Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

system shutdown by regular users

0 views
Skip to first unread message

Jochen Hartmann

unread,
Jul 24, 2001, 5:11:27 AM7/24/01
to
Hi,

I have a Unixware 7 Server running and want to give some users the ability
to shut down and/or restart the server without giving them access to the
root account. Is there a way to do this - any time I try to do init or
shutdown as a normal user I get the message "not priviliged", even though I
have given that user shutdown privilege using the account manager.

Any ideas ?

Thanks, Jochen

Chad Johnson

unread,
Jul 24, 2001, 9:53:14 AM7/24/01
to
Hope this helps.

URL: http://www.sco.com/cgi-bin/ssl_reference?106493
TA #: 106493
----------------------------------------------------------------------------
----
Creating a user that shuts down the system in SCO UNIX System V/386.

--------------------------------------------------------------------------

Keywords
C2 asroot shutdown haltsys superuser root creating user system unix
sls unx257 account login
Note
Support Level Supplement (SLS) UNX257C is now obsolete. This SLS is
no longer available through SCO.

Release
SCO UNIX System V/386 Release 3.2 Operating System Version 2.0
(with unx257 installed)
SCO Open Desktop 1.1.0 or 1.1.1
SCO UNIX System V/386 Release 3.2 Version 4.0

Problem
How do I create a user that shuts down the system in SCO UNIX.

Solution
Follow the steps outlined in asroot(ADM).

Method A-
Use the documentation for asroot(ADM).

The "shutdown" authorization allows an ordinary user with this
authorization to shut down the machine using the following command:

/tcb/bin/asroot shutdown -g0 -y

This may be preferable to the special account created below.

Method B-
1. Log in as root in System Maintenance mode.
2. Using sysadmsh Accounts->User->Create, create a user with the
name "shutdown":
Select 'NO' to Modify defaults?
Assign a password to shutdown
3. Create a file /usr/shutdown/<filename> with the following
line:
/tcb/bin/asroot shutdown -g0 -y
The shutdown time option (0 in the example above) may be
whatever
you choose. Change the permissions and owner as follows:
chmod 700 <filename>
chown shutdown <filename>
4. Using sysadmsh Accounts->User->Examine, select "Identity".
Change the login shell to "/usr/shutdown/<filename>".
Select <Keep> Home directory.
Save the changes.

Then select "Privileges".
Choose "Subsystem".
Then select "Specify".
Add the "shutdown" authorization.

5. If you want shutdown to be automatic, add the following line
to the file /etc/default/su.
ASROOTPW=NO
NOTE: The file /etc/default/su may need to be created. If this file
is not amended, the shutdown user will be prompted for their
password a second time, when they log in.
6. A user may now shut down the system by logging in as "shutdown".

--------------------------------------------------------------------------
TA106493 created on 09 May 1991 , last updated on 04 August 1997
SSL #: 480965 IT #: os965


"Jochen Hartmann" <j.har...@campus-computer-center.de> wrote in message
news:9jje47$fhu$06$1...@news.t-online.com...

Jochen Hartmann

unread,
Jul 24, 2001, 11:03:02 AM7/24/01
to
Hi,

unfortunately, the asroot command (which I used with Open Server) is no
longer available on UnixWare 7, so that didn't help. Thanks anyway, and
maybe there are other suggestions around.

Jochen


Roberto Zini

unread,
Jul 24, 2001, 12:18:50 PM7/24/01
to

Well, we don't like "asroot" under UnixWare7 :-) but we do
like alternative commands such as tfadmin, adminrole and
things.

See the following excerpts from Matt Schalit's FAQ (keep up
the good work pal !)

=== cut here === 8< ===

6.4 What are privileges?
7 Dec 1999
--------------------------------------
Users need to be granted the privilege to run important system commands
like kill, shutdown, and ifconfig. Privileges are an additional way,
besides permissions, to control who can run sensitive commands like
shutdown and ifconfig. By using privileges, root can grant the right
to run a command or group of commands, rather than give out the root
password and telling the user to use su. When a user has been granted
privileges to use a command, they execute that command as if they were
root, using that command as an argument to the tfadmin command, as in

/sbin/tfadmin shutdown -g0 -y -i6

(The system maintains a security privilege database, and it can get
corrupted. Check it by typing /sbin/initprivs and fix it with
/etc/security/tools/setpriv -x.

See also Sections (1.15) and (6.6).


6.5 What are the alternatives to su? A user needs a privilege.
25 Oct 1999
--------------------------------------
Instead of granting every right by giving out the root password and
telling someone to use su, we use the tfadmin command and the privilege
mechanism. This allows us to grant specific access.


6.6 How do I use tfadmin, adminuser, and adminrole, instead of su?
18 Dec 2000
--------------------------------------
To use privileges instead of su, we do the following:

A) Create a group of commands that a user needs, called a role,
with the adminrole command
B) Assign a user or users to that role with adminuser.
C) Then they can execute the commands using tfadmin.

This is straightforward enough. The following is an example, where I'll
grant the privilege to use 'kill' and 'shutdown' to Yurtle:


Script started on Mon Oct 25 20:56:10 1999
# id | awk '{ print $1 " " $2 }'
UID=0(root) GID=3(sys)
#
# /bin/adminrole -n SCRAM
# /bin/adminrole -a kill:/bin/kill:allprivs SCRAM
# /bin/adminrole -a shutdown:/sbin/shutdown:allprivs SCRAM
# /bin/adminuser -n -o SCRAM yurtle
#
# ^D

script done on Mon Oct 25 21:00:45 1999


That's all there is to it. Yurtle can kill and shutdown now,
as long as initprivs returns nothing and they type their command like:

/sbin/tfadmin shutdown -g0 -y -i0

=== cut here === 8< ===

Kudos to Matt for his work,
Roberto
--
---------------------------------------------------------------------
Roberto Zini email : r.z...@strhold.it
Technical Support Manager -- Strhold Evolution Division R.E. (ITALY)
---------------------------------------------------------------------
"Has anybody around here seen an aircraft carrier?"
(Pete "Maverick" Mitchell - Top Gun)

Peter Michel

unread,
Jul 25, 2001, 7:42:24 AM7/25/01
to
Hi,
we use an user "off" or "Aus", full created with password and and with
uid 0 (root) without a shell, just executing a c-script (OFF), placed
in /etc, with does a little checking (#-users active, db-aktive/in
use, and whatever you will) and iff OK: starts shutdown.
This way, we installed more useres, named Reboot, Help, all going to
the same script, interpreting it's name and do difference things as a
root account is needed. So Reboot, reboots hard without any checking
and Help sends sms to the admin.
Nice is, that you can give premisions to the jobs easy via the right
password for the wanted user.
Cheers Peter
0 new messages