| 1 |
On Wed, Jun 19, 2019 at 3:19 PM Ian Zimmerman <itz@××××××××××××.org> wrote: |
| 2 |
> |
| 3 |
> On 2019-06-19 15:10, Jack wrote: |
| 4 |
> |
| 5 |
> > Won't "sudo halt" work? I frequently do "sudo reboor" or just |
| 6 |
> > "reboot" from a root shell. (I am also systemd free.) |
| 7 |
> |
| 8 |
> I would prefer to avoid sudo for security reasons (to get root I |
| 9 |
> normally login on an otherwise unused virtual console). But yes, I'm |
| 10 |
> pretty sure that would work. |
| 11 |
|
| 12 |
This certainly isn't the only way to accomplish your goal, but this is |
| 13 |
a pretty typical use of sudo. |
| 14 |
|
| 15 |
Note that sudo isn't limited to just giving users all-or-nothing |
| 16 |
access to run commands as root. You can give a particular user the |
| 17 |
ability to run a particular command line as root as well. So, you |
| 18 |
could give a user the ability to run shutdown/etc as root, perhaps |
| 19 |
with a specific set of parameters, and possibly without entering a |
| 20 |
password. The user wouldn't necessarily be able to do anything else. |
| 21 |
So, if that user were compromised it could only be used to shut down |
| 22 |
the system. That of course can be used as a DOS, but the same issue |
| 23 |
applies to your proposed solution. |
| 24 |
|
| 25 |
These days there are other ways to do the same - I'm sure you can do |
| 26 |
something like this with polkit if you're using a PID1 that can accept |
| 27 |
messages over dbus. I'm not sure if POSIX capabilities would be of |
| 28 |
use here - maybe to power off but I'm not sure they're granular enough |
| 29 |
to send signals to PID 1 and do an orderly shutdown. |
| 30 |
|
| 31 |
> |
| 32 |
> I'm also just curious what the intended prupose of the "halt" user is. |
| 33 |
|
| 34 |
My beard isn't quite that long, but I'm guessing it is more-or-less |
| 35 |
what you think it is. It just isn't fully implemented on Gentoo. I'm |
| 36 |
guessing that the default passwd file had it in there for |
| 37 |
compatibility to reserve the UID/etc. I doubt anything actually |
| 38 |
relies on these accounts these days. |
| 39 |
|
| 40 |
-- |
| 41 |
Rich |
Archives