ctrl-alt-delete reboot
See also Should halt call shutdown?
From: "Pedro Fonseca" <pedro.fonseca@netcabo.pt> Newsgroups: comp.os.linux.misc Subject: Re: Disableing halt/reboot/poweroff Date: Fri, 5 Oct 2001 16:22:41 +0100 References: <slrn9rrg4g.89.dhbrown@hobbes.dhbrown.net> X-MSMail-Priority: Normal "Dave Brown" <dhbrown@apm6-154.realtime.net> wrote in message news:slrn9rrg4g.89.dhbrown@hobbes.dhbrown.net... > To disable ctl-alt-del rebooting, edit /etc/inittab, commenting out the > line with "ctrlaltdel" in it. > > But, if you're interested in *security*, it starts with physical security. > If anyone can walk up to a server and use the keyboard, the server is not > secure... given physical access, a machine can be compromised. Eg., can't > prevent power-off if they can pull the plug; susceptible to rebooting from > diskette/cdrom in "rescue" mode; case not locked, pull the hard drive; etc. Absolutely right. I can't really lock the computer case in a safe box (that would be the only near 100% perfect solution to the problem), but I'm applying all the basic security measures, like password protect the BIOS setup, allow only the harddisk to boot, remove the lilo prompt, disabling CTRL-ALT-DEL and the halt command...
But... Of course you are very right: anyone can unplug the power cord from the machine! Best regards. -- ______________________________________________________________________ Pedro Fonseca (pedro.fonseca@iscte.pt) Mob.: (+351)964598357 http://www.pedrofonseca.com ADETTI/ISCTE (Instituto Superior de Ci�ncias do Trabalho e da Empresa) From - Fri Oct 5 14:47:33 2001 From: y00ns00@gmx.net (myosh) Newsgroups: comp.os.linux.misc Subject: Re: Disableing halt/reboot/poweroff Date: Fri, 05 Oct 2001 14:00:58 GMT On Fri, 5 Oct 2001 13:32:07 +0100, "Pedro Fonseca" <pedro.fonseca@netcabo.pt> wrote: > >Can anyone tell me how can I restrict the use of the halt/reboot/poweroff >comands and the ALT+CTRL+DEL key combination to the root user? > in my distro (suse) there is a file called /etc/inittab there you will find the line ca::ctrlaltdel:/sbin/shutdown -r -t 4 now (or similar) just comment this line with # and ctrl-alt-del is disabled. >server, without even having to log in, and any user whatsoever can use the >halt comand. > I wondered and tried it out. /sbin/halt says that you must be a superuser to execute it. greets myosh From - Fri Oct 5 14:47:33 2001 Newsgroups: comp.os.linux.misc From: dhbrown@apm6-154.realtime.net (Dave Brown) Subject: Re: Disableing halt/reboot/poweroff Date: 5 Oct 2001 09:34:10 -0500 X-Authenticated-User: dhbrown In article <9pk9mk$si9$1@venus.telepac.pt>, Pedro Fonseca wrote: > Can anyone tell me how can I restrict the use of the halt/reboot/poweroff > comands and the ALT+CTRL+DEL key combination to the root user? > > As it is right now, any user can pick up the keyboard and shut down the > server, without even having to log in, and any user whatsoever can use the > halt comand. To disable ctl-alt-del rebooting, edit /etc/inittab, commenting out the line with "ctrlaltdel" in it. But, if you're interested in *security*, it starts with physical security. If anyone can walk up to a server and use the keyboard, the server is not secure... given physical access, a machine can be compromised. Eg., can't prevent power-off if they can pull the plug; susceptible to rebooting from diskette/cdrom in "rescue" mode; case not locked, pull the hard drive; etc. -- Dave Brown Austin, TX From - Fri Oct 5 14:47:33 2001 From: "Pedro Fonseca" <pedro.fonseca@netcabo.pt> Newsgroups: comp.os.linux.misc Subject: Re: Disableing halt/reboot/poweroff Date: Fri, 5 Oct 2001 16:15:11 +0100 X-MSMail-Priority: Normal "myosh" <y00ns00@gmx.net> wrote in message news:3bbdbc3d.5388867@news.t-online.de... > in my distro (suse) there is a file called /etc/inittab > there you will find the line > ca::ctrlaltdel:/sbin/shutdown -r -t 4 now (or similar) > > just comment this line with # and ctrl-alt-del is disabled. OK! Just done this and CTRL-ALT-DEL is disabled. Thanks! > I wondered and tried it out. /sbin/halt says that you must be a > superuser to execute it. You are absolutely right! The halt command man page states that one must be the superuser to successfully execute that command. But, despite what the man page says, an unpriviledged account can shutdown the server with that command! I'm sure because I've just tried it again... My distro is Red Hat 7.1. Any thoughts on how I disable unpriviledged accounts access to this command? Perhaps chmod halt to 700? But wouldn't this cause other problems? -- ______________________________________________________________________ Pedro Fonseca (pedro.fonseca@iscte.pt) Mob.: (+351)964598357 http://www.pedrofonseca.com ADETTI/ISCTE (Instituto Superior de Ci�ncias do Trabalho e da Empresa) From - Fri Oct 5 14:47:33 2001 From: bob@this-is.invalid (Bob Hauck) Newsgroups: comp.os.linux.misc Subject: Re: Disableing halt/reboot/poweroff Date: Fri, 05 Oct 2001 16:43:42 GMT On Fri, 5 Oct 2001 16:15:11 +0100, Pedro Fonseca <pedro.fonseca@netcabo.pt> wrote: >You are absolutely right! The halt command man page states that one must be >the superuser to successfully execute that command. But, despite what the >man page says, an unpriviledged account can shutdown the server with that >command! Does your distro make it SUID? Just changing perms to 700 ought to fix that. -- -| Bob Hauck -| Codem Systems, Inc. -| http://www.codem.com/ From - Fri Oct 5 14:47:34 2001 From: "Vladimir Florinski" <vflorins@citrus.ucr.edu> Newsgroups: comp.os.linux.misc Subject: Re: Disableing halt/reboot/poweroff Date: Fri, 05 Oct 2001 11:00:24 -0700 In article <slrn9rrops.4g.bob@hauck.codem.com>, "Bob Hauck" <bob@this-is.invalid> wrote: > On Fri, 5 Oct 2001 16:15:11 +0100, Pedro Fonseca > <pedro.fonseca@netcabo.pt> wrote: > >>You are absolutely right! The halt command man page states that one must >>be the superuser to successfully execute that command. But, despite what >>the man page says, an unpriviledged account can shutdown the server with >>that command! > > Does your distro make it SUID? Just changing perms to 700 ought to fix > that. No, this is considerably more complex than you think. First of all, there are two "halt" or "poweroff" commands. One is in /sbin and the other is in /usr/bin. The /sbin/halt can indeed only be executed by root. The other is a symbolic link to the consolehelper program which checks if a user is authorised to run the real halt. Access control is maintained through PAM, specifically, see the files in /etc/pam.d/ and /etc/security/console.apps/ -- Vladimir From - Fri Oct 5 14:47:34 2001 From: Markku Kolkka <markku.kolkka@koti.tpo.fi> Newsgroups: comp.os.linux.misc Subject: Re: Disableing halt/reboot/poweroff Date: 05 Oct 2001 21:22:11 +0300 "Pedro Fonseca" <pedro.fonseca@netcabo.pt> writes: > "myosh" <y00ns00@gmx.net> wrote in message > > I wondered and tried it out. /sbin/halt says that you must be a > > superuser to execute it. Yes, but RH has /usr/bin/halt which is a symlink to /usr/bin/consolehelper. consolehelper allows regular users to perform certain privileged commands, e.g poweroff or reboot. > My distro is Red Hat > 7.1. Any thoughts on how I disable unpriviledged accounts access to this > command? Edit /etc/pam.d/halt (see man consolehelper and PAM docs). -- Markku Kolkka markku.kolkka@iki.fi From - Fri Oct 5 14:47:34 2001 From: y00ns00@gmx.net (myosh) Newsgroups: comp.os.linux.misc Subject: Re: Disableing halt/reboot/poweroff Date: Fri, 05 Oct 2001 18:35:47 GMT On 05 Oct 2001 21:22:11 +0300, Markku Kolkka <markku.kolkka@koti.tpo.fi> wrote: >Yes, but RH has /usr/bin/halt which is a symlink to >/usr/bin/consolehelper. consolehelper allows regular users to perform >certain privileged commands, e.g poweroff or reboot. > i see. thx for the info. Seems to me being a possible security leak ?? Something like sudo, i guess. Anyway, for all who are interested in security : http://www.sans.org/top20.htm greets myosh
Got something to add? Send me email.
(OLDER) <- More Stuff -> (NEWER) (NEWEST)
Printer Friendly Version
-> -> ctrl-alt-delete reboot ––>Re: Disableinghalt/reboot/poweroff
Increase ad revenue 50-250% with Ezoic
Inexpensive and informative Apple related e-books:
Take Control of iCloud
Are Your Bits Flipped?
Photos for Mac: A Take Control Crash Course
Take Control of Apple Mail, Third Edition
Take Control of Upgrading to Yosemite
Printer Friendly Version
Have you tried Searching this site?
Unix/Linux/Mac OS X support by phone, email or on-site: Support Rates
This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more.
Contact us
Printer Friendly Version