudoers that allows slimserver to run the shutdown command.

That's what I was looking for!
Thanks
Jono

jonolumb
2005-11-11, 08:53
OK, I have run into difficulties again.
I have edited the sudoers file using the visudo command.
This is it:

# See the sudoers man page for the details on how to write a sudoers file.
#

# Host alias specification

# User alias specification
User_Alias TRUSTED = slimserver
# Cmnd alias specification
Cmnd_Alias SHUTDOWN = /sbin/./shutdown -k now
# Defaults specification

# Runas alias specification

# User privilege specification
root ALL=(ALL) ALL
TRUSTED ALL=SHUTDOWN
# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL) ALL

# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL


The script I run is


#!/bin/sh
/sbin/./shutdown -k now


The console tells me-
shutdown: you must be root to do that!

From this I gather that the script file was executed correctly, that the shutdown command was run, but was then blocked because slimserver is still not recognised as being allowed to perform this command.
Any guidance?
Thanks
Jono

WildCoder
2005-11-11, 09:35
I'm not all that familiar with sudo but maybe you need to make your script like this:



#!/bin/sh
sudo /sbin/./shutdown -k now


-WildCoder

MrC
2005-11-11, 10:30
You can replace all the lines you added with this single line:

slimserver localhost=NOPASSWD: /sbin/shutdown -k now

Be sure that the command being executed is exactly:

"/sbin/shutdown -k now"

If it is not, use the "/sbin/./shutdown -k now" that you had. Sudo matches the exact command string.

And you must use the sudo command in your script, as mentioned by WildCoder.

jonolumb
2005-11-11, 11:10
OK- all that makes sense and I understand the sudo system much better now- however, when I execute
"sudo /sbin/shutdown -k now" when I am user "slimserver", I am still prompted for a password!
I can't understand why!!? There's even syntax in the sudoers file so that a password is not needed.
Thanks
Jono

max.spicer
2005-11-13, 08:36
Please post your latest sudoers file and the exact command that you are running.

Max


> OK- all that makes sense and I understand the sudo system much better now- however, when I execute
> "sudo /sbin/shutdown -k now" when I am user "slimserver", I am still prompted for a password!
> I can't understand why!!? There's even syntax in the sudoers file so that a password is not needed.
> Thanks
> Jono

jonolumb
2005-11-14, 02:03
ok - but I have to wait till this evening.
Cheers
Jono

jonolumb
2005-11-14, 11:05
OK, here's the command that is run.


#!/bin/sh
sudo /sbin/shutdown -k now


and here is the sudoers file


# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#

# Host alias specification

# User alias specification

# Cmnd alias specification

# Defaults specification

# Runas alias specification

# User privilege specification
root ALL=(ALL) ALL
slimserver localhost=NOPASSWD:/sbin/shutdown -k now
# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL) ALL

"/etc/sudoers.tmp" 30L, 619C

thanks
jono

MrC
2005-11-14, 12:12
You're missing a space:
slimserver localhost=NOPASSWD:/sbin/shutdown -k now

should be (quoted space for clarity - do not put quotes in):
slimserver localhost=NOPASSWD:" "/sbin/shutdown -k now

jonolumb
2005-11-14, 15:07
Hmmm... thanks for the suggestion- I've changed the syntax but it still prompts for password!!!??
Can't work this out
Anybody?

MrC
2005-11-14, 15:22
I'm sorry. I should have caught this earlier.

You don't want to place the command line arguments in the sudo file - just the command:


slimserver localhost=NOPASSWD:" "/sbin/shutdown

jonolumb
2005-11-15, 02:08
OK - I will have another go tonight
Thanks
Jonathan

jonolumb
2005-11-15, 10:18
:(
I'm afraid I'm still getting the prompt
This is a real pain !!!
Thanks for the help anyway :)
Jono

MrC
2005-11-15, 11:08
Ok, then, let's take another approach that will be easier.

If you are ok with any local user being able to shutdown your system (and unless you've changed things, they can anyway), just change the shutdown command to be setuid. From a root shell, issue the command:

chmod +s /sbin/shutdown

Now, anyone can run shutdown.

max.spicer
2005-11-15, 15:00
You're not. The space is optional. You don't need the "-k now" bit though.

Max


> You're missing a space:
> slimserver localhost=NOPASSWD:/sbin/shutdown -k now
>
> should be (quoted space for clarity - do not put quotes in):
> slimserver localhost=NOPASSWD:" "/sbin/shutdown -k now

max.spicer
2005-11-15, 15:04
My hunch here is that the localhost line is causing you problems. Try changing it to 127.0.0.1, or just to ALL. I doubt you're sharing your sudoers file between multiple computers, so saying ALL won't be any less secure.

slimserver ALL=NOPASSWD:/sbin/shutdown

Are you sure you're running as the user slimserver, by the way? Before you try typing "sudo", type "id". What does it say? Also, what does "sudo -l" return? Apologies if I'm being patronising - I don't know what your level of Linux is.

Max
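
Added example (not part of the thread, and not sudo's own code): a simplified shell model of how sudo matches one literal sudoers rule against the invoking user, the machine's hostname and the command line, covering the host-field hunch above and the effect of listing arguments in the rule. The function name `sudoers_check` and the hostname `musicbox.example.lan` are constructed for illustration.

```shell
#!/bin/sh
# Added example: a simplified model of how sudo evaluates ONE literal rule
#   user host=[NOPASSWD:]/path/to/cmd [args...]
# Not sudo's code. No aliases, wildcards, IP hosts, netgroups or Runas specs;
# the command path is compared as a plain string.
# Prints: nomatch | password | nopasswd
sudoers_check() {
    rule=$1; user=$2; host=$3; cmdline=$4   # host = output of `hostname`

    lhs=${rule%%=*}                 # "slimserver localhost"
    rhs=${rule#*=}                  # "NOPASSWD:/sbin/shutdown -k now"
    case $rhs in
        *NOPASSWD:*) verdict=nopasswd; rhs=${rhs#*NOPASSWD:} ;;
        *)           verdict=password ;;
    esac

    set -f                          # word-split without globbing
    set -- $lhs;     rule_user=$1; rule_host=$2
    set -- $rhs;     [ $# -gt 0 ] || { set +f; echo nomatch; return; }
    rule_cmd=$1; shift; rule_args=$*
    set -- $cmdline; [ $# -gt 0 ] || { set +f; echo nomatch; return; }
    run_cmd=$1;  shift; run_args=$*
    set +f

    [ "$rule_user" = "$user" ] || { echo nomatch; return; }
    # Host field: ALL, or this machine's hostname (short or fully qualified).
    [ "$rule_host" = ALL ] || [ "$rule_host" = "$host" ] ||
        [ "$rule_host" = "${host%%.*}" ] || { echo nomatch; return; }
    [ "$rule_cmd" = "$run_cmd" ] || { echo nomatch; return; }
    # No arguments in the rule: any arguments are allowed.
    # Arguments in the rule: the invocation must use exactly those.
    [ -z "$rule_args" ] || [ "$rule_args" = "$run_args" ] ||
        { echo nomatch; return; }
    echo "$verdict"
}

# Constructed sample: a server whose hostname is not "localhost".
HOST=musicbox.example.lan
for rule in \
    'slimserver localhost=NOPASSWD:/sbin/shutdown -k now' \
    'slimserver ALL=NOPASSWD:/sbin/shutdown -k now' \
    'slimserver ALL=NOPASSWD: /sbin/shutdown'
do
    for cmd in '/sbin/shutdown -k now' '/sbin/shutdown -h now'; do
        printf '%-52s %-22s -> %s\n' "$rule" "$cmd" \
            "$(sudoers_check "$rule" slimserver "$HOST" "$cmd")"
    done
done
```

A `nomatch` result still shows up as a password prompt, because sudo asks for the password before it reports that the command is not allowed. The rule without arguments also accepts `-h now`, so keep the arguments in the rule when the account should be limited to one exact invocation.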



jonolumb
2005-11-17, 06:49
> Are you sure you're running as the user slimserver, by the way? Before you try typing "sudo", type "id". What does it say? Also, what does "sudo -l" return? Apologies if I'm being patronising - I don't know what your level of Linux is.

You are certainly not wrong to patronise me - I know a fair amount of Linux but very little about sudo.
I'll check up on the "id" procedure when I get back home.
Thanks for your contributions - if this doesn't work, I'll try MrC's suggestion. I'm not fussed about giving all users shutdown privileges.
Jono