Get APLawrence.com by RSS(OLDER) <- More Stuff -> (NEWER) (NEWEST)
Home > News Posts > ctrl-alt-delete reboot ––>Re: Disableinghalt/reboot/poweroff
Printer Friendly Version
News Group Posts
ctrl-alt-delete reboot
See also Should halt call shutdown?
From: "Pedro Fonseca" <pedro.fonseca@netcabo.pt> Newsgroups: comp.os.linux.misc Subject: Re: Disableing halt/reboot/poweroff Date: Fri, 5 Oct 2001 16:22:41 +0100 Message-ID: <9pkjms$4pl$1@venus.telepac.pt> References: <9pk9mk$si9$1@venus.telepac.pt>
<slrn9rrg4g.89.dhbrown@hobbes.dhbrown.net> X-MSMail-Priority: Normal "Dave Brown" <dhbrown@apm6-154.realtime.net> wrote in message news:slrn9rrg4g.89.dhbrown@hobbes.dhbrown.net... > To disable ctl-alt-del rebooting, edit /etc/inittab, commenting out the > line with "ctrlaltdel" in it. > > But, if you're interested in *security*, it starts with physical security. > If anyone can walk up to a server and use the keyboard, the server is not > secure... given physical access, a machine can be compromised. Eg., can't > prevent power-off if they can pull the plug; susceptible to rebooting from > diskette/cdrom in "rescue" mode; case not locked, pull the hard drive; etc. Absolutely right. I can't really lock the computer case in a safe box (that would be the only near 100% perfect solution to the problem), but I'm applying all the basic security measures, like password protect the BIOS setup, allow only the harddisk to boot, remove the lilo prompt, disabling CTRL-ALT-DEL and the halt command...
But... Of course you are very right: anyone can unplug the power cord from the machine! Best regards. -- ______________________________________________________________________ Pedro Fonseca (pedro.fonseca@iscte.pt) Mob.: (+351)964598357 http://www.pedrofonseca.com ADETTI/ISCTE (Instituto Superior de Ci�ncias do Trabalho e da Empresa) From - Fri Oct 5 14:47:33 2001 From: y00ns00@gmx.net (myosh) Newsgroups: comp.os.linux.misc Subject: Re: Disableing halt/reboot/poweroff Date: Fri, 05 Oct 2001 14:00:58 GMT Message-ID: <3bbdbc3d.5388867@news.t-online.de> References: <9pk9mk$si9$1@venus.telepac.pt> On Fri, 5 Oct 2001 13:32:07 +0100, "Pedro Fonseca" <pedro.fonseca@netcabo.pt> wrote: > >Can anyone tell me how can I restrict the use of the halt/reboot/poweroff >comands and the ALT+CTRL+DEL key combination to the root user? > in my distro (suse) there is a file called /etc/inittab
there you will find the line ca::ctrlaltdel:/sbin/shutdown -r -t 4 now (or similar) just comment this line with # and ctrl-alt-del is disabled. >server, without even having to log in, and any user whatsoever can use the >halt comand. > I wondered and tried it out. /sbin/halt says that you must be a superuser to execute it. greets myosh From - Fri Oct 5 14:47:33 2001 Newsgroups: comp.os.linux.misc From: dhbrown@apm6-154.realtime.net (Dave Brown) Subject: Re: Disableing halt/reboot/poweroff References: <9pk9mk$si9$1@venus.telepac.pt> Message-ID: <slrn9rrg4g.89.dhbrown@hobbes.dhbrown.net> Date: 5 Oct 2001 09:34:10 -0500 X-Authenticated-User: dhbrown In article <9pk9mk$si9$1@venus.telepac.pt>, Pedro Fonseca wrote: > Can anyone tell me how can I restrict the use of the halt/reboot/poweroff > comands and the ALT+CTRL+DEL key combination to the root user? > > As it is right now, any user can pick up the keyboard and shut down the > server, without even having to log in, and any user whatsoever can use the > halt comand. To disable ctl-alt-del rebooting, edit /etc/inittab, commenting out the line with "ctrlaltdel" in it. But, if you're interested in *security*, it starts with physical security. If anyone can walk up to a server and use the keyboard, the server is not secure... given physical access, a machine can be compromised. Eg., can't prevent power-off if they can pull the plug; susceptible to rebooting from diskette/cdrom in "rescue" mode; case not locked, pull the hard drive; etc. -- Dave Brown Austin, TX From - Fri Oct 5 14:47:33 2001 From: "Pedro Fonseca" <pedro.fonseca@netcabo.pt> Newsgroups: comp.os.linux.misc Subject: Re: Disableing halt/reboot/poweroff Date: Fri, 5 Oct 2001 16:15:11 +0100 Message-ID: <9pkj8f$477$1@venus.telepac.pt> References: <9pk9mk$si9$1@venus.telepac.pt>
<slrn9rrg4g.89.dhbrown@hobbes.dhbrown.net> X-MSMail-Priority: Normal "myosh" <y00ns00@gmx.net> wrote in message news:3bbdbc3d.5388867@news.t-online.de... > in my distro (suse) there is a file called /etc/inittab > there you will find the line > ca::ctrlaltdel:/sbin/shutdown -r -t 4 now (or similar) > > just comment this line with # and ctrl-alt-del is disabled. OK! Just done this and CTRL-ALT-DEL is disabled. Thanks! > I wondered and tried it out. /sbin/halt says that you must be a > superuser to execute it. You are absolutely right! The halt command man page states that one must be the superuser to successfully execute that command. But, despite what the man page says, an unpriviledged account can shutdown the server with that command! I'm sure because I've just tried it again... My distro is Red Hat 7.1. Any thoughts on how I disable unpriviledged accounts access to this command? Perhaps chmod halt to 700? But wouldn't this cause other problems? -- ______________________________________________________________________ Pedro Fonseca (pedro.fonseca@iscte.pt) Mob.: (+351)964598357 http://www.pedrofonseca.com ADETTI/ISCTE (Instituto Superior de Ci�ncias do Trabalho e da Empresa) From - Fri Oct 5 14:47:33 2001 From: bob@this-is.invalid (Bob Hauck) Newsgroups: comp.os.linux.misc Subject: Re: Disableing halt/reboot/poweroff References: <9pk9mk$si9$1@venus.telepac.pt>
<slrn9rrg4g.89.dhbrown@hobbes.dhbrown.net>
<9pkj8f$477$1@venus.telepac.pt> Message-Id: <slrn9rrops.4g.bob@hauck.codem.com> Date: Fri, 05 Oct 2001 16:43:42 GMT On Fri, 5 Oct 2001 16:15:11 +0100, Pedro Fonseca <pedro.fonseca@netcabo.pt> wrote: >You are absolutely right! The halt command man page states that one must be >the superuser to successfully execute that command. But, despite what the >man page says, an unpriviledged account can shutdown the server with that >command! Does your distro make it SUID? Just changing perms to 700 ought to fix that. -- -| Bob Hauck -| Codem Systems, Inc. -| http://www.codem.com/ From - Fri Oct 5 14:47:34 2001 From: "Vladimir Florinski" <vflorins@citrus.ucr.edu> Newsgroups: comp.os.linux.misc Subject: Re: Disableing halt/reboot/poweroff Date: Fri, 05 Oct 2001 11:00:24 -0700 Message-ID: <9pksnc$eub$1@glue.ucr.edu> References: <9pk9mk$si9$1@venus.telepac.pt>
<slrn9rrg4g.89.dhbrown@hobbes.dhbrown.net>
<9pkj8f$477$1@venus.telepac.pt>
<slrn9rrops.4g.bob@hauck.codem.com> In article <slrn9rrops.4g.bob@hauck.codem.com>, "Bob Hauck" <bob@this-is.invalid> wrote: > On Fri, 5 Oct 2001 16:15:11 +0100, Pedro Fonseca > <pedro.fonseca@netcabo.pt> wrote: > >>You are absolutely right! The halt command man page states that one must >>be the superuser to successfully execute that command. But, despite what >>the man page says, an unpriviledged account can shutdown the server with >>that command! > > Does your distro make it SUID? Just changing perms to 700 ought to fix > that. No, this is considerably more complex than you think. First of all, there are two "halt" or "poweroff" commands. One is in /sbin and the other is in /usr/bin. The /sbin/halt can indeed only be executed by root. The other is a symbolic link to the consolehelper program which checks if a user is authorised to run the real halt. Access control is maintained through PAM, specifically, see the files in /etc/pam.d/ and /etc/security/console.apps/ -- Vladimir From - Fri Oct 5 14:47:34 2001 From: Markku Kolkka <markku.kolkka@koti.tpo.fi> Newsgroups: comp.os.linux.misc Subject: Re: Disableing halt/reboot/poweroff Date: 05 Oct 2001 21:22:11 +0300 Message-ID: <m38zeq7xrg.fsf@localhost.localdomain> References: <9pk9mk$si9$1@venus.telepac.pt>
<slrn9rrg4g.89.dhbrown@hobbes.dhbrown.net>
<9pkj8f$477$1@venus.telepac.pt> "Pedro Fonseca" <pedro.fonseca@netcabo.pt> writes: > "myosh" <y00ns00@gmx.net> wrote in message > > I wondered and tried it out. /sbin/halt says that you must be a > > superuser to execute it. Yes, but RH has /usr/bin/halt which is a symlink to /usr/bin/consolehelper. consolehelper allows regular users to perform certain privileged commands, e.g poweroff or reboot. > My distro is Red Hat > 7.1. Any thoughts on how I disable unpriviledged accounts access to this > command? Edit /etc/pam.d/halt (see man consolehelper and PAM docs). -- Markku Kolkka markku.kolkka@iki.fi From - Fri Oct 5 14:47:34 2001 From: y00ns00@gmx.net (myosh) Newsgroups: comp.os.linux.misc Subject: Re: Disableing halt/reboot/poweroff Date: Fri, 05 Oct 2001 18:35:47 GMT Message-ID: <3bbdfc98.2165206@news.t-online.de> References: <9pk9mk$si9$1@venus.telepac.pt>
<slrn9rrg4g.89.dhbrown@hobbes.dhbrown.net>
<9pkj8f$477$1@venus.telepac.pt>
<m38zeq7xrg.fsf@localhost.localdomain> On 05 Oct 2001 21:22:11 +0300, Markku Kolkka <markku.kolkka@koti.tpo.fi> wrote: >Yes, but RH has /usr/bin/halt which is a symlink to >/usr/bin/consolehelper. consolehelper allows regular users to perform >certain privileged commands, e.g poweroff or reboot. > i see. thx for the info. Seems to me being a possible security leak ?? Something like sudo, i guess. Anyway, for all who are interested in security : http://www.sans.org/top20.htm greets myosh
If this page was useful to you, please click to help others find it:
Your +1's can help friends, contacts, and others on the web find the best stuff when they search.
Inexpensive and informative Apple related e-books:
Take Control of Speeding Up Your Mac
Customizing Panther (Leopard version also available)
Permissions in Snow Leopard
Users &Accounts in Tiger (Leopard version also available)
Running Windows on a Mac, Fourth Edition
Have you tried Searching this site?
Unix/Linux/Mac OS X support by phone, email or on-site: Support Rates
This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more. We appreciate comments and article submissions.
Many of the products and books I review are things I purchased for my own use. Some were given to me specifically for the purpose of reviewing them. I resell or can earn commissions from the sale of some of these items. Links within these pages may be affiliate links that pay me for referring you to them. That's mostly insignificant amounts of money; whenever it is not I have made my relationship plain. I also may own stock in companies mentioned here. If you have any question, please do feel free to contact me.
Specific links that take you to pages that allow you to purchase the item I reviewed are very likely to pay me a commission. Many of the books I review were given to me by the publishers specifically for the purpose of writing a review. These gifts and referral fees do not affect my opinions; I often give bad reviews anyway.
We use Google third-party advertising companies to serve ads when you visit our website. These companies may use information (not including your name, address, email address, or telephone number) about your visits to this and other websites in order to provide advertisements about goods and services of interest to you. If you would like more information about this practice and to know your choices about not having this information used by these companies, click here.
Click here to add your comments
Don't miss responses! Subscribe to Comments by RSS or by Email
Click here to add your comments
If you want a picture to show with your comment, go get a Gravatar