APLawrence.com - Resources for Unix and Linux Systems, Bloggers and the self-employed

ctrl-alt-delete reboot

See also Should halt call shutdown?




From: "Pedro Fonseca" <pedro.fonseca@netcabo.pt>
Newsgroups: comp.os.linux.misc
Subject: Re: Disableing halt/reboot/poweroff
Date: Fri, 5 Oct 2001 16:22:41 +0100
References: <slrn9rrg4g.89.dhbrown@hobbes.dhbrown.net> 
X-MSMail-Priority: Normal

"Dave Brown" <dhbrown@apm6-154.realtime.net> wrote in message
news:slrn9rrg4g.89.dhbrown@hobbes.dhbrown.net...
> To disable ctl-alt-del rebooting, edit /etc/inittab, commenting out the
> line with "ctrlaltdel" in it.
>
> But, if you're interested in *security*, it starts with physical security.
> If anyone can walk up to a server and use the keyboard, the server is not
> secure... given physical access, a machine can be compromised.  Eg., can't
> prevent power-off if they can pull the plug; susceptible to rebooting from
> diskette/cdrom in "rescue" mode; case not locked, pull the hard drive;
etc.

Absolutely right. I can't really lock the computer case in a safe box (that
would be the only near 100% perfect solution to the problem), but I'm
applying all the basic security measures, like password protect the BIOS
setup, allow only the harddisk to boot, remove the lilo prompt, disabling
CTRL-ALT-DEL and the halt command...




But... Of course you are very right: anyone can unplug the power cord from
the machine!
Best regards.

--
______________________________________________________________________
Pedro Fonseca (pedro.fonseca@iscte.pt)
Mob.: (+351)964598357
http://www.pedrofonseca.com
ADETTI/ISCTE (Instituto Superior de Ci�ncias do Trabalho e da Empresa)


From - Fri Oct  5 14:47:33 2001
From: y00ns00@gmx.net (myosh)
Newsgroups: comp.os.linux.misc
Subject: Re: Disableing halt/reboot/poweroff
Date: Fri, 05 Oct 2001 14:00:58 GMT

On Fri, 5 Oct 2001 13:32:07 +0100, "Pedro Fonseca"
<pedro.fonseca@netcabo.pt> wrote:
>
>Can anyone tell me how can I restrict the use of the halt/reboot/poweroff
>comands and the ALT+CTRL+DEL key combination to the root user?
>

in my distro (suse) there is a file called /etc/inittab


there you will find the line

ca::ctrlaltdel:/sbin/shutdown -r -t 4 now (or similar)

just comment this line with # and ctrl-alt-del is disabled.

>server, without even having to log in, and any user whatsoever can use the
>halt comand.
>

I wondered and tried it out. /sbin/halt says that you must be a
superuser to execute it.

greets

myosh
From - Fri Oct  5 14:47:33 2001
Newsgroups: comp.os.linux.misc
From: dhbrown@apm6-154.realtime.net (Dave Brown)
Subject: Re: Disableing halt/reboot/poweroff
Date: 5 Oct 2001 09:34:10 -0500
X-Authenticated-User: dhbrown

In article <9pk9mk$si9$1@venus.telepac.pt>, Pedro Fonseca wrote:
> Can anyone tell me how can I restrict the use of the halt/reboot/poweroff
> comands and the ALT+CTRL+DEL key combination to the root user?
> 
> As it is right now, any user can pick up the keyboard and shut down the
> server, without even having to log in, and any user whatsoever can use the
> halt comand.

To disable ctl-alt-del rebooting, edit /etc/inittab, commenting out the 
line with "ctrlaltdel" in it.

But, if you're interested in *security*, it starts with physical security.
If anyone can walk up to a server and use the keyboard, the server is not 
secure... given physical access, a machine can be compromised.  Eg., can't 
prevent power-off if they can pull the plug; susceptible to rebooting from 
diskette/cdrom in "rescue" mode; case not locked, pull the hard drive; etc. 

-- 
Dave Brown  Austin, TX
From - Fri Oct  5 14:47:33 2001
From: "Pedro Fonseca" <pedro.fonseca@netcabo.pt>
Newsgroups: comp.os.linux.misc
Subject: Re: Disableing halt/reboot/poweroff
Date: Fri, 5 Oct 2001 16:15:11 +0100
X-MSMail-Priority: Normal

"myosh" <y00ns00@gmx.net> wrote in message
news:3bbdbc3d.5388867@news.t-online.de...
> in my distro (suse) there is a file called /etc/inittab
> there you will find the line
> ca::ctrlaltdel:/sbin/shutdown -r -t 4 now (or similar)
>
> just comment this line with # and ctrl-alt-del is disabled.

OK! Just done this and CTRL-ALT-DEL is disabled. Thanks!

> I wondered and tried it out. /sbin/halt says that you must be a
> superuser to execute it.

You are absolutely right! The halt command man page states that one must be
the superuser to successfully execute that command. But, despite what the
man page says, an unpriviledged account can shutdown the server with that
command! I'm sure because I've just tried it again... My distro is Red Hat
7.1. Any thoughts on how I disable unpriviledged accounts access to this
command? Perhaps chmod halt to 700? But wouldn't this cause other problems?

--
______________________________________________________________________
Pedro Fonseca (pedro.fonseca@iscte.pt)
Mob.: (+351)964598357
http://www.pedrofonseca.com
ADETTI/ISCTE (Instituto Superior de Ci�ncias do Trabalho e da Empresa)


From - Fri Oct  5 14:47:33 2001
From: bob@this-is.invalid (Bob Hauck)
Newsgroups: comp.os.linux.misc
Subject: Re: Disableing halt/reboot/poweroff
Date: Fri, 05 Oct 2001 16:43:42 GMT

On Fri, 5 Oct 2001 16:15:11 +0100, Pedro Fonseca <pedro.fonseca@netcabo.pt>
wrote:

>You are absolutely right! The halt command man page states that one must be
>the superuser to successfully execute that command. But, despite what the
>man page says, an unpriviledged account can shutdown the server with that
>command!

Does your distro make it SUID?  Just changing perms to 700 ought to fix 
that.

-- 
 -| Bob Hauck
 -| Codem Systems, Inc.
 -| http://www.codem.com/
From - Fri Oct  5 14:47:34 2001
From: "Vladimir Florinski" <vflorins@citrus.ucr.edu>
Newsgroups: comp.os.linux.misc
Subject: Re: Disableing halt/reboot/poweroff
Date: Fri, 05 Oct 2001 11:00:24 -0700

In article <slrn9rrops.4g.bob@hauck.codem.com>, "Bob Hauck"
<bob@this-is.invalid> wrote:

> On Fri, 5 Oct 2001 16:15:11 +0100, Pedro Fonseca
> <pedro.fonseca@netcabo.pt> wrote:
> 
>>You are absolutely right! The halt command man page states that one must
>>be the superuser to successfully execute that command. But, despite what
>>the man page says, an unpriviledged account can shutdown the server with
>>that command!
> 
> Does your distro make it SUID?  Just changing perms to 700 ought to fix
> that.

No, this is considerably more complex than you think. First of all, there
are two "halt" or "poweroff" commands. One is in /sbin and the other is in
/usr/bin. The /sbin/halt can indeed only be executed by root. The other is
a symbolic link to the consolehelper program which checks if a user is
authorised to run the real halt. Access control is maintained through PAM,
specifically, see the files in /etc/pam.d/ and /etc/security/console.apps/

-- 
Vladimir
From - Fri Oct  5 14:47:34 2001
From: Markku Kolkka <markku.kolkka@koti.tpo.fi>
Newsgroups: comp.os.linux.misc
Subject: Re: Disableing halt/reboot/poweroff
Date: 05 Oct 2001 21:22:11 +0300

"Pedro Fonseca" <pedro.fonseca@netcabo.pt> writes:
> "myosh" <y00ns00@gmx.net> wrote in message
> > I wondered and tried it out. /sbin/halt says that you must be a
> > superuser to execute it.

Yes, but RH has /usr/bin/halt which is a symlink to
/usr/bin/consolehelper. consolehelper allows regular users to perform
certain privileged commands, e.g poweroff or reboot.

> My distro is Red Hat
> 7.1. Any thoughts on how I disable unpriviledged accounts access to this
> command?

Edit /etc/pam.d/halt (see man consolehelper and PAM docs).

-- 
        Markku Kolkka
        markku.kolkka@iki.fi
From - Fri Oct  5 14:47:34 2001
From: y00ns00@gmx.net (myosh)
Newsgroups: comp.os.linux.misc
Subject: Re: Disableing halt/reboot/poweroff
Date: Fri, 05 Oct 2001 18:35:47 GMT

On 05 Oct 2001 21:22:11 +0300, Markku Kolkka
<markku.kolkka@koti.tpo.fi> wrote:

>Yes, but RH has /usr/bin/halt which is a symlink to
>/usr/bin/consolehelper. consolehelper allows regular users to perform
>certain privileged commands, e.g poweroff or reboot.
>

i see. thx for the info. Seems to me being a possible security leak ??
Something like sudo, i guess.

Anyway, for all who are interested in security :

http://www.sans.org/top20.htm

greets

myosh


Got something to add? Send me email.





(OLDER)    <- More Stuff -> (NEWER)    (NEWEST)   

Printer Friendly Version

-> -> ctrl-alt-delete reboot ––>Re: Disableinghalt/reboot/poweroff



Increase ad revenue 50-250% with Ezoic

Kerio Connect Mailserver

Kerio Samepage

Kerio Control Firewall

Have you tried Searching this site?

Unix/Linux/Mac OS X support by phone, email or on-site: Support Rates

This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more.

Contact us





I think it’s a new feature. Don’t tell anyone it was an accident. (Larry Wall)





This post tagged: