shutdown permission to user

lezde716

lezde716

Hi guys...

I'm new to freebsd. I want to give permission to a user only shutdown or rebooting. how do I do this. Please help.
 
depends on how you want to do that, and what desktop environment you use
Personally I use sudo

make group users, add users to this group
in sudofile (using visudo) add
Code: 
%users  ALL = (ALL) NOPASSWD: /sbin/shutdown -p now
%users  ALL = (ALL) NOPASSWD: /sbin/shutdown -r now

now users can shutdown/reboot with $ sudo sbin/shutdown -p now or $ sudo sbin/shutdown -r now
you can integrate this in your Window Manger / Desktop Environment as menu item
 
Or you can avoid using third-party applications, but then you must be a member of the operator group:
# pw group mod operator -m lezde
Check the handbook.

% shutdown -p now will work now.
 
I have a user that belongs to operator group on a FreeBSD 11.1 installation, the user is able to shutdown the system with:

Code: 
% shutdown -p now

But reboot give permission denied error
Code: 
% reboot
reboot: Operation not permitted
 
alx82 said:
But reboot give permission denied error
Click to expand...
Easily explained:

Code: 
peter@unicron:/home/peter $ ls -l /sbin/shutdown
-r-sr-xr--  2 root  operator  17288 Mar 25 11:27 /sbin/shutdown*
peter@unicron:/home/peter $ ls -l /sbin/reboot
-r-xr-xr-x  4 root  wheel  11008 Mar 25 11:27 /sbin/reboot*
The only trick being done here is that shutdown has been set up with suid (set userid bit) while it's owned by root. As a direct result anyone who executes that program will do so as root. As a precaution they set the permission bits to 554 so that only root and the operator group can execute it.

But reboot doesn't follow the same logic.

You could override this behavior by issuing # chmod 4554 /sbin/reboot && chgrp operator /sbin/reboot but I'm not too sure if that's a good idea. If other processes not owned by root rely on reboot then you could easily break things.

The other problem is that these permissions are likely going to get reset as soon as you upgrade the system.
 
I don't understand why reboot and shutdown have different permission bits and different group ownership, this is a bit counter-intuitive.
 
Can't really explain that one either. My guess is because both programs do essentially different things. Reboot can actually change your system (for example by telling it to boot a different kernel) whereas shutdown merely does just that.

It does seem a little inconsistent but even so: direct use of reboot is usually a bad idea anyway, so it's not that problematic to reserve its use only for system administrators.
 
alx82 said:
I have a user that belongs to operator group on a FreeBSD 11.1 installation, the user is able to shutdown the system with:

Code: 
% shutdown -p now

But reboot give permission denied error
Code: 
% reboot
reboot: Operation not permitted
Click to expand...

Any reason you require to use reboot? Why not shutdown -r now?
 
No special reason, I was just wondering, since I typed that command and it gave me permission denied, I used to think that the group operator was enough.
 
You must log in or register to reply here.
Back
Top