Forbid some users to poweroff and reboot the system.

Only root is able to do that. So, don't give them root access?
 
If you give them root access they can do anything and everything.
 
SirDice said:
If you give them root access they can do anything and everything.
Click to expand...
Ok, then i have a more specified question, how can i allow the user to poweroff the system and forbid to reboot it? i have already searched throuth the login.conf and didn't find anything connected with this...
 
Yes. With sudo. You can disallow commands in the /usr/local/etc/sudoers file. Just make sure to exclude commands that allow them to get root. For example: sudo su or sudo visudo or sudo any shell on the system.
 
AlexRyshkov said:
Ok, then i have a more specified question, how can i allow the user to poweroff the system and forbid to reboot it? i have already searched throuth the login.conf and didn't find anything connected with this...
Click to expand...


Install security/doas, refer to doas(1) and doas.conf(5), then touch a /usr/local/etc/doas.conf file, with a content similar to this:

Code: 
permit nopass keepenv :wheel
deny username as root cmd reboot

This will allow members of wheel group to execute commands with elevated privileges, keeping their default environmental variables (instead of acquiring root's), and without being prompted for a password. The $user specified after 'deny' will be hold back from executing /sbin/reboot even when passing doas beforehand and returned a doas: Operation not permitted error after a failed attempt. If any of those settings is not ok fro you, just remove 'nopass', 'keepenv', replace the group, etc...

Now uninstall sudo (and use doas from this point on if this is ok for you), or edit sudoers in order to prevent the interested UID/GID from using sudo at all

If you wanted to forbid poweroff too, you could also just exclude /sbin folder from interested user's $PATH, while running doas:

Code: 
permit setenv { -ENV PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin/bin} username as root
 
AlexRyshkov said:
Yeah, but is there the way to user have root access and do not being allowed these commands?)
Click to expand...
AlexRyshkov said:
Ok, then i have a more specified question, how can i allow the user to poweroff the system and forbid to reboot it? i have already searched throuth the login.conf and didn't find anything connected with this...
Click to expand...

Add the user to the operator group with you want that to be able to use shutdown(8). :)

That will not prevent them to reboot but you can do that in the way Sensucht94 already told you.
 
security/sudo can also acomplish this. In sudo example, the access to various root commands can be fully specified; ie /sbin/shutdown -p now will only allow shutdown/poweroff. I'm not sure doas is as specific. You can also create a user shutdown group and have more control over which users can shutdown.
 
Still, despite the fact that these are all legit solutions they also ignore one very important aspect: if you don't trust someone to use the right command(s) then you shouldn't be giving them root access in the first place. Not even through some nifty tool such as Sudo or DoAs.

Security begins with applying a legit security scheme. And trying to deny a root user access to specific aspects of system management isn't one because basically it's not possible to do so (note: not even with those tools; you're not restricting the root user, you're handing limited privileged access to regular users).

I'm well aware that this may seem like nitpicking, but it's just the kind of nitpicking you have to do if you're after server security.
 
You must log in or register to reply here.
Back
Top