[gentoo-user] How to poweroff the system from user?

[gentoo-user] How to poweroff the system from user?

[German]

If I run poweroff from root, the system shuts down, however when I run poweroff from user -- command not found. How to shut down the system from user? Thanks

-- 
German <gentgerman@gmail.com>

Re: [gentoo-user] How to poweroff the system from user?

[Alexander Kapshuk]

[-- Attachment #1: Type: text/plain, Size: 607 bytes --]

On Sat, Mar 21, 2015 at 9:26 PM, German <gentgerman@gmail.com> wrote:

> If I run poweroff from root, the system shuts down, however when I run
> poweroff from user -- command not found. How to shut down the system from
> user? Thanks
>
> --
> German <gentgerman@gmail.com>
>
>
poweroff(1) says:
If  you're  not  the superuser, you will get the message `must be supe‐
       ruser'.

Either run poweroff as the superuser, or if you're running Gnome, KDE,
XFCE, etc., you may use the shutdown option available in those desktop
environments.

Others might suggest other ways of doing it.

[-- Attachment #2: Type: text/html, Size: 1176 bytes --]

Re: [gentoo-user] How to poweroff the system from user?

[Alexander Kapshuk]

[-- Attachment #1: Type: text/plain, Size: 767 bytes --]

On Sat, Mar 21, 2015 at 9:34 PM, Alexander Kapshuk <
alexander.kapshuk@gmail.com> wrote:

> On Sat, Mar 21, 2015 at 9:26 PM, German <gentgerman@gmail.com> wrote:
>
>> If I run poweroff from root, the system shuts down, however when I run
>> poweroff from user -- command not found. How to shut down the system from
>> user? Thanks
>>
>> --
>> German <gentgerman@gmail.com>
>>
>>
> poweroff(1) says:
> If  you're  not  the superuser, you will get the message `must be supe‐
>        ruser'.
>
> Either run poweroff as the superuser, or if you're running Gnome, KDE,
> XFCE, etc., you may use the shutdown option available in those desktop
> environments.
>
> Others might suggest other ways of doing it.
>

It's actually poweroff(8). Sorry.

[-- Attachment #2: Type: text/html, Size: 1650 bytes --]

Re: [gentoo-user] How to poweroff the system from user?

[Fernando Rodriguez]

On Saturday, March 21, 2015 9:35:44 PM Alexander Kapshuk wrote:
> On Sat, Mar 21, 2015 at 9:34 PM, Alexander Kapshuk <
> alexander.kapshuk@gmail.com> wrote:
> 
> > On Sat, Mar 21, 2015 at 9:26 PM, German <gentgerman@gmail.com> wrote:
> >
> >> If I run poweroff from root, the system shuts down, however when I run
> >> poweroff from user -- command not found. How to shut down the system from
> >> user? Thanks
> >>
> >> --
> >> German <gentgerman@gmail.com>
> >>
> >>
> > poweroff(1) says:
> > If  you're  not  the superuser, you will get the message `must be supe‐
> >        ruser'.
> >
> > Either run poweroff as the superuser, or if you're running Gnome, KDE,
> > XFCE, etc., you may use the shutdown option available in those desktop
> > environments.
> >
> > Others might suggest other ways of doing it.
> >
> 
> It's actually poweroff(8). Sorry.

That's actually sysvinit poweroff...systemd's is different.
-- 
Fernando Rodriguez

Re: [gentoo-user] How to poweroff the system from user?

[Emanuele Rusconi]

[-- Attachment #1: Type: text/plain, Size: 268 bytes --]

Ctrl-Alt-Del can be set to do what you want.

I have this in my /etc/inittab:

    ca:12345:ctrlaltdel:/sbin/shutdown -P now

This way Ctrl-Alt-Del calls power off instead of reboot.
So to shutdown I just exit from Openbox and press Ctrl-Alt-Del.

-- Emanuele Rusconi

[-- Attachment #2: Type: text/html, Size: 470 bytes --]

Re: [gentoo-user] How to poweroff the system from user?

[Fernando Rodriguez]

[-- Attachment #1: Type: text/plain, Size: 533 bytes --]

On Saturday, March 21, 2015 11:52:45 PM Emanuele Rusconi wrote:
> Ctrl-Alt-Del can be set to do what you want.
> 
> I have this in my /etc/inittab:
> 
>     ca:12345:ctrlaltdel:/sbin/shutdown -P now
> 
> This way Ctrl-Alt-Del calls power off instead of reboot.
> So to shutdown I just exit from Openbox and press Ctrl-Alt-Del.
> 
> -- Emanuele Rusconi

Also sysvinit specific.
On systemd you need to copy /usr/lib/systemd/system/ctrl-alt-del.target to 
/etc/systemd/system and edit that file.

-- 
Fernando Rodriguez

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

Re: [gentoo-user] How to poweroff the system from user?

[German]

On Sat, 21 Mar 2015 21:34:51 +0200
Alexander Kapshuk <alexander.kapshuk@gmail.com> wrote:

> On Sat, Mar 21, 2015 at 9:26 PM, German <gentgerman@gmail.com> wrote:
> 
> > If I run poweroff from root, the system shuts down, however when I run
> > poweroff from user -- command not found. How to shut down the system from
> > user? Thanks
> >
> > --
> > German <gentgerman@gmail.com>
> >
> >
> poweroff(1) says:
> If  you're  not  the superuser, you will get the message `must be supe‐
>        ruser'.
> 
> Either run poweroff as the superuser, or if you're running Gnome, KDE,
> XFCE, etc., you may use the shutdown option available in those desktop
> environments.

No, I am trying to shutdown from a console
> 
> Others might suggest other ways of doing it.


-- 
German <gentgerman@gmail.com>

Re: [gentoo-user] How to poweroff the system from user?

[Rich Freeman]

On Sat, Mar 21, 2015 at 3:39 PM, German <gentgerman@gmail.com> wrote:
>
> No, I am trying to shutdown from a console

Well, the old answer would be that you need to use sudo to run it, as
shutting down is a privileged operation.

I suspect that the new answer is that with appropriate
policykit/consolekit/etc settings you can probably allow somebody
sitting at a physical console to shut down the system, or any
logged-in user if you prefer.  However, I haven't actually set that up
myself.

-- 
Rich

Re: [gentoo-user] How to poweroff the system from user?

[Canek Peláez Valdés]

[-- Attachment #1: Type: text/plain, Size: 1515 bytes --]

On Sat, Mar 21, 2015 at 1:47 PM, Rich Freeman <rich0@gentoo.org> wrote:
>
> On Sat, Mar 21, 2015 at 3:39 PM, German <gentgerman@gmail.com> wrote:
> >
> > No, I am trying to shutdown from a console
>
> Well, the old answer would be that you need to use sudo to run it, as
> shutting down is a privileged operation.
>
> I suspect that the new answer is that with appropriate
> policykit/consolekit/etc settings you can probably allow somebody
> sitting at a physical console to shut down the system, or any
> logged-in user if you prefer.  However, I haven't actually set that up
> myself.

logind does that for you automagically™. The first seat has the rights to
poweroff or reboot the machine, and it can differentiate between local and
remote logins. You can check if your user session has the permissions to
poweroff/reboot via dbus:

$ gdbus call --system --dest org.freedesktop.login1 --object-path
/org/freedesktop/login1 --method org.freedesktop.login1.Manager.CanPowerOff
('yes',)

$ gdbus call --system --dest org.freedesktop.login1 --object-path
/org/freedesktop/login1 --method org.freedesktop.login1.Manager.CanReboot
('yes',)

But you need systemd to use logind1. There has been some attempts to
reimplement logind outside systemd, but I'm not sure how advanced they are.

This kind of problems were one of the reasons for creating logind.

Regards.
--
Canek Peláez Valdés
Profesor de asignatura, Facultad de Ciencias
Universidad Nacional Autónoma de México

[-- Attachment #2: Type: text/html, Size: 1892 bytes --]

Re: [gentoo-user] How to poweroff the system from user?

[microcai]

on Saturday 21 March 2015 13:58:45，Canek Peláez Valdés wrote：
> On Sat, Mar 21, 2015 at 1:47 PM, Rich Freeman <rich0@gentoo.org> wrote:
> > On Sat, Mar 21, 2015 at 3:39 PM, German <gentgerman@gmail.com> wrote:
> > > No, I am trying to shutdown from a console
> > 
> > Well, the old answer would be that you need to use sudo to run it, as
> > shutting down is a privileged operation.
> > 
> > I suspect that the new answer is that with appropriate
> > policykit/consolekit/etc settings you can probably allow somebody
> > sitting at a physical console to shut down the system, or any
> > logged-in user if you prefer.  However, I haven't actually set that up
> > myself.
> 
> logind does that for you automagically™. The first seat has the rights to
> poweroff or reboot the machine, and it can differentiate between local and
> remote logins. You can check if your user session has the permissions to
> poweroff/reboot via dbus:
> 
> $ gdbus call --system --dest org.freedesktop.login1 --object-path
> /org/freedesktop/login1 --method org.freedesktop.login1.Manager.CanPowerOff
> ('yes',)
> 
> $ gdbus call --system --dest org.freedesktop.login1 --object-path
> /org/freedesktop/login1 --method org.freedesktop.login1.Manager.CanReboot
> ('yes',)
> 
> But you need systemd to use logind1. There has been some attempts to
> reimplement logind outside systemd, but I'm not sure how advanced they are.
> 
> This kind of problems were one of the reasons for creating logind.
> 

and dump people keep talking nonsencely that sysvinit is enough while it 
cannot even handle reboot for normal user. sad.


> Regards.
> --
> Canek Peláez Valdés
> Profesor de asignatura, Facultad de Ciencias
> Universidad Nacional Autónoma de México

Re: [gentoo-user] How to poweroff the system from user?

[Volker Armin Hemmann]

Am 26.03.2015 um 01:46 schrieb microcai:
> on Saturday 21 March 2015 13:58:45，Canek Peláez Valdés wrote：
>> On Sat, Mar 21, 2015 at 1:47 PM, Rich Freeman <rich0@gentoo.org> wrote:
>>> On Sat, Mar 21, 2015 at 3:39 PM, German <gentgerman@gmail.com> wrote:
>>>> No, I am trying to shutdown from a console
>>> Well, the old answer would be that you need to use sudo to run it, as
>>> shutting down is a privileged operation.
>>>
>>> I suspect that the new answer is that with appropriate
>>> policykit/consolekit/etc settings you can probably allow somebody
>>> sitting at a physical console to shut down the system, or any
>>> logged-in user if you prefer.  However, I haven't actually set that up
>>> myself.
>> logind does that for you automagically™. The first seat has the rights to
>> poweroff or reboot the machine, and it can differentiate between local and
>> remote logins. You can check if your user session has the permissions to
>> poweroff/reboot via dbus:
>>
>> $ gdbus call --system --dest org.freedesktop.login1 --object-path
>> /org/freedesktop/login1 --method org.freedesktop.login1.Manager.CanPowerOff
>> ('yes',)
>>
>> $ gdbus call --system --dest org.freedesktop.login1 --object-path
>> /org/freedesktop/login1 --method org.freedesktop.login1.Manager.CanReboot
>> ('yes',)
>>
>> But you need systemd to use logind1. There has been some attempts to
>> reimplement logind outside systemd, but I'm not sure how advanced they are.
>>
>> This kind of problems were one of the reasons for creating logind.
>>
> and dump people keep talking nonsencely that sysvinit is enough while it 
> cannot even handle reboot for normal user. sad.
>
>
>

it can. Did for decaded.

Dumb systemd fanbois spouting their lies everywhere. Sad.

Re: [gentoo-user] How to poweroff the system from user?

[Jorge Almeida]

On Sun, Mar 29, 2015 at 12:55 PM, Volker Armin Hemmann
<volkerarmin@googlemail.com> wrote:


>> and dump people keep talking nonsencely that sysvinit is enough while it
>> cannot even handle reboot for normal user. sad.
>>
>>
>>
>
> it can. Did for decaded.
>
> Dumb systemd fanbois spouting their lies everywhere. Sad.
>

"Sad" doesn't even begin to describe the behaviour of Mr. "can learn
anything I want very very fast", the famous "expert of all kinds".
What beats me is the apparent tolerance of this list towards this kind
of attitude. In case someone forgot, this microcai critter is the same
self-styled genious who made his Grand Entrance to this list on
11/11/12 saying "byebye  haters .  Comunitiy doesn't need people like
you"

Regards,

Jorge Almeida

Re: [gentoo-user] How to poweroff the system from user?

[Rich Freeman]

On Sun, Mar 29, 2015 at 8:33 AM, Jorge Almeida <jjalmeida@gmail.com> wrote:
> On Sun, Mar 29, 2015 at 12:55 PM, Volker Armin Hemmann
> <volkerarmin@googlemail.com> wrote:
>>> and dump people keep talking nonsencely that sysvinit is enough while it
>>> cannot even handle reboot for normal user. sad.
>>
>> it can. Did for decaded.
>>
>> Dumb systemd fanbois spouting their lies everywhere. Sad.
>>
>
> "Sad" doesn't even begin to describe the behaviour of Mr. "can learn
> anything I want very very fast", the famous "expert of all kinds".
> What beats me is the apparent tolerance of this list towards this kind
> of attitude. In case someone forgot, this microcai critter is the same
> self-styled genious who made his Grand Entrance to this list on
> 11/11/12 saying "byebye  haters .  Comunitiy doesn't need people like
> you"

Do we really need a 15-post flamewar about whose fans are more childish?

If you have a problem with somebody, take it to comrel.  If you have
something useful to offer, offer it.  Nothing above has added to the
conversation at all.

-- 
Rich

Re: [gentoo-user] How to poweroff the system from user?

[German]

On Sat, 21 Mar 2015 15:47:16 -0400
Rich Freeman <rich0@gentoo.org> wrote:

> On Sat, Mar 21, 2015 at 3:39 PM, German <gentgerman@gmail.com> wrote:
> >
> > No, I am trying to shutdown from a console
> 
> Well, the old answer would be that you need to use sudo to run it, as
> shutting down is a privileged operation.
> 
> I suspect that the new answer is that with appropriate
> policykit/consolekit/etc settings you can probably allow somebody
> sitting at a physical console to shut down the system, or any
> logged-in user if you prefer.  However, I haven't actually set that up
> myself.

Well, I am the only one sitting at the console :) Are there any key combination which allows that? I can reboot even if I am a user with Ctrl+Alt+Delete
> 
> -- 
> Rich
> 


-- 
German <gentgerman@gmail.com>

Re: [gentoo-user] How to poweroff the system from user?

[Jc García]

2015-03-21 14:01 GMT-06:00 German <gentgerman@gmail.com>:
> On Sat, 21 Mar 2015 15:47:16 -0400
> Rich Freeman <rich0@gentoo.org> wrote:
>
>> On Sat, Mar 21, 2015 at 3:39 PM, German <gentgerman@gmail.com> wrote:
>> >
>> > No, I am trying to shutdown from a console
>>
>> Well, the old answer would be that you need to use sudo to run it, as
>> shutting down is a privileged operation.
>>
>> I suspect that the new answer is that with appropriate
>> policykit/consolekit/etc settings you can probably allow somebody
>> sitting at a physical console to shut down the system, or any
>> logged-in user if you prefer.  However, I haven't actually set that up
>> myself.
>
> Well, I am the only one sitting at the console :) Are there any key combination which allows that? I can reboot even if I am a user with Ctrl+Alt+Delete
>>

Just use sudo to allow your user to shutdwon without
password(suders(5) manpage is your friend), and put an  alias in your
bashrc:
alias poweroff="sudo /sbin/poweroff"

Re: [gentoo-user] How to poweroff the system from user?

[Fernando Rodriguez]

On Saturday, March 21, 2015 3:26:56 PM German wrote:
> If I run poweroff from root, the system shuts down, however when I run 
poweroff from user -- command not found. How to shut down the system from user? 
Thanks
> 
> 

The command not found part is because /sbin and /usr/sbin and on gentoo it's 
not on your PATH env var by default.

I think it's supposed to be a security measure but really it provides no 
security whatsoever so I always add it to my path. After that you'll be able 
to shutdown if there's no other active sessions, otherwise you should be 
prompted for password.

-- 
Fernando Rodriguez

Re: [gentoo-user] How to poweroff the system from user?

[Philip Webb]

150321 German wrote:
> If I run poweroff from root, the system shuts down.
> When I run poweroff from user -- command not found.
> How to shut down the system from user ?

I'ld say "Don't" : it's contrary to the principles of Unix,
which separate the roles of sysadmin (root) from those of ordinary users.

To shut down, I first exit Fluxbox via its menu,
then 'su' + root password, then alias 'down' = 'shutdown -h now'.
That observes the proper roles + ceremonies (smile).

-- 
========================,,============================================
SUPPORT     ___________//___,   Philip Webb
ELECTRIC   /] [] [] [] [] []|   Cities Centre, University of Toronto
TRANSIT    `-O----------O---'   purslowatchassdotutorontodotca

Re: [gentoo-user] How to poweroff the system from user?

[Rich Freeman]

On Sat, Mar 21, 2015 at 4:32 PM, Philip Webb <purslow@ca.inter.net> wrote:
>
> I'ld say "Don't" : it's contrary to the principles of Unix,
> which separate the roles of sysadmin (root) from those of ordinary users.
>

There are a couple of schools of thought there.  One that differs from
what you suggested is that root isn't really a pure role - it is a uid
you can log in as (which mostly makes the actions you take as root
anonymous in a multi-admin environment).  If you're into role-based
access control then you really don't want people just switching to
root all the time - you want to define roles and their specific
requirements, and then assign those roles to users.  Sudo is a simple
tool for doing this, but stuff like consolekit/logind/policykit and so
on are about giving more granular access to users.  Likewise posix
capabilities are all about making what traditionally is root much more
granular.

But, yes, the simple answer is to just log in as root to power off the
system.  That will almost certainly work for at least the next 20
years.  Everything else is just added capabilities.

-- 
Rich

Re: [gentoo-user] How to poweroff the system from user?

[German]

On Sat, 21 Mar 2015 16:32:25 -0400
Philip Webb <purslow@ca.inter.net> wrote:

> 150321 German wrote:
> > If I run poweroff from root, the system shuts down.
> > When I run poweroff from user -- command not found.
> > How to shut down the system from user ?
> 
> I'ld say "Don't" : it's contrary to the principles of Unix,
> which separate the roles of sysadmin (root) from those of ordinary users.
> 
> To shut down, I first exit Fluxbox via its menu,
> then 'su' + root password, then alias 'down' = 'shutdown -h now'.
> That observes the proper roles + ceremonies (smile).

Interesting. But as I said ealier, I can reboot the system when I am a user by Ctrl+Alt+Delete. The user can reboot the system, but can't shut down? Strange
> 
> -- 
> ========================,,============================================
> SUPPORT     ___________//___,   Philip Webb
> ELECTRIC   /] [] [] [] [] []|   Cities Centre, University of Toronto
> TRANSIT    `-O----------O---'   purslowatchassdotutorontodotca
> 
> 


-- 
German <gentgerman@gmail.com>

Re: [gentoo-user] How to poweroff the system from user?

[Jc García]

> Interesting. But as I said ealier, I can reboot the system when I am a user by Ctrl+Alt+Delete. The user can reboot the system, but can't shut down? Strange

It's not strange,  `man 2 reboot`. It's a defined behavior.

Re: [gentoo-user] How to poweroff the system from user?

[Peter Humphrey]

On Saturday 21 March 2015 16:20:17 Jc García wrote:
> > Interesting. But as I said ealier, I can reboot the system when I am a
> > user by Ctrl+Alt+Delete. The user can reboot the system, but can't shut
> > down? Strange
> It's not strange,  `man 2 reboot`. It's a defined behavior.

I'm with German here. Being designed that way doesn't stop it being strange.

Consider: I'm an ordinary user sitting at a terminal. I'm not allowed to 
halt the machine, but I am allowed to reboot it into perhaps some quite 
other configuration. Or I can keep rebooting it over and again, effectively 
preventing the machine from doing its job. How does that make sense?

-- 
Rgds
Peter.

[gentoo-user] Re: How to poweroff the system from user?

[Nikos Chantziaras]

On 22/03/15 12:30, Peter Humphrey wrote:
> On Saturday 21 March 2015 16:20:17 Jc García wrote:
>>> Interesting. But as I said ealier, I can reboot the system when I am a
>>> user by Ctrl+Alt+Delete. The user can reboot the system, but can't shut
>>> down? Strange
>> It's not strange,  `man 2 reboot`. It's a defined behavior.
>
> I'm with German here. Being designed that way doesn't stop it being strange.
>
> Consider: I'm an ordinary user sitting at a terminal. I'm not allowed to
> halt the machine, but I am allowed to reboot it into perhaps some quite
> other configuration. Or I can keep rebooting it over and again, effectively
> preventing the machine from doing its job. How does that make sense?

The thinking is that you can unplug the machine, or press the hardware 
reset or power button, or flip the PSU switch...

Preventing a ctrl+alt+del reboot does not add anything to security. 
Security doesn't really apply to users with physical access to the machine.

However, this is just a default. You can easily disable reboot on 
ctrl+alt+del by editing /etc/inittab and commenting-out this line:

   ca:12345:ctrlaltdel:/sbin/shutdown -r now

Note though, that is someone wants to reboot, and ctrl+alt+del doesn't 
work, pressing the reset button is far worse, since there's no clean 
shutdown performed (unmounting filesystems after flushing caches, etc.) 
Because of that, the default of allowing ctrl+alt+del for local users 
makes more sense than disabling it.

Re: [gentoo-user] Re: How to poweroff the system from user?

[Peter Humphrey]

On Sunday 22 March 2015 13:04:44 Nikos Chantziaras wrote:
> On 22/03/15 12:30, Peter Humphrey wrote:
> > On Saturday 21 March 2015 16:20:17 Jc García wrote:
> >>> Interesting. But as I said ealier, I can reboot the system when I am a
> >>> user by Ctrl+Alt+Delete. The user can reboot the system, but can't
> >>> shut
> >>> down? Strange
> >> 
> >> It's not strange,  `man 2 reboot`. It's a defined behavior.
> > 
> > I'm with German here. Being designed that way doesn't stop it being
> > strange.
> > 
> > Consider: I'm an ordinary user sitting at a terminal. I'm not allowed to
> > halt the machine, but I am allowed to reboot it into perhaps some quite
> > other configuration. Or I can keep rebooting it over and again,
> > effectively preventing the machine from doing its job. How does that
> > make sense?
> The thinking is that you can unplug the machine, or press the hardware
> reset or power button, or flip the PSU switch...
> 
> Preventing a ctrl+alt+del reboot does not add anything to security.
> Security doesn't really apply to users with physical access to the
> machine.

Indeed, as witness many successful hijacks of supposedly secure systems.

> However, this is just a default. You can easily disable reboot on
> ctrl+alt+del by editing /etc/inittab and commenting-out this line:
> 
>    ca:12345:ctrlaltdel:/sbin/shutdown -r now

All good sense.

> Note though, that is someone wants to reboot, and ctrl+alt+del doesn't
> work, pressing the reset button is far worse, since there's no clean
> shutdown performed (unmounting filesystems after flushing caches, etc.)
> Because of that, the default of allowing ctrl+alt+del for local users
> makes more sense than disabling it.

And there's no arguing with that!  :_)

-- 
Rgds
Peter.

Re: [gentoo-user] Re: How to poweroff the system from user?

[Philip Webb]

150322 Peter Humphrey wrote:
> On Sunday 22 March 2015 13:04:44 Nikos Chantziaras wrote:
>>> I can reboot the system when I am a user by Ctrl+Alt+Delete.
>>> The user can reboot the system, but can't shut down ?  Strange
>> The thinking is that you can unplug the machine
>> or press the hardware reset or power button or flip the PSU switch ...
>> Preventing a ctrl+alt+del reboot does not add anything to security.
>> Security doesn't apply to users with physical access to the machine.
>> However, this is just a default. You can easily disable reboot
>> on ctrl+alt+del by editing /etc/inittab and commenting-out this line:
>>   ca:12345:ctrlaltdel:/sbin/shutdown -r now

Testing my single-user box with the above line in  inittab ,
I find that if I enter 'A-^Del' , I exit X to the raw terminal ;
another 'A-^Del' then reboots the box.  If I enter 'shutdown -r now' as user,
I get "shutdown: you must be root to do that!".  'cd /sbin ; ls -l shutdown'
shows '-rwxr-xr-x 1 root root 23192 May 17 2014 shutdown',
so that behaviour arises from the shutdown script, not the permissions.

The 1st effect is explained in  ~/.fluxbox/keys  by
  # exit fluxbox
  Control Mod1 Delete :Exit

However, the 2nd effect is not explained so easily :
'A-^Del' reboots when entered at a raw terminal,
but 'shutdown -r now' does not, yet the former is defined as the latter
by the line above in my  /etc/inittab .

The cause seems to be that 'A-^Del' is intercepted by 'init' (Process 1),
which is owned by root, but 'shutdown -r now' is heard by Process 910
-- 'bash' running in the raw terminal, which was started by 'init' -- ,
which is owned by my user.

So the behaviour is explained, but following my earlier msg,
which advised to follow proper Unix principles,
I should comment the 'A-^Del' line in  inittab :
if the raw terminal can't react to 'su', it won't react to 'A-^Del' either,
so there's no justification in terms of escaping from an emergency.

>> pressing the reset button is far worse, since there's no clean shutdown,
>> unmounting filesystems after flushing caches, etc.

Yes : that's forced only when the keyboard ceases to respond.

>> Because of that, the default of allowing ctrl+alt+del for local users
>> makes more sense than disabling it.

That doesn't follow : if you have multiple users,
you don't want some rogue user rebooting randomly ;
it makes sense only as a convenience on a single-user system.
It seems to be the default behaviour of 'inittab'
-- there no comment saying I set it myself, which I would have added -- ,
which is not appropriate for Gentoo systems in general,
some of which are undoubtedly multi-user.

-- 
========================,,============================================
SUPPORT     ___________//___,   Philip Webb
ELECTRIC   /] [] [] [] [] []|   Cities Centre, University of Toronto
TRANSIT    `-O----------O---'   purslowatchassdotutorontodotca

[gentoo-user] Re: How to poweroff the system from user?

[Nikos Chantziaras]

On 22/03/15 17:58, Philip Webb wrote:
>>> Because of that, the default of allowing ctrl+alt+del for local users
>>> makes more sense than disabling it.
>
> That doesn't follow : if you have multiple users,
> you don't want some rogue user rebooting randomly

You can't stop a local user from doing that. As mentioned, the reset 
button works just fine. You really do want those users to reboot the 
system properly rather than pressing reset...

Environments where the machine is locked away with only the keyboard 
being accessible are far less common than people sitting in front of the 
actual machine.

Re: [gentoo-user] Re: How to poweroff the system from user?

[Philip Webb]

150322 Nikos Chantziaras wrote:
> On 22/03/15 17:58, Philip Webb wrote:
>> If you have multiple users,
>> you don't want some rogue user rebooting randomly
> You can't stop a local user from doing that.
> As mentioned, the reset button works just fine.  You really do want
> those users to reboot the system properly rather than pressing reset.
> Environments where the machine is locked away
> with only the keyboard being accessible are far less common
> than people sitting in front of the actual machine.

We're picturing different set-ups : I'm thinking of a campus system,
where the machine is in a locked room accessible to the sysadmin (root)
& users log in somewhere else via machines which act as terminals ;
you are perhaps refering to a family or small-office machine,
where there are no other means of access, but users log in separately.
You are correct in the latter case.

-- 
========================,,============================================
SUPPORT     ___________//___,   Philip Webb
ELECTRIC   /] [] [] [] [] []|   Cities Centre, University of Toronto
TRANSIT    `-O----------O---'   purslowatchassdotutorontodotca

[gentoo-user] Re: How to poweroff the system from user?

[Nikos Chantziaras]

On 22/03/15 22:12, Philip Webb wrote:
> 150322 Nikos Chantziaras wrote:
>> On 22/03/15 17:58, Philip Webb wrote:
>>> If you have multiple users,
>>> you don't want some rogue user rebooting randomly
>> You can't stop a local user from doing that.
>> As mentioned, the reset button works just fine.  You really do want
>> those users to reboot the system properly rather than pressing reset.
>> Environments where the machine is locked away
>> with only the keyboard being accessible are far less common
>> than people sitting in front of the actual machine.
>
> We're picturing different set-ups : I'm thinking of a campus system,
> where the machine is in a locked room accessible to the sysadmin (root)
> & users log in somewhere else via machines which act as terminals ;
> you are perhaps refering to a family or small-office machine,
> where there are no other means of access, but users log in separately.
> You are correct in the latter case.

Well, remote logins can't reboot with ctrl+alt+del. That's reserved only 
for the users using the actual console. Meaning the keyboard hooked up 
to the machine with the PS/2 or USB cable.

SSH login or thin clients can't reboot. If you press ctrl+alt+del on the 
terminal machine, that's only going to reboot the terminal machine. We 
had such a setup using Sun Rays in the past. Non-console logins are 
getting the full security treatment.

Re: [gentoo-user] Re: How to poweroff the system from user?

[Matti Nykyri]

> On Mar 22, 2015, at 17:58, Philip Webb <purslow@ca.inter.net> wrote:
> 
> 150322 Peter Humphrey wrote:
>> On Sunday 22 March 2015 13:04:44 Nikos Chantziaras wrote:
>>>> I can reboot the system when I am a user by Ctrl+Alt+Delete.
>>>> The user can reboot the system, but can't shut down ?  Strange
>>> The thinking is that you can unplug the machine
>>> or press the hardware reset or power button or flip the PSU switch ...
>>> Preventing a ctrl+alt+del reboot does not add anything to security.
>>> Security doesn't apply to users with physical access to the machine.
>>> However, this is just a default. You can easily disable reboot
>>> on ctrl+alt+del by editing /etc/inittab and commenting-out this line:
>>> ca:12345:ctrlaltdel:/sbin/shutdown -r now
> 
> Testing my single-user box with the above line in  inittab ,
> I find that if I enter 'A-^Del' , I exit X to the raw terminal ;
> another 'A-^Del' then reboots the box.  If I enter 'shutdown -r now' as user,
> I get "shutdown: you must be root to do that!".  'cd /sbin ; ls -l shutdown'
> shows '-rwxr-xr-x 1 root root 23192 May 17 2014 shutdown',
> so that behaviour arises from the shutdown script, not the permissions.
> 
> The 1st effect is explained in  ~/.fluxbox/keys  by
> # exit fluxbox
> Control Mod1 Delete :Exit
> 
> However, the 2nd effect is not explained so easily :
> 'A-^Del' reboots when entered at a raw terminal,
> but 'shutdown -r now' does not, yet the former is defined as the latter
> by the line above in my  /etc/inittab .
> 
> The cause seems to be that 'A-^Del' is intercepted by 'init' (Process 1),
> which is owned by root, but 'shutdown -r now' is heard by Process 910
> -- 'bash' running in the raw terminal, which was started by 'init' -- ,
> which is owned by my user.
> 
> So the behaviour is explained, but following my earlier msg,
> which advised to follow proper Unix principles,
> I should comment the 'A-^Del' line in  inittab :
> if the raw terminal can't react to 'su', it won't react to 'A-^Del' either,
> so there's no justification in terms of escaping from an emergency.

When you press ctrl-alt-delete kernel recieves  it and sends it to the program that has grabbed the keyboard. If this program doesn't trap the sequence it goes to the parent program. Like if you are running a terminal in X it first goes to the shell then terminal and then to X-server.

Now usually X traps that and performs what ever action is configured. If you set X not to trap the key press it goes all the way down back to the kernel. When kernel receives it it generates hang-up signal and sends it to the PID 1 aka init. And then executes the command in inittab.

ca:12345:ctrlaltdel:/bin/echo "shutdown"

And then:
kill -HUP 1

Will print "shutdown" to your console. If you write a small program that traps ctrl-alt-del and run that in terminal, the server will not reboot :)

>>> pressing the reset button is far worse, since there's no clean shutdown,
>>> unmounting filesystems after flushing caches, etc.
> 
> Yes : that's forced only when the keyboard ceases to respond.
> 
>>> Because of that, the default of allowing ctrl+alt+del for local users
>>> makes more sense than disabling it.
> 
> That doesn't follow : if you have multiple users,
> you don't want some rogue user rebooting randomly ;
> it makes sense only as a convenience on a single-user system.
> It seems to be the default behaviour of 'inittab'
> -- there no comment saying I set it myself, which I would have added -- ,
> which is not appropriate for Gentoo systems in general,
> some of which are undoubtedly multi-user.

On a multi-user system only the user sitting on the local terminal can press ctrl-alt-del and reboot the machine as he could also hit the server with a sledge hammer :)

-- 
-Matti

Re: [gentoo-user] Re: How to poweroff the system from user?

[lee]

Philip Webb <purslow@ca.inter.net> writes:

> 150322 Peter Humphrey wrote:
>> On Sunday 22 March 2015 13:04:44 Nikos Chantziaras wrote:
>>>> I can reboot the system when I am a user by Ctrl+Alt+Delete.
>>>> The user can reboot the system, but can't shut down ?  Strange
>>> The thinking is that you can unplug the machine
>>> or press the hardware reset or power button or flip the PSU switch ...
>>> Preventing a ctrl+alt+del reboot does not add anything to security.
>>> Security doesn't apply to users with physical access to the machine.
>>> However, this is just a default. You can easily disable reboot
>>> on ctrl+alt+del by editing /etc/inittab and commenting-out this line:
>>>   ca:12345:ctrlaltdel:/sbin/shutdown -r now
>
> Testing my single-user box with the above line in  inittab ,
> I find that if I enter 'A-^Del' , I exit X to the raw terminal ;

That's usually Ctrl+Alt+Backspace.  I had to turn that off with 'Option
"DontZap" "true"' in the server section of xorg.conf because I somehow
happen to press that accidentally about once a month :/

> The 1st effect is explained in  ~/.fluxbox/keys  by
>   # exit fluxbox
>   Control Mod1 Delete :Exit

So whatever handles keyboard inputs with the X server even intercepts
Ctrl+Alt+Del?

Does fluxbox quit all programs nicely before it exits?

> However, the 2nd effect is not explained so easily :
> 'A-^Del' reboots when entered at a raw terminal,
> but 'shutdown -r now' does not, yet the former is defined as the latter
> by the line above in my  /etc/inittab .
>
> The cause seems to be that 'A-^Del' is intercepted by 'init' (Process 1),
> which is owned by root, but 'shutdown -r now' is heard by Process 910
> -- 'bash' running in the raw terminal, which was started by 'init' -- ,
> which is owned by my user.
>
> So the behaviour is explained, but following my earlier msg,
> which advised to follow proper Unix principles,
> I should comment the 'A-^Del' line in  inittab :
> if the raw terminal can't react to 'su', it won't react to 'A-^Del' either,
> so there's no justification in terms of escaping from an emergency.

What happens when you comment out the entry in inittab and someone
presses Ctrl+Alt+Del?  Nothing?

>>> pressing the reset button is far worse, since there's no clean shutdown,
>>> unmounting filesystems after flushing caches, etc.
>
> Yes : that's forced only when the keyboard ceases to respond.
>
>>> Because of that, the default of allowing ctrl+alt+del for local users
>>> makes more sense than disabling it.
>
> That doesn't follow : if you have multiple users,
> you don't want some rogue user rebooting randomly ;
> it makes sense only as a convenience on a single-user system.
> It seems to be the default behaviour of 'inittab'
> -- there no comment saying I set it myself, which I would have added -- ,
> which is not appropriate for Gentoo systems in general,
> some of which are undoubtedly multi-user.

Undefined behaviour as the default also isn't ideal, and I agree that
"nothing happens" would be much better:

What's the last time you pressed Ctrl+Alt+Del and it actually worked?
It's a legacy thing from times when freezes/crashes were common and when
it did work and was useful.

Nowadays, when you're pressing it, usually nothing happens anyway
because the machine is down to where you have to press the reset button
or to turn off the power (if you can't log in with ssh).  When the
machine still works, Ctrl+Alt+Del also works, which means that the
default does nothing but create a security hole.

So how can we have this default changed?


-- 
Again we must be afraid of speaking of daemons for fear that daemons
might swallow us.  Finally, this fear has become reasonable.

Re: [gentoo-user] Re: How to poweroff the system from user?

[Fernando Rodriguez]

On Sunday, March 29, 2015 12:23:00 PM lee wrote:
> Philip Webb <purslow@ca.inter.net> writes:
> What's the last time you pressed Ctrl+Alt+Del and it actually worked?
> It's a legacy thing from times when freezes/crashes were common and when
> it did work and was useful.
> 
> Nowadays, when you're pressing it, usually nothing happens anyway
> because the machine is down to where you have to press the reset button
> or to turn off the power (if you can't log in with ssh).  When the
> machine still works, Ctrl+Alt+Del also works, which means that the
> default does nothing but create a security hole.

On Linux now there's the Magic SysRq Key feature for that. If enabled (I think 
it is by default, may be wrong) you can use ctrl-alt-sysrq plus one these keys 
even if your kernel panics or freezes in most cases (ctrl may only be needed 
from xorg):

r - to get the keyboard back so you can switch to VT if xorg freezes
e - to terminate all processes gracefully (SIGTERM) except pid 1
i - to terminate all processes forcefully (SIGKILL) except pid 1
s - to sync all filesystems 
u - to unmount them and remount readonly
b - to reboot

Easy to remember as "Reboot Even If System Utterly Broken"
There's a lot of other commands in the kernel docs sysrq.txt
 
> So how can we have this default changed?

Somebody posted that on this very thread. Replace the ctrlaltdel entry on 
inittab with /bin/false.

-- 
Fernando Rodriguez

Re: [gentoo-user] Re: How to poweroff the system from user?

[Fernando Rodriguez]

On Tuesday, March 31, 2015 1:57:32 AM Fernando Rodriguez wrote:
> On Sunday, March 29, 2015 12:23:00 PM lee wrote:
> > Philip Webb <purslow@ca.inter.net> writes:
> > What's the last time you pressed Ctrl+Alt+Del and it actually worked?
> > It's a legacy thing from times when freezes/crashes were common and when
> > it did work and was useful.
> > 
> > Nowadays, when you're pressing it, usually nothing happens anyway
> > because the machine is down to where you have to press the reset button
> > or to turn off the power (if you can't log in with ssh).  When the
> > machine still works, Ctrl+Alt+Del also works, which means that the
> > default does nothing but create a security hole.
> 
> On Linux now there's the Magic SysRq Key feature for that. If enabled (I 
think 
> it is by default, may be wrong) you can use ctrl-alt-sysrq plus one these 
keys 
> even if your kernel panics or freezes in most cases (ctrl may only be needed 
> from xorg):
> 
> r - to get the keyboard back so you can switch to VT if xorg freezes
> e - to terminate all processes gracefully (SIGTERM) except pid 1
> i - to terminate all processes forcefully (SIGKILL) except pid 1
> s - to sync all filesystems 
> u - to unmount them and remount readonly
> b - to reboot
> 
> Easy to remember as "Reboot Even If System Utterly Broken"
> There's a lot of other commands in the kernel docs sysrq.txt
>  
> > So how can we have this default changed?
> 
> Somebody posted that on this very thread. Replace the ctrlaltdel entry on 
> inittab with /bin/false.
> 
> 
Actually it says after a crash or freeze but not a panic.
-- 
Fernando Rodriguez

Re: [gentoo-user] Re: How to poweroff the system from user?

[Tom H]

On Tue, Mar 31, 2015 at 1:57 AM, Fernando Rodriguez
<frodriguez.developer@outlook.com> wrote:


> On Linux now there's the Magic SysRq Key feature for that. If enabled (I think
> it is by default, may be wrong) you can use ctrl-alt-sysrq plus one these keys
> even if your kernel panics or freezes in most cases (ctrl may only be needed
> from xorg):
>
> r - to get the keyboard back so you can switch to VT if xorg freezes
> e - to terminate all processes gracefully (SIGTERM) except pid 1
> i - to terminate all processes forcefully (SIGKILL) except pid 1
> s - to sync all filesystems
> u - to unmount them and remount readonly
> b - to reboot

You have to set "MAGIC_SYSRQ" to "y" for it to be enabled.

You can set the "capabilities" of sysrq either via
'MAGIC_SYSRQ_DEFAULT_ENABLE" or via sysctl. Debian uses the former (to
set it to 438) and Ubuntu and Fedora use the latter (to set it to 176
and 16 respectively). "16" is systemd upstream's default whereby you
can only sync filesystems. It's the kind of value that can be the
source of a lot of arguing...


> Easy to remember as "Reboot Even If System Utterly Broken"

I remember it as the reverse of "busier".

Re: [gentoo-user] Re: How to poweroff the system from user?

[Emanuele Rusconi]

> > Easy to remember as "Reboot Even If System Utterly Broken"
>
> I remember it as the reverse of "busier".
>

A variant I read somewhere is "Raising (Skinny) Elephants Is So Utterly Boring".
"Skinny" is an extra optional sync, it doesn't hurt and makes the
mnemonic funnier.

Re: [gentoo-user] Re: How to poweroff the system from user?

[Tom H]

On Tue, Mar 31, 2015 at 5:42 AM, Emanuele Rusconi <emarsk@gmail.com> wrote:
>>>
>>> Easy to remember as "Reboot Even If System Utterly Broken"
>>
>> I remember it as the reverse of "busier".
>
> A variant I read somewhere is "Raising (Skinny) Elephants Is So Utterly Boring".
> "Skinny" is an extra optional sync, it doesn't hurt and makes the
> mnemonic funnier.

:)

Re: [gentoo-user] Re: How to poweroff the system from user?

[lee]

Fernando Rodriguez <frodriguez.developer@outlook.com> writes:

> On Sunday, March 29, 2015 12:23:00 PM lee wrote:
>> Philip Webb <purslow@ca.inter.net> writes:
>> What's the last time you pressed Ctrl+Alt+Del and it actually worked?
>> It's a legacy thing from times when freezes/crashes were common and when
>> it did work and was useful.
>> 
>> Nowadays, when you're pressing it, usually nothing happens anyway
>> because the machine is down to where you have to press the reset button
>> or to turn off the power (if you can't log in with ssh).  When the
>> machine still works, Ctrl+Alt+Del also works, which means that the
>> default does nothing but create a security hole.
>
> On Linux now there's the Magic SysRq Key feature for that.

I always can't remember which keys to press with that, so I have it
disabled.

And when the keyboard is unresponsive, it won't work.

>> So how can we have this default changed?
>
> Somebody posted that on this very thread. Replace the ctrlaltdel entry on 
> inittab with /bin/false.

Oh I mean the *default*.  We should not need to change the inittab to
have it disabled by default.

Isn't commenting out the whole line sufficient?


-- 
Again we must be afraid of speaking of daemons for fear that daemons
might swallow us.  Finally, this fear has become reasonable.

Re: [gentoo-user] Re: How to poweroff the system from user?

[Rich Freeman]

On Sat, Apr 4, 2015 at 8:41 AM, lee <lee@yagibdah.de> wrote:
>
> Oh I mean the *default*.  We should not need to change the inittab to
> have it disabled by default.
>
> Isn't commenting out the whole line sufficient?
>

Uh, commenting out the line is changing the inittab (and I have no
idea if it works or not offhand).

With Gentoo I prefer to not have huge religious debates about Gentoo.
We try to give users as much choice as possible which lets us sidestep
stupid arguments about whether such-and-such is better than something
else.  The problem is that by their nature there usually can only be
one default (or one default default if you want to make it turtles all
the way down with profiles and such).  So, suddenly we end up fighting
over this stuff anyway...

-- 
Rich

Re: [gentoo-user] Re: How to poweroff the system from user?

[lee]

Rich Freeman <rich0@gentoo.org> writes:

> On Sat, Apr 4, 2015 at 8:41 AM, lee <lee@yagibdah.de> wrote:
>>
>> Oh I mean the *default*.  We should not need to change the inittab to
>> have it disabled by default.
>>
>> Isn't commenting out the whole line sufficient?
>>
>
> Uh, commenting out the line is changing the inittab (and I have no
> idea if it works or not offhand).
>
> With Gentoo I prefer to not have huge religious debates about Gentoo.
> We try to give users as much choice as possible which lets us sidestep
> stupid arguments about whether such-and-such is better than something
> else.  The problem is that by their nature there usually can only be
> one default (or one default default if you want to make it turtles all
> the way down with profiles and such).  So, suddenly we end up fighting
> over this stuff anyway...

Living in the past is not onwardly a good default.


(At first I wanted to say "Living in the past seldom is a good default."
--- but the usage of "seldom" and the idea of using "seldomly" gave me
to think, and it seems that "seldom" can mean something like "not
onwardly".  And I don't know whether it should be "Living in the past is
seldom a good default." --- which even I notice could be considered as
rather unfriendly by native English speakers --- or "... seldom is ...".
However, "not onwardly" might create an interesting tautology here, so
it has it's merits.)


-- 
Again we must be afraid of speaking of daemons for fear that daemons
might swallow us.  Finally, this fear has become reasonable.

Re: [gentoo-user] Re: How to poweroff the system from user?

[lee]

lee <lee@yagibdah.de> writes:

> Living in the past is not onwardly a good default.

s/is not onwardly/seldwhen is/

Re: [gentoo-user] Re: How to poweroff the system from user?

[Fernando Rodriguez]

On Saturday, April 04, 2015 2:41:12 PM lee wrote:
> I always can't remember which keys to press with that, so I have it
> disabled.
> 
> And when the keyboard is unresponsive, it won't work.

It will in many cases (probably most). Usually it's xorg that "freezes" the 
keyboard, in those cases ctrl-alt-sysrq-r followed by ctrl-alt-f1 should get 
you to the VT where you can restart xorg. I think the kernel needs to be 
completely locked with interrupts disabled or locked in a higher priority 
interrupt (unlikely) for it not to work or the USB stack totally broken. I can 
see some of the commands failing or even completely locking the kernel if 
something's really messed up.

-- 
Fernando Rodriguez

Re: [gentoo-user] Re: How to poweroff the system from user?

[lee]

Fernando Rodriguez <frodriguez.developer@outlook.com> writes:

> On Saturday, April 04, 2015 2:41:12 PM lee wrote:
>> I always can't remember which keys to press with that, so I have it
>> disabled.
>> 
>> And when the keyboard is unresponsive, it won't work.
>
> It will in many cases (probably most). Usually it's xorg that "freezes" the 
> keyboard, in those cases ctrl-alt-sysrq-r followed by ctrl-alt-f1 should get 
> you to the VT where you can restart xorg. I think the kernel needs to be 
> completely locked with interrupts disabled or locked in a higher priority 
> interrupt (unlikely) for it not to work or the USB stack totally broken. I can 
> see some of the commands failing or even completely locking the kernel if 
> something's really messed up.

How do you remember these keys?  A long time ago, I even printed a list,
and of course, it got lost before I ever came close to needing it.
Paper is just too volatile.


-- 
Again we must be afraid of speaking of daemons for fear that daemons
might swallow us.  Finally, this fear has become reasonable.

Re: [gentoo-user] Re: How to poweroff the system from user?

[Fernando Rodriguez]

On Tuesday, April 07, 2015 9:21:38 PM lee wrote:
> Fernando Rodriguez <frodriguez.developer@outlook.com> writes:
> 
> > On Saturday, April 04, 2015 2:41:12 PM lee wrote:
> >> I always can't remember which keys to press with that, so I have it
> >> disabled.
> >> 
> >> And when the keyboard is unresponsive, it won't work.
> >
> > It will in many cases (probably most). Usually it's xorg that "freezes" 
the 
> > keyboard, in those cases ctrl-alt-sysrq-r followed by ctrl-alt-f1 should 
get 
> > you to the VT where you can restart xorg. I think the kernel needs to be 
> > completely locked with interrupts disabled or locked in a higher priority 
> > interrupt (unlikely) for it not to work or the USB stack totally broken. I 
can 
> > see some of the commands failing or even completely locking the kernel if 
> > something's really messed up.
> 
> How do you remember these keys?  A long time ago, I even printed a list,
> and of course, it got lost before I ever came close to needing it.
> Paper is just too volatile.

Like I said: "Reboot Even If System Utterly Broken" I don't have a way to 
remember the specific keys other than knowing what the shutdown sequence is.



-- 
Fernando Rodriguez

Re: [gentoo-user] Re: How to poweroff the system from user?

[Neil Bothwick]

[-- Attachment #1: Type: text/plain, Size: 839 bytes --]

On Tue, 07 Apr 2015 21:21:38 +0200, lee wrote:

> > It will in many cases (probably most). Usually it's xorg that
> > "freezes" the keyboard, in those cases ctrl-alt-sysrq-r followed by
> > ctrl-alt-f1 should get you to the VT where you can restart xorg. I
> > think the kernel needs to be completely locked with interrupts
> > disabled or locked in a higher priority interrupt (unlikely) for it
> > not to work or the USB stack totally broken. I can see some of the
> > commands failing or even completely locking the kernel if something's
> > really messed up.  
> 
> How do you remember these keys? 

BUSIER backwards, or bookmark
http://en.wikipedia.org/wiki/Magic_SysRq_key in your phone's browser :)

-- 
Neil Bothwick

Q. What is the difference between Queensland and yoghurt?
A. Yoghurt has an active culture.

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 181 bytes --]

Re: [gentoo-user] Re: How to poweroff the system from user?

[lee]

Neil Bothwick <neil@digimed.co.uk> writes:

> On Tue, 07 Apr 2015 21:21:38 +0200, lee wrote:
>
>> > It will in many cases (probably most). Usually it's xorg that
>> > "freezes" the keyboard, in those cases ctrl-alt-sysrq-r followed by
>> > ctrl-alt-f1 should get you to the VT where you can restart xorg. I
>> > think the kernel needs to be completely locked with interrupts
>> > disabled or locked in a higher priority interrupt (unlikely) for it
>> > not to work or the USB stack totally broken. I can see some of the
>> > commands failing or even completely locking the kernel if something's
>> > really messed up.  
>> 
>> How do you remember these keys? 
>
> BUSIER backwards, or bookmark
> http://en.wikipedia.org/wiki/Magic_SysRq_key in your phone's browser :)

Phone's browser?


-- 
Again we must be afraid of speaking of daemons for fear that daemons
might swallow us.  Finally, this fear has become reasonable.

Re: [gentoo-user] Re: How to poweroff the system from user?

[Emanuele Rusconi]

On 8 April 2015 at 23:47, lee <lee@yagibdah.de> wrote:
>
> Neil Bothwick <neil@digimed.co.uk> writes:
>
> > On Tue, 07 Apr 2015 21:21:38 +0200, lee wrote:
> >
> > > How do you remember these keys?
> >
> > BUSIER backwards, or bookmark
> > http://en.wikipedia.org/wiki/Magic_SysRq_key in your phone's browser :)
>
> Phone's browser?

If you need the SysRq trick, you probably can't use your computer's browser ;) .

-- Emanuele Rusconi

Re: [gentoo-user] Re: How to poweroff the system from user?

[lee]

Emanuele Rusconi <emarsk@gmail.com> writes:

> On 8 April 2015 at 23:47, lee <lee@yagibdah.de> wrote:
>>
>> Neil Bothwick <neil@digimed.co.uk> writes:
>>
>> > On Tue, 07 Apr 2015 21:21:38 +0200, lee wrote:
>> >
>> > > How do you remember these keys?
>> >
>> > BUSIER backwards, or bookmark
>> > http://en.wikipedia.org/wiki/Magic_SysRq_key in your phone's browser :)
>>
>> Phone's browser?
>
> If you need the SysRq trick, you probably can't use your computer's browser ;) .

Then I won't have a browser I could use.


-- 
Again we must be afraid of speaking of daemons for fear that daemons
might swallow us.  Finally, this fear has become reasonable.

Re: [gentoo-user] Re: How to poweroff the system from user?

[Neil Bothwick]

[-- Attachment #1: Type: text/plain, Size: 557 bytes --]

On Wed, 15 Apr 2015 00:06:33 +0200, lee wrote:

> >> > > How do you remember these keys?  
> >> >
> >> > BUSIER backwards, or bookmark
> >> > http://en.wikipedia.org/wiki/Magic_SysRq_key in your phone's
> >> > browser :)  
> >>
> >> Phone's browser?  
> >
> > If you need the SysRq trick, you probably can't use your computer's
> > browser ;) .  
> 
> Then I won't have a browser I could use.

Never mind, there's always Post-It notes - they aren't only for passwords.


-- 
Neil Bothwick

Always be sincere even if you don't mean it.

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 181 bytes --]

Re: [gentoo-user] Re: How to poweroff the system from user?

[lee]

Neil Bothwick <neil@digimed.co.uk> writes:

> On Wed, 15 Apr 2015 00:06:33 +0200, lee wrote:
>
>> >> > > How do you remember these keys?  
>> >> >
>> >> > BUSIER backwards, or bookmark
>> >> > http://en.wikipedia.org/wiki/Magic_SysRq_key in your phone's
>> >> > browser :)  
>> >>
>> >> Phone's browser?  
>> >
>> > If you need the SysRq trick, you probably can't use your computer's
>> > browser ;) .  
>> 
>> Then I won't have a browser I could use.
>
> Never mind, there's always Post-It notes - they aren't only for passwords.

That isn't better than printing the key bindings ...


-- 
Again we must be afraid of speaking of daemons for fear that daemons
might swallow us.  Finally, this fear has become reasonable.

Re: [gentoo-user] Re: How to poweroff the system from user?

[Neil Bothwick]

[-- Attachment #1: Type: text/plain, Size: 494 bytes --]

On Sat, 04 Apr 2015 14:41:12 +0200, lee wrote:

> > On Linux now there's the Magic SysRq Key feature for that.  
> 
> I always can't remember which keys to press with that, so I have it
> disabled.

BUSIER backwards.

> And when the keyboard is unresponsive, it won't work.

It usually does. The kernel sees the Magic key events directly, so even
if your X server has crashed, it will still respond to Alt-SysReq.


-- 
Neil Bothwick

Linux users do it without paying a Bill

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 181 bytes --]

Re: [gentoo-user] Re: How to poweroff the system from user?

[Dale]

Neil Bothwick wrote:
> On Sat, 04 Apr 2015 14:41:12 +0200, lee wrote:
>
>>> On Linux now there's the Magic SysRq Key feature for that.  
>> I always can't remember which keys to press with that, so I have it
>> disabled.
> BUSIER backwards.
>
>> And when the keyboard is unresponsive, it won't work.
> It usually does. The kernel sees the Magic key events directly, so even
> if your X server has crashed, it will still respond to Alt-SysReq.
>
>

I used that on a few puters.  I don't recall this ever not working.  X
may not see the keyboard but the kernel does.  It's a life saver at
times too.  At least you can sync and unmount cleanly. 

Dale

:-)  :-) 

Re: [gentoo-user] Re: How to poweroff the system from user?

[Rich Freeman]

On Sun, Apr 5, 2015 at 3:27 AM, Dale <rdalek1967@gmail.com> wrote:
> Neil Bothwick wrote:
>> On Sat, 04 Apr 2015 14:41:12 +0200, lee wrote:
>>
>>>> On Linux now there's the Magic SysRq Key feature for that.
>>> I always can't remember which keys to press with that, so I have it
>>> disabled.
>> BUSIER backwards.
>>
>>> And when the keyboard is unresponsive, it won't work.
>> It usually does. The kernel sees the Magic key events directly, so even
>> if your X server has crashed, it will still respond to Alt-SysReq.
>>
>>
>
> I used that on a few puters.  I don't recall this ever not working.  X
> may not see the keyboard but the kernel does.  It's a life saver at
> times too.  At least you can sync and unmount cleanly.
>

If you're dealing with a kernel panic of some kind (which you
inevitably are when you are doing this sort of thing), all bets are
off.  I'll agree that usually the magic sysrq works.  However, there
are certainly going to be cases where it doesn't, or at least where
parts of it don't work.  In my case the part that usually fails for me
right now is btrfs, so unmounting won't work anyway (though I guess it
will take care of the ext4 backup partition that is only rarely
touched anyway).

-- 
Rich

Re: [gentoo-user] Re: How to poweroff the system from user?

[Dale]

Rich Freeman wrote:
> On Sun, Apr 5, 2015 at 3:27 AM, Dale <rdalek1967@gmail.com> wrote:
>> Neil Bothwick wrote:
>>> On Sat, 04 Apr 2015 14:41:12 +0200, lee wrote:
>>>
>>>>> On Linux now there's the Magic SysRq Key feature for that.
>>>> I always can't remember which keys to press with that, so I have it
>>>> disabled.
>>> BUSIER backwards.
>>>
>>>> And when the keyboard is unresponsive, it won't work.
>>> It usually does. The kernel sees the Magic key events directly, so even
>>> if your X server has crashed, it will still respond to Alt-SysReq.
>>>
>>>
>> I used that on a few puters.  I don't recall this ever not working.  X
>> may not see the keyboard but the kernel does.  It's a life saver at
>> times too.  At least you can sync and unmount cleanly.
>>
> If you're dealing with a kernel panic of some kind (which you
> inevitably are when you are doing this sort of thing), all bets are
> off.  I'll agree that usually the magic sysrq works.  However, there
> are certainly going to be cases where it doesn't, or at least where
> parts of it don't work.  In my case the part that usually fails for me
> right now is btrfs, so unmounting won't work anyway (though I guess it
> will take care of the ext4 backup partition that is only rarely
> touched anyway).
>


That is true but it seems to work most of the time for the usual
failures.  Ask some old timers on this list, hitting reset or having to
pull the plug from the wall really gets on my nerve, every single one of
them and in a hurry.  Dare I think about hal and what a mess it caused
for me. 

Dale

:-)  :-) 

Re: [gentoo-user] How to poweroff the system from user?

[Jc García]

2015-03-22 4:30 GMT-06:00 Peter Humphrey <peter@prh.myzen.co.uk>:
> On Saturday 21 March 2015 16:20:17 Jc García wrote:
>> > Interesting. But as I said ealier, I can reboot the system when I am a
>> > user by Ctrl+Alt+Delete. The user can reboot the system, but can't shut
>> > down? Strange
>> It's not strange,  `man 2 reboot`. It's a defined behavior.
>
> I'm with German here. Being designed that way doesn't stop it being strange.
>

I see it as a last resource available for rebooting under any
circumstances( Similar to what you can do with Sysrq).


> Consider: I'm an ordinary user sitting at a terminal. I'm not allowed to
> halt the machine, but I am allowed to reboot it into perhaps some quite
> other configuration. Or I can keep rebooting it over and again, effectively
> preventing the machine from doing its job. How does that make sense?
>

It doesn't and that's why it's configurable, if you are in a high
security requiring environment, you disable it.

Re: [gentoo-user] How to poweroff the system from user?

[Peter Humphrey]

On Sunday 22 March 2015 14:36:36 Jc García wrote:
> 2015-03-22 4:30 GMT-06:00 Peter Humphrey <peter@prh.myzen.co.uk>:
> > On Saturday 21 March 2015 16:20:17 Jc García wrote:
> >> > Interesting. But as I said ealier, I can reboot the system when I am
> >> > a
> >> > user by Ctrl+Alt+Delete. The user can reboot the system, but can't
> >> > shut
> >> > down? Strange
> >> 
> >> It's not strange,  `man 2 reboot`. It's a defined behavior.
> > 
> > I'm with German here. Being designed that way doesn't stop it being
> > strange.
> I see it as a last resource available for rebooting under any
> circumstances( Similar to what you can do with Sysrq).
> 
> > Consider: I'm an ordinary user sitting at a terminal. I'm not allowed to
> > halt the machine, but I am allowed to reboot it into perhaps some quite
> > other configuration. Or I can keep rebooting it over and again,
> > effectively preventing the machine from doing its job. How does that
> > make sense?
> It doesn't and that's why it's configurable, if you are in a high
> security requiring environment, you disable it.

The consensus seems to be that there's no point in trying to prevent a user 
from rebooting the machine, and I'm happy to go along with that.

The remaining question is: why is the user not allowed to halt it?

-- 
Rgds
Peter.

回复：Re: [gentoo-user] How to poweroff the system from user?

[Nicol TAO]

[-- Attachment #1: Type: text/plain, Size: 1426 bytes --]

just security problem. server should not be that easy to be interrupted!


在2015年03月23日 17:46，Peter Humphrey 写道:
On Sunday 22 March 2015 14:36:36 Jc García wrote:
> 2015-03-22 4:30 GMT-06:00 Peter Humphrey <peter@prh.myzen.co.uk>:
> > On Saturday 21 March 2015 16:20:17 Jc García wrote:
> >> > Interesting. But as I said ealier, I can reboot the system when I am
> >> > a
> >> > user by Ctrl+Alt+Delete. The user can reboot the system, but can't
> >> > shut
> >> > down? Strange
> >>
> >> It's not strange,  `man 2 reboot`. It's a defined behavior.
> >
> > I'm with German here. Being designed that way doesn't stop it being
> > strange.
> I see it as a last resource available for rebooting under any
> circumstances( Similar to what you can do with Sysrq).
>
> > Consider: I'm an ordinary user sitting at a terminal. I'm not allowed to
> > halt the machine, but I am allowed to reboot it into perhaps some quite
> > other configuration. Or I can keep rebooting it over and again,
> > effectively preventing the machine from doing its job. How does that
> > make sense?
> It doesn't and that's why it's configurable, if you are in a high
> security requiring environment, you disable it.

The consensus seems to be that there's no point in trying to prevent a user
from rebooting the machine, and I'm happy to go along with that.

The remaining question is: why is the user not allowed to halt it?

--
Rgds
Peter.



[-- Attachment #2: Type: text/html, Size: 2612 bytes --]

Re: [gentoo-user] How to poweroff the system from user?

[Rich Freeman]

On Mon, Mar 23, 2015 at 5:46 AM, Peter Humphrey <peter@prh.myzen.co.uk> wrote:
>
> The remaining question is: why is the user not allowed to halt it?
>

Keep in mind there are many ways that a unix-like OS can be used.  It
could be running on a laptop, or it could be running on a multi-user
system where 50 people are logged in at any given time.  In the former
case you want a desktop-like experience where the user can just hit
the shutdown button, and in the latter case you don't want users
powering off the server which might be 4 states away.

The old solution to this was just having the system owner run sudo
poweroff.  Then desktop environments came up with a way to allow a
logged in user to send a command back to the display manager (which
runs as root) to tell it to shut down the system, and made whether
that is allowed configurable.  The most recent evolution of this is
consolekit/logind, which distinguishes users logged in at the system
console from those logged in remotely and grants the authority to
shutdown the system if you're local.  This approach also does things
like assign permissions to audio devices as well, so that only the
person sitting at the console can spy on the console using the
microphone and you don't need to control this manually using an audio
group.

The other trend is for unprivileged processes access privileged
functions via dbus, controlled by polkit.  This allows granular
control over what users/groups/etc can run what functions, potentially
based on whether they're at a local console or not.  You can even
control that particular functions require a root password or for the
user to re-enter their password.  This puts all the policy rules in
/etc and reduces the amount of per-application configuration.  It is a
bit like sudoers, but with more fine-grained control and without
getting into hard-coding command lines (which can be a bit clumsy).
The traditional downside to this approach has been the need to run
dbus, but this is moving into the kernel and the intent is to
encourage processes to utilize it as the main IPC mechanism.

The end goal is to try to get reasonable default behavior without
requiring either desktop or server administrators to have to do much,
or to have to designate a distro as being primarily desktop vs server
in nature.  On a server nobody is logged in via the console, so you
get restricted privileges by default.  On a desktop the main user is
logged in via the console and can use their webcam+mic, but others who
might be allowed to login cannot remotely connect over the network and
spy on the same.  However, all of this is configurable - you can stick
rules in /etc which change these behaviors.

-- 
Rich

[gentoo-user] Re: How to poweroff the system from user?

[Nikos Chantziaras]

On 23/03/15 11:46, Peter Humphrey wrote:
> The consensus seems to be that there's no point in trying to prevent a user
> from rebooting the machine, and I'm happy to go along with that.
>
> The remaining question is: why is the user not allowed to halt it?

Because there's no keyboard shortcut for halt. Only for reboot :-)

Re: [gentoo-user] Re: How to poweroff the system from user?

[Matti Nykyri]

> On Mar 23, 2015, at 14:13, Nikos Chantziaras <realnc@gmail.com> wrote:
> 
>> On 23/03/15 11:46, Peter Humphrey wrote:
>> The consensus seems to be that there's no point in trying to prevent a user
>> from rebooting the machine, and I'm happy to go along with that.
>> 
>> The remaining question is: why is the user not allowed to halt it?
> 
> Because there's no keyboard shortcut for halt. Only for reboot :-)

Well you can set init to run halt on ctrl-alt-up arrow -keypress.

-- 
-Matti

[gentoo-user] Re: How to poweroff the system from user?

[Nikos Chantziaras]

On 23/03/15 14:16, Matti Nykyri wrote:
>> On Mar 23, 2015, at 14:13, Nikos Chantziaras <realnc@gmail.com> wrote:
>>
>>> On 23/03/15 11:46, Peter Humphrey wrote:
>>> The consensus seems to be that there's no point in trying to prevent a user
>>> from rebooting the machine, and I'm happy to go along with that.
>>>
>>> The remaining question is: why is the user not allowed to halt it?
>>
>> Because there's no keyboard shortcut for halt. Only for reboot :-)
>
> Well you can set init to run halt on ctrl-alt-up arrow -keypress.

This is mostly about standard expectations though. No one expects to 
halt the machine with the vulcan pinch. You press the power button for 
that, which does a safe shutdown in the majority of setups (unless you 
have all power management features disabled.)

Nowadays, only the reset button is a source of evil, as it's not handled 
by ACPI (or other power management mechanisms). It really is hardwired 
into resetting the the mainboard/cpu.

So:

Rebooting with ctrl+alt+del: safe
Halting by pressing the machine's power button: safe
Pressing the machine's reset button: Ouch!

Of course, back in the bad old days, the power button would simply cut 
power. There was no ACPI or anything equivalent. But still, even then, 
there was no keyboard shortcut for "halt" anyway, so people weren't 
expecting to be able to safely halt a machine without root access. The 
ability to reboot safely, on the other hand, was always expected.

Re: [gentoo-user] How to poweroff the system from user?

[Emanuele Rusconi]

[-- Attachment #1: Type: text/plain, Size: 2036 bytes --]

On 23 March 2015 at 10:46, Peter Humphrey <peter@prh.myzen.co.uk> wrote:

> On Sunday 22 March 2015 14:36:36 Jc García wrote:
> > 2015-03-22 4:30 GMT-06:00 Peter Humphrey <peter@prh.myzen.co.uk>:
> > > On Saturday 21 March 2015 16:20:17 Jc García wrote:
> > >> > Interesting. But as I said ealier, I can reboot the system when I am
> > >> > a
> > >> > user by Ctrl+Alt+Delete. The user can reboot the system, but can't
> > >> > shut
> > >> > down? Strange
> > >>
> > >> It's not strange,  `man 2 reboot`. It's a defined behavior.
> > >
> > > I'm with German here. Being designed that way doesn't stop it being
> > > strange.
> > I see it as a last resource available for rebooting under any
> > circumstances( Similar to what you can do with Sysrq).
> >
> > > Consider: I'm an ordinary user sitting at a terminal. I'm not allowed
> to
> > > halt the machine, but I am allowed to reboot it into perhaps some quite
> > > other configuration. Or I can keep rebooting it over and again,
> > > effectively preventing the machine from doing its job. How does that
> > > make sense?
> > It doesn't and that's why it's configurable, if you are in a high
> > security requiring environment, you disable it.
>
> The consensus seems to be that there's no point in trying to prevent a user
> from rebooting the machine, and I'm happy to go along with that.
>
> The remaining question is: why is the user not allowed to halt it?
>
> --
> Rgds
> Peter.
>
>
>
Maybe some people here missed my post.

You CAN allow the user to halt: just substitute
ca:12345:ctrlaltdel:/sbin/shutdown -r now
with
ca:12345:ctrlaltdel:/sbin/shutdown -P now
in /etc/inittab and Ctrl-Alt-Del will shutdown instead of reboot.

In fact, Ctrl-Alt-Del can be set up to do whatever you want and will
have root privileges.

If this is a security hole for your use case, you can comment it or set
it to
ca:12345:ctrlaltdel: /bin/echo 'Hey, don't touch me there!'
, or you can disable it entirely in the kernel.
--
Emanuele

[-- Attachment #2: Type: text/html, Size: 2987 bytes --]

Re: [gentoo-user] How to poweroff the system from user?

[lee]

Peter Humphrey <peter@prh.myzen.co.uk> writes:

> The remaining question is: why is the user not allowed to halt it?

It's because a user who wants to somewhat permanently disrupt the
services the machine provides would need to remain at the keyboard to
continue to reboot it and thus can be caught more easily than a user who
shuts the machine down and then escapes.

This is assuming that a user who does such things isn't smart enough to
enter the BIOS setup before they escape, which characterizes users doing
such things.


That leaves the question why a user who isn't even logged in should be
able to reboot, which IIRC they can by default with Ctrl+Alt+Del.  Such
users shouldn't be allowed to do anything but to log in.


-- 
Again we must be afraid of speaking of daemons for fear that daemons
might swallow us.  Finally, this fear has become reasonable.

Re: [gentoo-user] How to poweroff the system from user?

[Walter Dnes]

On Sun, Mar 29, 2015 at 12:43:12PM +0200, lee wrote

> That leaves the question why a user who isn't even logged in should
> be able to reboot, which IIRC they can by default with Ctrl+Alt+Del.
> Such users shouldn't be allowed to do anything but to log in.

  As the old saying goes... "If you don't have physical security, you
don't have any security".  A malicious person at the physical keyboard
of the machine could just as easily yank the power cord of out of the
wall, insert a USB key into the machine, plug the machine back in, boot
up from the USB key, and copy over malicious binaries.

-- 
Walter Dnes <waltdnes@waltdnes.org>
I don't run "desktop environments"; I run useful applications

Re: [gentoo-user] How to poweroff the system from user?

[Rich Freeman]

On Sun, Mar 29, 2015 at 7:20 PM, Walter Dnes <waltdnes@waltdnes.org> wrote:
> On Sun, Mar 29, 2015 at 12:43:12PM +0200, lee wrote
>
>> That leaves the question why a user who isn't even logged in should
>> be able to reboot, which IIRC they can by default with Ctrl+Alt+Del.
>> Such users shouldn't be allowed to do anything but to log in.
>
>   As the old saying goes... "If you don't have physical security, you
> don't have any security".  A malicious person at the physical keyboard
> of the machine could just as easily yank the power cord of out of the
> wall, insert a USB key into the machine, plug the machine back in, boot
> up from the USB key, and copy over malicious binaries.
>

With TPM, full-disk encryption, and a verified boot path, you could
actually protect against that scenario (they'd have to tear apart the
TPM chip and try to access the non-volatile storage directly, and the
chips are specifically designed to defeat this).  Secure boot would
not hurt either (with your own keys).  Of course, they could still try
to hack in via USB/PCI/etc, or plant keyloggers and such.  I'm not
suggesting physical security isn't important.  It just isn't a good
reason to completely neglect console security.

-- 
Rich

Re: [gentoo-user] How to poweroff the system from user?

[Walter Dnes]

On Sun, Mar 29, 2015 at 03:30:07PM -0400, Rich Freeman wrote

> With TPM, full-disk encryption, and a verified boot path, you could
> actually protect against that scenario (they'd have to tear apart the
> TPM chip and try to access the non-volatile storage directly, and the
> chips are specifically designed to defeat this).  Secure boot would
> not hurt either (with your own keys).  Of course, they could still try
> to hack in via USB/PCI/etc, or plant keyloggers and such.  I'm not
> suggesting physical security isn't important.  It just isn't a good
> reason to completely neglect console security.

  Be careful what you wish for.  I have my doubts that TPM chips would
boot linux with Microsoft offering "volume discounts" to OEMS.  Call me
cynical.

-- 
Walter Dnes <waltdnes@waltdnes.org>
I don't run "desktop environments"; I run useful applications

Re: [gentoo-user] How to poweroff the system from user?

[Rich Freeman]

On Sun, Mar 29, 2015 at 8:32 PM, Walter Dnes <waltdnes@waltdnes.org> wrote:
>
>   Be careful what you wish for.  I have my doubts that TPM chips would
> boot linux with Microsoft offering "volume discounts" to OEMS.  Call me
> cynical.
>

TPM chips don't control what boots.  They just accept the hash of the
bootloader reported by the firmware and store it (and that is it as
far as the OEM's contribution to the process).  Linux supports TPM
chips, as does trusted grub.  I have no idea if gummiboot or any of
the EFI solutions do (presumably direct to linux works) - you'd need a
TPM-aware bootloader to take advantage of TPM-based full-disk
encryption unless you want to be typing in a password when you boot.
A TPM is still useful with password-based boots since it can enforce a
maximum number of guesses before it destroys the key.  However, the
real magic is when you use a verified boot path so that your system
just magically boots into linux if the boot path is not tampered with,
and if not the hard drive is impossible to read (and you can do all
this while keeping a copy of your disk key safely offline just in
case).

Remember, TPM isn't UEFI - it works differently and has been around in
PCs a lot longer.

-- 
Rich

Re: [gentoo-user] How to poweroff the system from user?

[Mick]

[-- Attachment #1: Type: Text/Plain, Size: 886 bytes --]

On Monday 30 Mar 2015 01:52:14 Rich Freeman wrote:
> On Sun, Mar 29, 2015 at 8:32 PM, Walter Dnes <waltdnes@waltdnes.org> wrote:
> >   Be careful what you wish for.  I have my doubts that TPM chips would
> > 
> > boot linux with Microsoft offering "volume discounts" to OEMS.  Call me
> > cynical.
> 
> TPM chips don't control what boots.  They just accept the hash of the
> bootloader reported by the firmware and store it (and that is it as
> far as the OEM's contribution to the process). 

Rich, the problem with TPM as I understand it is that the private key in the 
TPM chip is not yours, generated on your trusted platform, but the TPM 
manufacturer's and is burned into the TPM chip at the time of production.  If 
the TPM OEMs are in US or within the sphere of influence of the US, then I 
would consider this key as good as compromised.

-- 
Regards,
Mick

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 473 bytes --]

Re: [gentoo-user] How to poweroff the system from user?

[Rich Freeman]

On Mon, Mar 30, 2015 at 4:09 AM, Mick <michaelkintzios@gmail.com> wrote:
> On Monday 30 Mar 2015 01:52:14 Rich Freeman wrote:
>> On Sun, Mar 29, 2015 at 8:32 PM, Walter Dnes <waltdnes@waltdnes.org> wrote:
>> >   Be careful what you wish for.  I have my doubts that TPM chips would
>> >
>> > boot linux with Microsoft offering "volume discounts" to OEMS.  Call me
>> > cynical.
>>
>> TPM chips don't control what boots.  They just accept the hash of the
>> bootloader reported by the firmware and store it (and that is it as
>> far as the OEM's contribution to the process).
>
> Rich, the problem with TPM as I understand it is that the private key in the
> TPM chip is not yours, generated on your trusted platform, but the TPM
> manufacturer's and is burned into the TPM chip at the time of production.  If
> the TPM OEMs are in US or within the sphere of influence of the US, then I
> would consider this key as good as compromised.

As far as I'm aware, using a TPM for full-disk encryption does not
rely on any keys pre-installed in the TPM.  Typically you install your
own key or have the TPM generate one for you.  All the TPM does is
refuse to divulge the key unless the firmware reported that the
bootloader hash matches what you told it to look out for, and the
bootloader reported that the kernel hash matches what you told it to
look for (and you can go beyond that, but only if you are using a
distro that signs its userspace, which I believe is a direction RedHat
is going).

However, if the TPM or firmware has a back-door, then I'll certainly
grant that the NSA can read your hard drive.  They don't even need to
compromise the TPM - the firmware alone is capable of compromising the
trusted boot path.  It just needs to tell the TPM that it booted your
trusted bootloader when it really booted something else.

Securing your system isn't really about keeping the NSA out.  If they
want in, they're probably already in.  Sure, it might be
hypothetically possible to keep them out, but it would take far more
effort than almost anybody is going to be willing to put in.  A TPM
will likely do a very effective job at keeping the 99.9999999% of
people on the Earth who aren't the NSA out, which seems to be good
enough for just about every company on the planet, since most secure
their laptops with TPMs.

-- 
Rich

Re: [gentoo-user] How to poweroff the system from user?

[Mick]

[-- Attachment #1: Type: Text/Plain, Size: 1059 bytes --]

On Monday 30 Mar 2015 01:32:21 Walter Dnes wrote:
> On Sun, Mar 29, 2015 at 03:30:07PM -0400, Rich Freeman wrote
> 
> > With TPM, full-disk encryption, and a verified boot path, you could
> > actually protect against that scenario (they'd have to tear apart the
> > TPM chip and try to access the non-volatile storage directly, and the
> > chips are specifically designed to defeat this).  Secure boot would
> > not hurt either (with your own keys).  Of course, they could still try
> > to hack in via USB/PCI/etc, or plant keyloggers and such.  I'm not
> > suggesting physical security isn't important.  It just isn't a good
> > reason to completely neglect console security.
> 
>   Be careful what you wish for.  I have my doubts that TPM chips would
> boot linux with Microsoft offering "volume discounts" to OEMS.  Call me
> cynical.

Well, yes, post Snowden revelations we can reasonably suspect that the TPM 
OEMs have degraded the randomness of the chip sufficiently for spooks to be 
able to crack your keys.

-- 
Regards,
Mick

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 473 bytes --]

Re: [gentoo-user] How to poweroff the system from user?

[lee]

"Walter Dnes" <waltdnes@waltdnes.org> writes:

> On Sun, Mar 29, 2015 at 12:43:12PM +0200, lee wrote
>
>> That leaves the question why a user who isn't even logged in should
>> be able to reboot, which IIRC they can by default with Ctrl+Alt+Del.
>> Such users shouldn't be allowed to do anything but to log in.
>
>   As the old saying goes... "If you don't have physical security, you
> don't have any security".  A malicious person at the physical keyboard
> of the machine could just as easily yank the power cord of out of the
> wall, insert a USB key into the machine, plug the machine back in, boot
> up from the USB key, and copy over malicious binaries.

It's not logical to provide ppl who want to copy over malicious binaries
with an easy way to reboot the machine in order to do so.


-- 
Again we must be afraid of speaking of daemons for fear that daemons
might swallow us.  Finally, this fear has become reasonable.

Re: [gentoo-user] How to poweroff the system from user?

[Fernando Rodriguez]

On Saturday, March 21, 2015 4:58:42 PM German wrote:
> On Sat, 21 Mar 2015 16:32:25 -0400
> Philip Webb <purslow@ca.inter.net> wrote:
> 
> > 150321 German wrote:
> > > If I run poweroff from root, the system shuts down.
> > > When I run poweroff from user -- command not found.
> > > How to shut down the system from user ?
> > 
> > I'ld say "Don't" : it's contrary to the principles of Unix,
> > which separate the roles of sysadmin (root) from those of ordinary users.
> > 
> > To shut down, I first exit Fluxbox via its menu,
> > then 'su' + root password, then alias 'down' = 'shutdown -h now'.
> > That observes the proper roles + ceremonies (smile).
> 
> Interesting. But as I said ealier, I can reboot the system when I am a user 
by Ctrl+Alt+Delete. The user can reboot the system, but can't shut down? 
Strange
> > 

Either /sbin/poweroff or /usr/sbin/poweroff will do it from a local session (if 
there's no other users logged in locally).

Like I said, /sbin is only on the search path for root by default on gentoo.

-- 
Fernando Rodriguez

Re: [gentoo-user] How to poweroff the system from user?

[German]

On Sat, 21 Mar 2015 18:51:58 -0400
Fernando Rodriguez <frodriguez.developer@outlook.com> wrote:

> On Saturday, March 21, 2015 4:58:42 PM German wrote:
> > On Sat, 21 Mar 2015 16:32:25 -0400
> > Philip Webb <purslow@ca.inter.net> wrote:
> > 
> > > 150321 German wrote:
> > > > If I run poweroff from root, the system shuts down.
> > > > When I run poweroff from user -- command not found.
> > > > How to shut down the system from user ?
> > > 
> > > I'ld say "Don't" : it's contrary to the principles of Unix,
> > > which separate the roles of sysadmin (root) from those of ordinary users.
> > > 
> > > To shut down, I first exit Fluxbox via its menu,
> > > then 'su' + root password, then alias 'down' = 'shutdown -h now'.
> > > That observes the proper roles + ceremonies (smile).
> > 
> > Interesting. But as I said ealier, I can reboot the system when I am a user 
> by Ctrl+Alt+Delete. The user can reboot the system, but can't shut down? 
> Strange
> > > 
> 
> Either /sbin/poweroff or /usr/sbin/poweroff will do it from a local session (if 
> there's no other users logged in locally).

/sbin/poweroff says "Must be a superuser" :(
> 
> Like I said, /sbin is only on the search path for root by default on gentoo.
> 
> -- 
> Fernando Rodriguez
> 


-- 
German <gentgerman@gmail.com>

Re: [gentoo-user] How to poweroff the system from user?

[Matti Nykyri]

> On Mar 22, 2015, at 8:32, German <gentgerman@gmail.com> wrote:
> 
> 
> /sbin/poweroff says "Must be a superuser" :(

Did you read any of the previous messages? They told you that you have to have consolekit and polkit installed and configured for this to work! Also the use of sudo is another choice.

If you want every user to be able to shutdown just run this command:

chmod 6755 /sbin/poweroff

-- 
-Matti

Re: [gentoo-user] How to poweroff the system from user?

[German]

On Sun, 22 Mar 2015 08:49:54 +0200
Matti Nykyri <matti.nykyri@iki.fi> wrote:

> > On Mar 22, 2015, at 8:32, German <gentgerman@gmail.com> wrote:
> > 
> > 
> > /sbin/poweroff says "Must be a superuser" :(
> 
> Did you read any of the previous messages? They told you that you have to have consolekit and polkit installed and configured for this to work!

Yes, I've read them. However no one explianed how this has to be accomplished with polkit and consolekit.

 Also the use of sudo is another choice.

Sudo is just a package?
> 
> If you want every user to be able to shutdown just run this command:
> 
> chmod 6755 /sbin/poweroff
> 
> -- 
> -Matti


-- 

Re: [gentoo-user] How to poweroff the system from user?

[Alexander Kapshuk]

[-- Attachment #1: Type: text/plain, Size: 879 bytes --]

On Sun, Mar 22, 2015 at 9:06 AM, German <gentgerman@gmail.com> wrote:

> On Sun, 22 Mar 2015 08:49:54 +0200
> Matti Nykyri <matti.nykyri@iki.fi> wrote:
>
> > > On Mar 22, 2015, at 8:32, German <gentgerman@gmail.com> wrote:
> > >
> > >
> > > /sbin/poweroff says "Must be a superuser" :(
> >
> > Did you read any of the previous messages? They told you that you have
> to have consolekit and polkit installed and configured for this to work!
>
> Yes, I've read them. However no one explianed how this has to be
> accomplished with polkit and consolekit.
>
>  Also the use of sudo is another choice.
>
> Sudo is just a package?
>

Yes, it is.
qsearch sudo|sed 1q
app-admin/sudo Allows users or groups to run commands as other users


> >
> > If you want every user to be able to shutdown just run this command:
> >
> > chmod 6755 /sbin/poweroff
> >
> > --
> > -Matti
>
>
> --
>
>
>

[-- Attachment #2: Type: text/html, Size: 1678 bytes --]

Re: [gentoo-user] How to poweroff the system from user?

[Matti Nykyri]

[-- Attachment #1: Type: text/plain, Size: 1116 bytes --]

> On Mar 22, 2015, at 9:11, Alexander Kapshuk <alexander.kapshuk@gmail.com> wrote:
> 
>> On Sun, Mar 22, 2015 at 9:06 AM, German <gentgerman@gmail.com> wrote:
>> On Sun, 22 Mar 2015 08:49:54 +0200
>> Matti Nykyri <matti.nykyri@iki.fi> wrote:
>> 
>> > > On Mar 22, 2015, at 8:32, German <gentgerman@gmail.com> wrote:
>> > >
>> > >
>> > > /sbin/poweroff says "Must be a superuser" :(
>> >
>> > Did you read any of the previous messages? They told you that you have to have consolekit and polkit installed and configured for this to work!
>> 
>> Yes, I've read them. However no one explianed how this has to be accomplished with polkit and consolekit.

Read http://wiki.gentoo.org/wiki/Polkit and all the links and prerequisites (consolekit and dbus) and polkit man page.

>>  Also the use of sudo is another choice.
>> 
>> Sudo is just a package?
> 
> Yes, it is.
> qsearch sudo|sed 1q
> app-admin/sudo Allows users or groups to run commands as other users
>  
>> >
>> > If you want every user to be able to shutdown just run this command:
>> >
>> > chmod 6755 /sbin/poweroff

-- 
-Matti

[-- Attachment #2: Type: text/html, Size: 2367 bytes --]

Re: [gentoo-user] How to poweroff the system from user?

[Fernando Rodriguez]

On Sunday, March 22, 2015 3:06:59 AM German wrote:
> On Sun, 22 Mar 2015 08:49:54 +0200
> Matti Nykyri <matti.nykyri@iki.fi> wrote:
> 
> > > On Mar 22, 2015, at 8:32, German <gentgerman@gmail.com> wrote:
> > > 
> > > 
> > > /sbin/poweroff says "Must be a superuser" :(
> > 
> > Did you read any of the previous messages? They told you that you have to 
have consolekit and polkit installed and configured for this to work!
> 
> Yes, I've read them. However no one explianed how this has to be 
accomplished with polkit and consolekit.

You don't need those. It sounds like you somehow got both sysvinit and systemd 
installed. The message you're getting is from sysvinit. poweroff should be a 
symlink to systemctl. Try:

systemctl poweroff

You may need to unmerge sysvinit and anything else related to openrc and then 
re-emerge systemd. With systemd it should either shutdown or ask you for the 
root password (if you're not logged in locally or there's other users logged 
in).

-- 
Fernando Rodriguez

Re: [gentoo-user] How to poweroff the system from user?

[German]

On Sun, 22 Mar 2015 03:19:50 -0400
Fernando Rodriguez <frodriguez.developer@outlook.com> wrote:

> On Sunday, March 22, 2015 3:06:59 AM German wrote:
> > On Sun, 22 Mar 2015 08:49:54 +0200
> > Matti Nykyri <matti.nykyri@iki.fi> wrote:
> > 
> > > > On Mar 22, 2015, at 8:32, German <gentgerman@gmail.com> wrote:
> > > > 
> > > > 
> > > > /sbin/poweroff says "Must be a superuser" :(
> > > 
> > > Did you read any of the previous messages? They told you that you have to 
> have consolekit and polkit installed and configured for this to work!
> > 
> > Yes, I've read them. However no one explianed how this has to be 
> accomplished with polkit and consolekit.
> 
> You don't need those. It sounds like you somehow got both sysvinit and systemd 
> installed. The message you're getting is from sysvinit. poweroff should be a 
> symlink to systemctl. Try:
> 
> systemctl poweroff
> 
> You may need to unmerge sysvinit and anything else related to openrc and then 
> re-emerge systemd. With systemd it should either shutdown or ask you for the 
> root password (if you're not logged in locally or there's other users logged 

Thanks, I decide to go with sudo on this one. However when I try to run it, it says:
"Username is not in the sudoers file." Where is this file located and how can I add the user to it? Thanks

> in).
> 
> -- 
> Fernando Rodriguez
> 


-- 

Re: [gentoo-user] How to poweroff the system from user?

[Matti Nykyri]

> On Mar 22, 2015, at 9:30, German <gentgerman@gmail.com> wrote:
> 
> On Sun, 22 Mar 2015 03:19:50 -0400
> Fernando Rodriguez <frodriguez.developer@outlook.com> wrote:
> 
>>> On Sunday, March 22, 2015 3:06:59 AM German wrote:
>>> On Sun, 22 Mar 2015 08:49:54 +0200
>>> Matti Nykyri <matti.nykyri@iki.fi> wrote:
>>> 
>>>>> On Mar 22, 2015, at 8:32, German <gentgerman@gmail.com> wrote:
>>>>> 
>>>>> 
>>>>> /sbin/poweroff says "Must be a superuser" :(
>>>> 
>>>> Did you read any of the previous messages? They told you that you have to
>> have consolekit and polkit installed and configured for this to work!
>>> 
>>> Yes, I've read them. However no one explianed how this has to be
>> accomplished with polkit and consolekit.
>> 
>> You don't need those. It sounds like you somehow got both sysvinit and systemd 
>> installed. The message you're getting is from sysvinit. poweroff should be a 
>> symlink to systemctl. Try:
>> 
>> systemctl poweroff
>> 
>> You may need to unmerge sysvinit and anything else related to openrc and then 
>> re-emerge systemd. With systemd it should either shutdown or ask you for the 
>> root password (if you're not logged in locally or there's other users logged
> 
> Thanks, I decide to go with sudo on this one. However when I try to run it, it says:
> "Username is not in the sudoers file." Where is this file located and how can I add the user to it? Thanks

man sudo

And 

man sudoers

The file is in /etc/sudoers

-- 
-Matti

Re: [gentoo-user] How to poweroff the system from user?

[Fernando Rodriguez]

On Sunday, March 22, 2015 3:30:49 AM German wrote:
> On Sun, 22 Mar 2015 03:19:50 -0400
> Fernando Rodriguez <frodriguez.developer@outlook.com> wrote:
> 
> > On Sunday, March 22, 2015 3:06:59 AM German wrote:
> > > On Sun, 22 Mar 2015 08:49:54 +0200
> > > Matti Nykyri <matti.nykyri@iki.fi> wrote:
> > > 
> > > > > On Mar 22, 2015, at 8:32, German <gentgerman@gmail.com> wrote:
> > > > > 
> > > > > 
> > > > > /sbin/poweroff says "Must be a superuser" :(
> > > > 
> > > > Did you read any of the previous messages? They told you that you have 
to 
> > have consolekit and polkit installed and configured for this to work!
> > > 
> > > Yes, I've read them. However no one explianed how this has to be 
> > accomplished with polkit and consolekit.
> > 
> > You don't need those. It sounds like you somehow got both sysvinit and 
systemd 
> > installed. The message you're getting is from sysvinit. poweroff should be 
a 
> > symlink to systemctl. Try:
> > 
> > systemctl poweroff
> > 
> > You may need to unmerge sysvinit and anything else related to openrc and 
then 
> > re-emerge systemd. With systemd it should either shutdown or ask you for 
the 
> > root password (if you're not logged in locally or there's other users 
logged 
> 
> Thanks, I decide to go with sudo on this one. However when I try to run it, 
it says:
> "Username is not in the sudoers file." Where is this file located and how can 
I add the user to it? Thanks
> 
> > in).
> > 
> 
> 
> 

See man sudo. But the advice you're getting is for openrc (it will work until 
something else breaks), you need to remove all openrc components and install 
systemd properly.
-- 
Fernando Rodriguez

Re: [gentoo-user] How to poweroff the system from user?

[German]

On Sun, 22 Mar 2015 03:35:49 -0400
Fernando Rodriguez <frodriguez.developer@outlook.com> wrote:

> On Sunday, March 22, 2015 3:30:49 AM German wrote:
> > On Sun, 22 Mar 2015 03:19:50 -0400
> > Fernando Rodriguez <frodriguez.developer@outlook.com> wrote:
> > 
> > > On Sunday, March 22, 2015 3:06:59 AM German wrote:
> > > > On Sun, 22 Mar 2015 08:49:54 +0200
> > > > Matti Nykyri <matti.nykyri@iki.fi> wrote:
> > > > 
> > > > > > On Mar 22, 2015, at 8:32, German <gentgerman@gmail.com> wrote:
> > > > > > 
> > > > > > 
> > > > > > /sbin/poweroff says "Must be a superuser" :(
> > > > > 
> > > > > Did you read any of the previous messages? They told you that you have 
> to 
> > > have consolekit and polkit installed and configured for this to work!
> > > > 
> > > > Yes, I've read them. However no one explianed how this has to be 
> > > accomplished with polkit and consolekit.
> > > 
> > > You don't need those. It sounds like you somehow got both sysvinit and 
> systemd 
> > > installed. The message you're getting is from sysvinit. poweroff should be 
> a 
> > > symlink to systemctl. Try:
> > > 
> > > systemctl poweroff
> > > 
> > > You may need to unmerge sysvinit and anything else related to openrc and 
> then 
> > > re-emerge systemd. With systemd it should either shutdown or ask you for 
> the 
> > > root password (if you're not logged in locally or there's other users 
> logged 
> > 
> > Thanks, I decide to go with sudo on this one. However when I try to run it, 
> it says:
> > "Username is not in the sudoers file." Where is this file located and how can 
> I add the user to it? Thanks
> > 
> > > in).
> > > 
> > 
> > 
> > 
> 
> See man sudo.

It is huge and my head is spinning. A simple search on the web showed that I had just to add one line to "sudoers" file.
Now I am able to poweroff with sudo.


 But the advice you're getting is for openrc (it will work until 
> something else breaks), you need to remove all openrc components and install 
> systemd properly.

Why is openRC is installed at all if I need to remove it? 

> -- 
> Fernando Rodriguez
> 


-- 

Re: [gentoo-user] How to poweroff the system from user?

[Fernando Rodriguez]

On Sunday, March 22, 2015 3:30:49 AM German wrote:
> On Sun, 22 Mar 2015 03:19:50 -0400
> Fernando Rodriguez <frodriguez.developer@outlook.com> wrote:
> 
> > On Sunday, March 22, 2015 3:06:59 AM German wrote:
> > > On Sun, 22 Mar 2015 08:49:54 +0200
> > > Matti Nykyri <matti.nykyri@iki.fi> wrote:
> > > 
> > > > > On Mar 22, 2015, at 8:32, German <gentgerman@gmail.com> wrote:
> > > > > 
> > > > > 
> > > > > /sbin/poweroff says "Must be a superuser" :(
> > > > 
> > > > Did you read any of the previous messages? They told you that you have 
to 
> > have consolekit and polkit installed and configured for this to work!
> > > 
> > > Yes, I've read them. However no one explianed how this has to be 
> > accomplished with polkit and consolekit.
> > 
> > You don't need those. It sounds like you somehow got both sysvinit and 
systemd 
> > installed. The message you're getting is from sysvinit. poweroff should be 
a 
> > symlink to systemctl. Try:
> > 
> > systemctl poweroff
> > 
> > You may need to unmerge sysvinit and anything else related to openrc and 
then 
> > re-emerge systemd. With systemd it should either shutdown or ask you for 
the 
> > root password (if you're not logged in locally or there's other users 
logged 
> 
> Thanks, I decide to go with sudo on this one. However when I try to run it, 
it says:
> "Username is not in the sudoers file." Where is this file located and how can 
I add the user to it? Thanks
> 
> > in).

Actually you never said anything about systemd so it's my bad.
They where talking about logind and I got it messed up with another thread 
about systemd.

-- 
Fernando Rodriguez

Re: [gentoo-user] How to poweroff the system from user?

[German]

On Sun, 22 Mar 2015 03:47:13 -0400
Fernando Rodriguez <frodriguez.developer@outlook.com> wrote:

> On Sunday, March 22, 2015 3:30:49 AM German wrote:
> > On Sun, 22 Mar 2015 03:19:50 -0400
> > Fernando Rodriguez <frodriguez.developer@outlook.com> wrote:
> > 
> > > On Sunday, March 22, 2015 3:06:59 AM German wrote:
> > > > On Sun, 22 Mar 2015 08:49:54 +0200
> > > > Matti Nykyri <matti.nykyri@iki.fi> wrote:
> > > > 
> > > > > > On Mar 22, 2015, at 8:32, German <gentgerman@gmail.com> wrote:
> > > > > > 
> > > > > > 
> > > > > > /sbin/poweroff says "Must be a superuser" :(
> > > > > 
> > > > > Did you read any of the previous messages? They told you that you have 
> to 
> > > have consolekit and polkit installed and configured for this to work!
> > > > 
> > > > Yes, I've read them. However no one explianed how this has to be 
> > > accomplished with polkit and consolekit.
> > > 
> > > You don't need those. It sounds like you somehow got both sysvinit and 
> systemd 
> > > installed. The message you're getting is from sysvinit. poweroff should be 
> a 
> > > symlink to systemctl. Try:
> > > 
> > > systemctl poweroff
> > > 
> > > You may need to unmerge sysvinit and anything else related to openrc and 
> then 
> > > re-emerge systemd. With systemd it should either shutdown or ask you for 
> the 
> > > root password (if you're not logged in locally or there's other users 
> logged 
> > 
> > Thanks, I decide to go with sudo on this one. However when I try to run it, 
> it says:
> > "Username is not in the sudoers file." Where is this file located and how can 
> I add the user to it? Thanks
> > 
> > > in).
> 
> Actually you never said anything about systemd so it's my bad.
> They where talking about logind and I got it messed up with another thread 
> about systemd.
> 

No problem. I guess that's what happening when you try to help everyone.
> -- 
> Fernando Rodriguez
> 


-- 

Re: [gentoo-user] How to poweroff the system from user?

[Walter Dnes]

On Sun, Mar 22, 2015 at 03:30:49AM -0400, German wrote

> Thanks, I decide to go with sudo on this one. However when I try
> to run it, it says: "Username is not in the sudoers file." Where is
> this file located and how can I add the user to it? Thanks

  Here's how it works.  "emerge -pv sudo" and decide whic USE flags you
need for your situation.  I use none of them.  The main config file is
/etc/sudoers  *DO NOT TOUCH THAT FILE*.  It'll get overwritten every
time that an update of sudo comes along.  sudo also reads files in its
"include directory", which defaults to /etc/sudoers.d/ which is where
you should put your stuff.  You can have multiple files in there, and
they will be executed in the same order that they sort.  *DO NOT EDIT
THESE FILES DIRECTLY WITH NANO/VIM/WHATEVER*.  Use the command...

visudo -f /etc/sudoers.d/filename

where "filename" is any legal file name.  visudo is a sudo feature that
* gets your default editor
* edits a *WORKING COPY* of the file you want to change
* after you exit the editor, it tests the file syntax
* if no sudo syntax errors are found it commits the file
* if syntax errors are found, it warns you, and allows you to back out

  I have a single file /etc/sudoers.d/001 but you can have several files
if you want.  The desktop's hostname is "d531" and my login is
"waltdnes".  Adjust correspondingly for your system...

waltdnes  d531 = (root) NOPASSWD: /sbin/poweroff
waltdnes  d531 = (root) NOPASSWD: /usr/sbin/hibernate
waltdnes  d531 = (root) NOPASSWD: /usr/bin/simple-mtpfs -o allow_other /home/waltdnes/tablet
waltdnes  d531 = (root) NOPASSWD: /usr/bin/fusermount -u /home/waltdnes/tablet
waltdnes  d531 = (root) NOPASSWD: /bin/cp -f /etc/ssmtp/295.ssmtp.conf /etc/ssmtp/ssmtp.conf
waltdnes  d531 = (root) NOPASSWD: /bin/cp -f /etc/ssmtp/teksavvy.ssmtp.conf /etc/ssmtp/ssmtp.conf
waltdnes  d531 = (root) NOPASSWD: /usr/bin/openrdate -n -s ca.pool.ntp.org
waltdnes  d531 = (root) NOPASSWD: /sbin/hwclock --systohc


  This format allows the user to run the command, if preceeded by
"sudo", and no password is required.  Note that the command must be
identical to what is set in /etc/sudoers.d/ e.g.

sudo /sbin/poweroff

  I usually launch it from a script in ~/bin to same a lot of typing,
and avoid typo errors.  For instance, to connect my tablet or smartphone
to directory ~/tablet, I have a script ~/bin/tabon

#!/bin/bash
sudo simple-mtpfs -o allow_other /home/waltdnes/tablet

  To disconnect from the device I have a script ~/bin/taboff

#!/bin/bash
sudo fusermount -u /home/waltdnes/tablet

  To sync my desktop's clock, I have a script ~/bin/settime

#!/bin/bash
date
/usr/bin/sudo /usr/bin/openrdate -n -s ca.pool.ntp.org
/usr/bin/sudo /sbin/hwclock --systohc
date

  I have a dialup ISP (295.ca) as emergency backup in case my broadband
ISP (teksavvy.com) service goes down.  ISP's only let logged in users
connect to the standard outbound port.  So I need to change the
/etc/ssmtp/ssmtp.conf file to point to the approprite ISP's server.  My
dialup script is...

#!/bin/bash
sudo /bin/cp -f /etc/ssmtp/295.ssmtp.conf /etc/ssmtp/ssmtp.conf
sudo /usr/sbin/pon u295.ca

  My "dialdown" script is...

#!/bin/bash
/usr/bin/sudo /usr/sbin/poff
/usr/bin/sudo /bin/cp -f /etc/ssmtp/teksavvy.ssmtp.conf /etc/ssmtp/ssmtp.conf



-- 
Walter Dnes <waltdnes@waltdnes.org>
I don't run "desktop environments"; I run useful applications

Re: [gentoo-user] How to poweroff the system from user?

[Fernando Rodriguez]

[-- Attachment #1: Type: text/plain, Size: 970 bytes --]

On Sunday, March 22, 2015 3:06:59 AM German wrote:
> On Sun, 22 Mar 2015 08:49:54 +0200
> Matti Nykyri <matti.nykyri@iki.fi> wrote:
> 
> > > On Mar 22, 2015, at 8:32, German <gentgerman@gmail.com> wrote:
> > > 
> > > 
> > > /sbin/poweroff says "Must be a superuser" :(
> > 
> > Did you read any of the previous messages? They told you that you have to 
have consolekit and polkit installed and configured for this to work!
> 
> Yes, I've read them. However no one explianed how this has to be 
accomplished with polkit and consolekit.

Actually systemd's poweroff should be on /usr/bin or /bin but if you got it 
there you shouldn't have got the command not found error so something is 
messed up with your system. Post the output to the folling

ls -l /usr/bin/poweroff
ls -l /bin/poweroff
ls -l /sbin/poweroff
ls -l /usr/sbin/poweroff

Only one of them should list something and it should be a symlink to 
systemctl.

-- 
Fernando Rodriguez

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

Re: [gentoo-user] How to poweroff the system from user?

[Matti Nykyri]

> On Mar 22, 2015, at 9:31, Fernando Rodriguez <frodriguez.developer@outlook.com> wrote:
> 
>> On Sunday, March 22, 2015 3:06:59 AM German wrote:
>> On Sun, 22 Mar 2015 08:49:54 +0200
>> Matti Nykyri <matti.nykyri@iki.fi> wrote:
>> 
>>>> On Mar 22, 2015, at 8:32, German <gentgerman@gmail.com> wrote:
>>>> 
>>>> 
>>>> /sbin/poweroff says "Must be a superuser" :(
>>> 
>>> Did you read any of the previous messages? They told you that you have to
> have consolekit and polkit installed and configured for this to work!
>> 
>> Yes, I've read them. However no one explianed how this has to be
> accomplished with polkit and consolekit.
> 
> Actually systemd's poweroff should be on /usr/bin or /bin but if you got it 
> there you shouldn't have got the command not found error so something is 
> messed up with your system. Post the output to the folling
> 
> ls -l /usr/bin/poweroff
> ls -l /bin/poweroff
> ls -l /sbin/poweroff
> ls -l /usr/sbin/poweroff
> 
> Only one of them should list something and it should be a symlink to 
> systemctl.

From previous messages by the OP I recall that he is using OpenRC.

-- 
-Matti

Re: [gentoo-user] How to poweroff the system from user?

[Fernando Rodriguez]

On Sunday, March 22, 2015 9:35:46 AM Matti Nykyri wrote:
> > On Mar 22, 2015, at 9:31, Fernando Rodriguez 
<frodriguez.developer@outlook.com> wrote:
> > 
> >> On Sunday, March 22, 2015 3:06:59 AM German wrote:
> >> On Sun, 22 Mar 2015 08:49:54 +0200
> >> Matti Nykyri <matti.nykyri@iki.fi> wrote:
> >> 
> >>>> On Mar 22, 2015, at 8:32, German <gentgerman@gmail.com> wrote:
> >>>> 
> >>>> 
> >>>> /sbin/poweroff says "Must be a superuser" :(
> >>> 
> >>> Did you read any of the previous messages? They told you that you have 
to
> > have consolekit and polkit installed and configured for this to work!
> >> 
> >> Yes, I've read them. However no one explianed how this has to be
> > accomplished with polkit and consolekit.
> > 
> > Actually systemd's poweroff should be on /usr/bin or /bin but if you got it 
> > there you shouldn't have got the command not found error so something is 
> > messed up with your system. Post the output to the folling
> > 
> > ls -l /usr/bin/poweroff
> > ls -l /bin/poweroff
> > ls -l /sbin/poweroff
> > ls -l /usr/sbin/poweroff
> > 
> > Only one of them should list something and it should be a symlink to 
> > systemctl.
> 
> From previous messages by the OP I recall that he is using OpenRC.

Yea, I'm fucking up. I read the systemd before this one and got them mixed 
up...sorry

-- 
Fernando Rodriguez

Re: [gentoo-user] How to poweroff the system from user?

[German]

On Sun, 22 Mar 2015 09:35:46 +0200
Matti Nykyri <matti.nykyri@iki.fi> wrote:

> > On Mar 22, 2015, at 9:31, Fernando Rodriguez <frodriguez.developer@outlook.com> wrote:
> > 
> >> On Sunday, March 22, 2015 3:06:59 AM German wrote:
> >> On Sun, 22 Mar 2015 08:49:54 +0200
> >> Matti Nykyri <matti.nykyri@iki.fi> wrote:
> >> 
> >>>> On Mar 22, 2015, at 8:32, German <gentgerman@gmail.com> wrote:
> >>>> 
> >>>> 
> >>>> /sbin/poweroff says "Must be a superuser" :(
> >>> 
> >>> Did you read any of the previous messages? They told you that you have to
> > have consolekit and polkit installed and configured for this to work!
> >> 
> >> Yes, I've read them. However no one explianed how this has to be
> > accomplished with polkit and consolekit.
> > 
> > Actually systemd's poweroff should be on /usr/bin or /bin but if you got it 
> > there you shouldn't have got the command not found error so something is 
> > messed up with your system. Post the output to the folling
> > 
> > ls -l /usr/bin/poweroff
> > ls -l /bin/poweroff
> > ls -l /sbin/poweroff
> > ls -l /usr/sbin/poweroff
> > 
> > Only one of them should list something and it should be a symlink to 
> > systemctl.
> 
> From previous messages by the OP I recall that he is using OpenRC.

Yes, as from fresh gentoo install.
> 
> -- 
> -Matti


-- 

Re: [gentoo-user] How to poweroff the system from user?

[microcai]

on Sunday 22 March 2015 02:32:00，German wrote：
> On Sat, 21 Mar 2015 18:51:58 -0400
> 
> Fernando Rodriguez <frodriguez.developer@outlook.com> wrote:
> > On Saturday, March 21, 2015 4:58:42 PM German wrote:
> > > On Sat, 21 Mar 2015 16:32:25 -0400
> > > 
> > > Philip Webb <purslow@ca.inter.net> wrote:
> > > > 150321 German wrote:
> > > > > If I run poweroff from root, the system shuts down.
> > > > > When I run poweroff from user -- command not found.
> > > > > How to shut down the system from user ?
> > > > 
> > > > I'ld say "Don't" : it's contrary to the principles of Unix,
> > > > which separate the roles of sysadmin (root) from those of ordinary
> > > > users.
> > > > 
> > > > To shut down, I first exit Fluxbox via its menu,
> > > > then 'su' + root password, then alias 'down' = 'shutdown -h now'.
> > > > That observes the proper roles + ceremonies (smile).
> > > 
> > > Interesting. But as I said ealier, I can reboot the system when I am a
> > > user
> > 
> > by Ctrl+Alt+Delete. The user can reboot the system, but can't shut down?
> > Strange
> > 
> > 
> > Either /sbin/poweroff or /usr/sbin/poweroff will do it from a local
> > session (if there's no other users logged in locally).
> 
> /sbin/poweroff says "Must be a superuser" :(

then it's high time for you to trash away sysvint and openrc, and try 
systemd!!! 

> > Like I said, /sbin is only on the search path for root by default on
> > gentoo.

Re: [gentoo-user] How to poweroff the system from user?

[Tom H]

On Wed, Mar 25, 2015 at 8:53 PM, microcai <microcai@fedoraproject.org> wrote:
> on Sunday 22 March 2015 02:32:00，German wrote：
>>
>> /sbin/poweroff says "Must be a superuser" :(
>
> then it's high time for you to trash away sysvint and openrc, and try
> systemd!!!

I doubt that Fedora developers and users would be happy to know that
you're trolling with a Fedora email address.

Anyway, logind+polkit are the reason that systemd allows a user at the
console to shutdown a system. Run "pkaction --verbose --action-id
org.freedesktop.login1.power-off" to see why.

The same can be set up with consolekit+polkit when booting with sysv+openrc.

[gentoo-user] Re: How to poweroff the system from user?

[Nikos Chantziaras]

On 21/03/15 21:26, German wrote:
> If I run poweroff from root, the system shuts down, however when I run poweroff from user -- command not found. How to shut down the system from user? Thanks

If you have dbus running (KDE, Gnome and others automatically use it), 
then you can shut down with something like:


dbus-send --system --print-reply --dest="org.freedesktop.ConsoleKit" 
/org/freedesktop/ConsoleKit/Manager org.freedesktop.ConsoleKit.Manager.Stop


You can make the above a script and save it in /usr/local/bin/dbus-halt 
(or whatever.)

Some more scripts:

https://bbs.archlinux.org/viewtopic.php?id=127962

Re: [gentoo-user] How to poweroff the system from user?

[wabenbau]

German <gentgerman@gmail.com> wrote:

> If I run poweroff from root, the system shuts down, however when I
> run poweroff from user -- command not found. How to shut down the
> system from user? Thanks

I modified a line in /etc/inittab so that I can shutdown my system
as user with Ctrl+Alt+Del:

# What to do at the "Three Finger Salute".
ca:12345:ctrlaltdel:/sbin/shutdown -h now

It works even without systemd. ;-)

--
Regards
wabe

[gentoo-user] Re: How to poweroff the system from user?

[Hans]

On 22/03/15 05:26, German wrote:
> If I run poweroff from root, the system shuts down, however when I run poweroff from user -- command not found. How to shut down the system from user? Thanks
>
If nothing works, I use the big red switch at the front of my box to 
poweroff.

Re: [gentoo-user] Re: How to poweroff the system from user?

[Francisco Ares]

[-- Attachment #1: Type: text/plain, Size: 634 bytes --]

2015-03-26 13:13 GMT-03:00 Hans <linux@interworld.net.au>:

> On 22/03/15 05:26, German wrote:
>
>> If I run poweroff from root, the system shuts down, however when I run
>> poweroff from user -- command not found. How to shut down the system from
>> user? Thanks
>>
>>  If nothing works, I use the big red switch at the front of my box to
> poweroff.
>
>
>
I don't know if this has been already answered:

edit /etc/sudoers to include a line like the one bellow:


your_user_name
 ALL=NOPASSWD:/sbin/halt,NOPASSWD:/sbin/reboot,NOPASSWD:/sbin/poweroff,


Then log off and log in again, and it should work.

Hope this helps,
Francisco

[-- Attachment #2: Type: text/html, Size: 1577 bytes --]

Re: [gentoo-user] Re: How to poweroff the system from user?

[Emanuele Rusconi]

[-- Attachment #1: Type: text/plain, Size: 579 bytes --]

On 26 March 2015 at 17:28, Francisco Ares <frares@gmail.com> wrote:

>
>
> edit /etc/sudoers to include a line like the one bellow:
>
>
> your_user_name
>  ALL=NOPASSWD:/sbin/halt,NOPASSWD:/sbin/reboot,NOPASSWD:/sbin/poweroff,
>
>
> Then log off and log in again, and it should work.
>
> Hope this helps,
> Francisco
>

Yeah, lots of ways to do it, there's no need of systemd.
Or do people think that Linux users haven't been able to shut down or
reboot their computers for the past 30 years? :D
Oh, wait, maybe THAT's the reason for the long uptimes. :D :D

-- Emanuele Rusconi

[-- Attachment #2: Type: text/html, Size: 1433 bytes --]