"Hardening" halt process


Armando-17
 Good evening everyone,

I'm more or less a newbie in the OpenBSD world and I'm trying to prepare
three virtual OpenBSD in my small home-network.

The question I'd like to ask is simple: is it possible to issue the halt
command using an unprivileged user? This because I have to set up a
script for KVM to shutdown properly all the OpenBSD guests and I'd like
to avoid an automatic ssh connection from the host to the guests using
the root user.

I thank you in advance for your really appreciated help.

0x412E

Re: "Hardening" halt process

Sebastian Reitenbach
Armando wrote:

>  Good evening everyone,
>
> I'm more or less a newbie in the OpenBSD world and I'm trying to prepare
> three virtual OpenBSD in my small home-network.
>
> The question I'd like to ask is simple: is it possible to issue the halt
> command using an unprivileged user? This because I have to set up a
> script for KVM to shutdown properly all the OpenBSD guests and I'd like
> to avoid an automatic ssh connection from the host to the guests using
> the root user.
>
> I thank you in advance for your really appreciated help.
>  
How about a halt via sudo?

cheers,
Sebastian

Re: "Hardening" halt process

Floor Terra
In reply to this post by Armando-17
On Wed, Jul 28, 2010 at 12:24 AM, Armando <[hidden email]> wrote:
> The question I'd like to ask is simple: is it possible to issue the halt
> command using an unprivileged user?

Configure sudo to allow the halt command without password.

$ sudo halt



--
Floor Terra <[hidden email]>
www: http://brobding.mine.nu/

Re: "Hardening" halt process

Armando-17
In reply to this post by Armando-17
> Yes, look into sudo.  You'll basically need something like that in
> /etc/sudoers:
>
> user        ALL=(ALL) NOPASSWD: /sbin/halt
>
> Then user "user" can run "sudo halt".
ok fair enough! :)

thanks again!
0x412E

Re: "Hardening" halt process

Armando-17
In reply to this post by Armando-17
 On 07/28/2010 12:34 AM, Carson Harding wrote:
> Put the user in the operators group and they can run the shutdown
> command. So "shutdown -hp now" pretty much does a "halt".

just to get the point: is this more "permissive" than the proposed
solution of the sudo without password? to be more precise: does this
permit also the user to execute other privileged commands?

thnx,
0x412E

Re: "Hardening" halt process

Janusz Gumkowski
On Wed, Jul 28, 2010 at 12:40:38AM +0200, Armando wrote:
>  On 07/28/2010 12:34 AM, Carson Harding wrote:
> > Put the user in the operators group and they can run the shutdown
> > command. So "shutdown -hp now" pretty much does a "halt".
>
> just to get the point: is this more "permissive" than the proposed
> solution of the sudo without password? to be more precise: does this
> permit also the user to execute other privileged commands?
>

Yes.
The operator group is allowed to read whole disk devices and partitions
(for doing backups with dump).

Just go with sudo.


--
Janusz Gumkowski
http://www.am.torun.pl/~ja
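
The sudoers rule quoted in the thread, next to a narrower form of it, as an added example that is not part of any post above. The account name `kvmhalt` is hypothetical, and the `-p` argument is an assumption about how the guests should be halted.

```sudoers
# Constructed example; the account name "kvmhalt" is hypothetical.
# Edit with visudo(8), or check a copy with "visudo -c -f <file>",
# so that a syntax error is caught before the file goes live.

# As quoted in the thread: passwordless halt. The run-as list (ALL)
# lets sudo run the command as any target user, and because the rule
# lists no arguments, any arguments to /sbin/halt are accepted.
#user      ALL=(ALL) NOPASSWD: /sbin/halt

# Narrower: run as root only, and spell out the arguments. When a rule
# lists arguments, the command line must match them exactly.
kvmhalt    ALL=(root) NOPASSWD: /sbin/halt -p

# To permit halt only with no arguments at all, use an empty string:
#kvmhalt   ALL=(root) NOPASSWD: /sbin/halt ""
```

With this rule the host-side script logs in as the unprivileged account and runs `sudo /sbin/halt -p`; unlike membership of the operator group, the account gains no read access to disk devices.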