The shutdown
binary will only work for the root user. The typical approach to this is to set up sudo rules to allow the user to execute shutdown as root. Assuming the user doesn't already have full sudo permissions
(the first user on an Ubuntu desktop system does, for example) you might add the following line to /etc/sudoers (using the visudo
utility, for safety):
joe hostname=(root) /sbin/shutdown -h now
If you want them to be able to shut down without being prompted for their password, then add the NOPASSWD option, like this:
joe hostname=(root) NOPASSWD: /sbin/shutdown -h now
You can modify the way they can run shutdown by using wildcards or explicit declarations. For example shutdown -h now
allows an immediate halt of the system, it will not reboot. You could allow -r
instead to reboot the system.
After you configure sudoers, joe can run the following command to reboot the system:
sudo /sbin/shutdown -h now
As joe, you can run the following command to see what commands you have access to run using sudo
:
sudo -l
This would be security by obscurity. There is no real benefit by preventing normal users from reading /etc/crontab
. Even if a user can't read the file, it's still possible to gather the executed command just by regularly capturing the process list with ps
or by reading /proc
.
There should be no need at all to hide some administrative commands except when you put credentials in the command-line. But you should never put credentials in the command line anyway as a normal user can read the command-line, so no real benefit.
There is a mount option/kernel patch for procfs preventing PID leakage as well as some kernel modules like grsec
which prevent PID leaks.
The benefit of having the file system readable is that you can have a look/debug the system as a non root user. You don't have to switch to the root user just to check the system crontabs.
Best Answer
CentOS/RHEL/Fedora
You can disable access to these commands by removing their entries in the
/etc/security/console.apps/*
:Above was found here: 27.2. Disabling Console Program Access - CentOS Deployment Guide
Hack method
I think you can achieve this by doing the following. In the directory
/lib/upstart
, are the following commands:chmod 700 the reboot executable: