Hi list,

I've installed C 7.1.1503 and I've noticed that a simple user can run shutdown -h now/reboot from bash without getting special permission (sudo, su). The machine is a VM without GUI (tested also on a physical machine).

From reddit I've got a suggestion: by removing/commenting out "-session optional pam_systemd.so" in /etc/pam.d/system-auth the problem is solved.

Is this a bug? If not, why use this policy? Are there security implications?

Thanks in advance.

On Thu, 22 Oct 2015, Alessandro Baggi wrote:

> Hi list,
> I've installed C 7.1.1503 and I've noticed that a simple user can run
> shutdown -h now/reboot from bash without getting special permission
> (sudo, su). The machine is a VM without GUI (tested also on a physical
> machine).
> From reddit I've got a suggestion: by removing/commenting out "-session
> optional pam_systemd.so" in /etc/pam.d/system-auth the problem is solved.
> Is this a bug?

No, that's the wrong way to solve it.

> If not, why use this policy? Are there security implications?

Permissions here are handled by policykit AFAIK.

/usr/share/polkit-1/actions/org.freedesktop.login1.policy likely to be of particular interest?

jh

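As an added example (not part of the original thread, and not CentOS or polkit project code): a short Python check that reads a polkit policy file of the kind named in the reply above and lists the actions whose defaults grant access without any authentication. The embedded policy is a constructed sample in the polkit `.policy` format, and the function name is hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the polkit .policy format; values are illustrative,
# not copied from any CentOS release.
SAMPLE_POLICY = """<policyconfig>
  <action id="org.freedesktop.login1.power-off">
    <defaults>
      <allow_any>auth_admin_keep</allow_any>
      <allow_inactive>auth_admin_keep</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.freedesktop.login1.reboot">
    <defaults>
      <allow_any>auth_admin_keep</allow_any>
      <allow_inactive>auth_admin_keep</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.freedesktop.login1.power-off-multiple-sessions">
    <defaults>
      <allow_any>auth_admin_keep</allow_any>
      <allow_inactive>auth_admin_keep</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
</policyconfig>
"""

SCOPES = ("allow_any", "allow_inactive", "allow_active")

def unauthenticated_actions(policy_xml):
    """Return {action_id: [scopes]} where the default result is 'yes'."""
    findings = {}
    for action in ET.fromstring(policy_xml).iter("action"):
        defaults = action.find("defaults")
        if defaults is None:
            continue  # assumption: no <defaults> is treated here as not granting access
        open_scopes = [s for s in SCOPES
                       if (defaults.findtext(s) or "no").strip() == "yes"]
        if open_scopes:
            findings[action.get("id")] = open_scopes
    return findings

if __name__ == "__main__":
    for action_id, scopes in sorted(unauthenticated_actions(SAMPLE_POLICY).items()):
        print(f"{action_id}: no authentication for {', '.join(scopes)}")
```

To check a real system, pass the function the contents of the policy file named in the reply above. The file only carries the defaults; local polkit rules can override them, so review those as well.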
On 22/10/2015 10:49, John Hodrien wrote:

> On Thu, 22 Oct 2015, Alessandro Baggi wrote:
>
>> Hi list,
>> I've installed C 7.1.1503 and I've noticed that a simple user can run
>> shutdown -h now/reboot from bash without getting special permission
>> (sudo, su). The machine is a VM without GUI (tested also on a physical
>> machine).
>> From reddit I've got a suggestion: by removing/commenting out "-session
>> optional pam_systemd.so" in /etc/pam.d/system-auth the problem is solved.
>> Is this a bug?
>
> No, that's the wrong way to solve it.
>
>> If not, why use this policy? Are there security implications?
>
> Permissions here are handled by policykit AFAIK.
>
> /usr/share/polkit-1/actions/org.freedesktop.login1.policy likely to be of
> particular interest?
>
> jh
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
>

Hi J,

thank you for the suggestion. Why did the team make this possible? What is the purpose?