Felipe Westfields
2018-Feb-02 16:09 UTC
[CentOS] Allowing non-root users to reboot a workstation
I would like to be able to allow regular users that don't have admin privileges to be able to reboot their workstation. (they're software developers so rebooting their workstation doesn't affect anybody else)

I tried changing the ownership of /sbin/reboot and /sbin/shutdown to root:users and permissions to 550, but that didn't work - it's still asking for root privileges.

Possibly the problem might be that there's centralized LDAP authentication, not local, so the changes I made only apply to local accounts?

Any suggestions?

FW
Did you try adding

UserName ALL= NOPASSWD: /sbin/reboot

As the last line of their /etc/sudoers files?
(replacing UserName with their actual user name, of course.)

That should grant them root access to only the /sbin/reboot command (add more commands using comma delimiting).

Then they just run
$ sudo reboot

If you want to require they enter their own password before rebooting, use the line

UserName ALL=/sbin/reboot

Instead.

Use of sudo is recorded in /var/log/secure, if I recall correctly.
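For the /var/log/secure remark above, an added example (not from the thread) that pulls sudo events out of secure-log lines and flags anything other than a successful run of the one permitted command. The log lines are constructed samples in sudo's syslog format, and the function names are made up for this sketch.

```sh
#!/bin/sh
# Constructed sample lines in the format sudo writes to /var/log/secure.
sample_secure_log() {
cat <<'EOF'
Feb  2 12:01:33 ws01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/sbin/reboot
Feb  2 12:01:33 ws01 sudo: pam_unix(sudo:session): session opened for user root by alice(uid=0)
Feb  2 12:40:10 ws01 sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Feb  2 13:15:02 ws01 sshd[2211]: Accepted publickey for carol from 192.0.2.10 port 50022 ssh2
Feb  2 14:02:47 ws01 sudo:    carol : TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/sbin/reboot
Feb  2 14:05:00 ws01 sudo:    alice : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/sbin/shutdown -h now
Feb  2 15:30:12 ws01 sudo:     dave : TTY=pts/3 ; PWD=/home/dave ; USER=root ; COMMAND=/bin/vi /etc/hosts
EOF
}

# Print "STATUS user command" for every sudo command entry (stdin or files).
# A successful run reads "user : TTY=..."; a refusal carries a reason there.
# PAM session lines from sudo have no COMMAND= field and are skipped.
sudo_events() {
  awk '$5 == "sudo:" && /COMMAND=/ {
    line = $0
    sub(/^.* sudo: +/, "", line)          # drop timestamp, host and tag
    hd = line;   sub(/ ; .*$/, "", hd)    # "user : reason-or-TTY"
    user = hd;   sub(/ : .*$/, "", user)
    what = hd;   sub(/^[^:]* : /, "", what)
    cmd = substr(line, index(line, "COMMAND=") + 8)
    st = (what ~ /^TTY=/) ? "ALLOWED" : "DENIED"
    print st, user, cmd
  }' "$@"
}

# Flag every entry that is not a successful run of exactly the permitted
# command: refusals, failed passwords, and allowed runs of anything else.
sudo_anomalies() {
  allowed=$1; shift
  sudo_events "$@" | awk -v ok="$allowed" '{
    cmd = $0; sub(/^[^ ]+ [^ ]+ /, "", cmd)
    if ($1 != "ALLOWED" || cmd != ok) print
  }'
}

# Demo on the constructed sample; on a real host, as root:
#   sudo_anomalies /sbin/reboot /var/log/secure
sample_secure_log | sudo_anomalies /sbin/reboot
```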
Tate Belden
2018-Feb-02 16:41 UTC
[CentOS] Allowing non-root users to reboot a workstation
Personally, this is what I'd use sudo for. You can configure sudo to allow only certain commands with or without a password.

Not a lot of detail, but you can either require or skip the password. And, instead of individuals - you can use groups. If you look through the sudoers file, you'll see how it's done.

This very brief article goes into a limited how-to:
http://www.atrixnet.com/allow-an-unprivileged-user-to-run-a-certain-command-with-sudo/

On Fri, Feb 2, 2018 at 9:09 AM, Felipe Westfields <felipe.westfields at gmail.com> wrote:
> I would like to be able to allow regular users that don't have admin
> privileges to be able to reboot their workstation. (they're software
> developers so rebooting their workstation doesn't affect anybody else)
>
> I tried changing the ownership of /sbin/reboot and /sbin/shutdown to
> root:users and permissions to 550, but that didn't work - it's still asking
> for root privileges.
>
> Possibly the problem might be that there's centralized LDAP authentication,
> not local, so the changes I made only apply to local accounts?
>
> Any suggestions?
>
> FW
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
>

--
Natrona County Beekeepers <http://ncbees.org>
Casper Amateur Radio Club <http://casperarc.net>

By sending an email to or replying in any way to ANY of my addresses, numbers, comments or messages, you are agreeing that:

1. I am, by definition, "the intended recipient" - in spite of and regardless of your intent, real or imaginary.
2. If you need to know that you know who is receiving your communications and must also be able to verify they were not tampered with in any way, while en route as well as verify receipt (but not comprehension), you must use PKI and have a verified Public Key published in an accessible location. NOTE: if your PKI Public Key is not signed by anyone I recognize, it will not be trusted. Unless I choose otherwise.
2. All information in any received communication is mine to do with as I see fit. I will make such financial gain, profit, political mileage, social satire, public value or jokes - as it lends itself and as I choose. In particular, I may quote it on usenet, IRC, SMS and/or future SMTP communications, regardless of SSL or TLS implementation, not inclusive.
3. I may take the contents of your messages as representing the views of your company, country or agency. Particularly if you've used a TLD owned by or under control of said entity.
4. This agreement - now that you've read this far - is now a contract and absolutely overrides any disclaimer or statement of confidentiality that may or may not be included, implied or missing in any of your messages. Especially as such things are meaningless, pointless and carry no weight, authority or validity, be they mass, legal or emotional, in spite of what your cousin said.
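An added example, not part of the thread, of the group-based rule mentioned above: it renders a sudoers drop-in for /sbin/reboot and installs it only after visudo accepts it. The group name wsusers, the drop-in path and the function names are assumptions.

```sh
#!/bin/sh
# Emit one sudoers rule for a group. "%group" applies the rule to every
# member, and the trailing "" makes sudo match /sbin/reboot only when it
# is run with no arguments. mode: passwd (default) or nopasswd.
render_reboot_rule() {
  group=$1
  mode=${2:-passwd}
  case $group in
    ''|*[!A-Za-z0-9_-]*) echo "bad group name: $group" >&2; return 1 ;;
  esac
  tag=''
  if [ "$mode" = nopasswd ]; then tag='NOPASSWD: '; fi
  printf '%%%s ALL = (root) %s/sbin/reboot ""\n' "$group" "$tag"
}

# Write the rule to a temp file, syntax-check it with visudo, and only then
# copy it into place as root:root 0440. A broken file under /etc/sudoers.d
# stops sudo from working for everyone, so nothing is installed unchecked.
# The drop-in name (an assumption) has no "." and no trailing "~", because
# sudo's #includedir skips files named that way.
install_reboot_rule() {
  dest=${3:-/etc/sudoers.d/50-reboot}
  tmp=$(mktemp) || return 1
  render_reboot_rule "$1" "$2" > "$tmp" &&
    visudo -cf "$tmp" >/dev/null &&
    install -o root -g root -m 0440 "$tmp" "$dest"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Preview only; to install, run as root:
#   install_reboot_rule wsusers nopasswd
render_reboot_rule wsusers nopasswd
```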
Valeri Galtsev
2018-Feb-02 16:47 UTC
[CentOS] Allowing non-root users to reboot a workstation
On 02/02/18 10:09, Felipe Westfields wrote:
> I would like to be able to allow regular users that don't have admin
> privileges to be able to reboot their workstation. (they're software
> developers so rebooting their workstation doesn't affect anybody else)
>
> I tried changing the ownership of /sbin/reboot and /sbin/shutdown to
> root:users and permissions to 550, but that didn't work - it's still asking
> for root privileges.
>
> Possibly the problem might be that there's centralized LDAP authentication,
> not local, so the changes I made only apply to local accounts?
>
> Any suggestions?

If they are local users (sitting in front of that computer), they will be able to use the commands

shutdown
reboot
poweroff

without any need of special privileges, which tells RedHat and CentOS apart from majority of Linuxes. This is incredibly logical (Thanks, RedHat!), as local user can just press power button, or yank AC cord.

To allow remote users reboot machine you can allow them execute some commands via sudo, like:

sudo reboot

Command sudo means Substitute User DO; when username of substitute user is not mentioned in command user "root" is used as substitute user, this is where misinterpreting the command as "super user do" originates, and the last is wrong.

Do "man visudo", "man sudo", to learn details.

Incidentally, rebooting machine is rather big deal, if that is used to resolve some trouble happening every so often, I would rather look into fixing the cause of that trouble.

Valeri

>
> FW

--
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
Felipe Westfields
2018-Feb-02 17:27 UTC
[CentOS] Allowing non-root users to reboot a workstation
That seems to have worked on my own test account - I applied it to the user having the issue and asked for his feedback when he gets a chance.

Thanks!

On Fri, Feb 2, 2018 at 11:40 AM, Darr247 <darr247 at gmail.com> wrote:
> Did you try adding
>
> UserName ALL= NOPASSWD: /sbin/reboot
>
> As the last line of their /etc/sudoers files?
> (replacing UserName with their actual user name, of course.)
>
> That should grant them root access to only the /sbin/reboot command (add
> more commands using comma delimiting).
>
> Then they just run
> $ sudo reboot
>
>
> If you want to require they enter their own password before rebooting, use
> the line
>
> UserName ALL=/sbin/reboot
>
> Instead.
>
> Use of sudo is recorded in /var/log/secure, if I recall correctly.
m.roth at 5-cent.us
2018-Feb-02 18:13 UTC
[CentOS] Allowing non-root users to reboot a workstation
Felipe Westfields wrote:
> I would like to be able to allow regular users that don't have admin
> privileges to be able to reboot their workstation. (they're software
> developers so rebooting their workstation doesn't affect anybody else)
>
> I tried changing the ownership of /sbin/reboot and /sbin/shutdown to
> root:users and permissions to 550, but that didn't work - it's still
> asking
> for root privileges.
>
> Possibly the problem might be that there's centralized LDAP
> authentication, not local, so the changes I made only apply to
> local accounts?
>
> Any suggestions?

Um, I take it that a three-finger kill doesn't work?

mark
James Hogarth
2018-Feb-06 20:16 UTC
[CentOS] Allowing non-root users to reboot a workstation
On 2 February 2018 at 18:13, <m.roth at 5-cent.us> wrote:
> Felipe Westfields wrote:
>> I would like to be able to allow regular users that don't have admin
>> privileges to be able to reboot their workstation. (they're software
>> developers so rebooting their workstation doesn't affect anybody else)
>>
>> I tried changing the ownership of /sbin/reboot and /sbin/shutdown to
>> root:users and permissions to 550, but that didn't work - it's still
>> asking
>> for root privileges.
>>
>> Possibly the problem might be that there's centralized LDAP
>> authentication, not local, so the changes I made only apply to
>> local accounts?
>>
>> Any suggestions?
>
> Um, I take it that a three-finger kill doesn't work?
>
> mark
>

You'll want to look at polkit configuration as that's what is used by systemd, and by gnome as a result, to determine what actions are permitted

https://www.hogarthuk.com/?q=node/10