public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] How to set-up "shutdown-only" user?
From: Jarry @ 2012-12-03 20:36 UTC
  To: gentoo-user

Hi Gentoo-users,

I'm facing this problem: I *have to* allow one non-root user
to shut down my server remotely (ssh). I know I could create
an account for him and add his login into /etc/shutdown.allow but
I do not want to grant him full shell access.

I thought about adding "/sbin/shutdown -a h now" as his shell
into /etc/passwd so that right after he authenticates himself,
shutdown is called. But I'm not sure something like this is
possible (shutdown must probably be called from shell)...

Or is there maybe some other way to create a very restricted
account where the user could not do anything else but call shutdown?

Jarry
-- 
_______________________________________________________________
This mailbox accepts e-mails only from selected mailing-lists!
Everything else is considered to be spam and therefore deleted.



* Re: [gentoo-user] How to set-up "shutdown-only" user?
From: Randy Barlow @ 2012-12-03 21:15 UTC
  To: gentoo-user

Jarry wrote:
> I'm facing this problem: I *have to* allow one non-root user
> to shutdown my server remotely (ssh). I know I could create
> account for him and add his login into /etc/shutdown.allow but
> I do not want to grant him full shell access.
>
> I thought about adding "/sbin/shutdown -a h now" as his shell
> into /etc/passwd so that right after he authenticates himself,
> shutdown is called. But I'm not sure something like this is
> possible (shutdown must be probably called from shell)...
>
> Or is there maybe some other way how to create very restricted
> account where user could not do anything else but call shutdown?

Could you create a simple webapp that requires authentication and has a 
big Shutdown button? Something like that would be fairly easy to make 
with Django, or something simpler like Pylons.

-- 
R



* Re: [gentoo-user] How to set-up "shutdown-only" user?
From: Randy Barlow @ 2012-12-03 21:30 UTC
  To: gentoo-user

Randy Barlow wrote:
> Could you create a simple webapp that requires authentication and has a
> big Shutdown button? Something like that would be fairly easy to make
> with Django, or something simpler like Pylons.

Alternatively, you could write your own shell that only has the shutdown 
command and make that their login shell…

-- 
R



* Re: [gentoo-user] How to set-up "shutdown-only" user?
From: Alan McKinnon @ 2012-12-03 21:39 UTC
  To: gentoo-user

On Mon, 03 Dec 2012 21:36:01 +0100
Jarry <mr.jarry@gmail.com> wrote:

> Hi Gentoo-users,
> 
> I'm facing this problem: I *have to* allow one non-root user
> to shutdown my server remotely (ssh). I know I could create
> account for him and add his login into /etc/shutdown.allow but
> I do not want to grant him full shell access.
> 
> I thought about adding "/sbin/shutdown -a h now" as his shell
> into /etc/passwd so that right after he authenticates himself,
> shutdown is called. But I'm not sure something like this is
> possible (shutdown must be probably called from shell)...
> 
> Or is there maybe some other way how to create very restricted
> account where user could not do anything else but call shutdown?
> 
> Jarry


pdmenu

it's an ncurses menu-driven shell thingy, and you create one menu with
one command "shutdown"

The menu item calls a wrapper script that actually runs "shutdown &&
logout" so that his session isn't left hanging in mid air. We use
pdmenu extensively for the not-so-clever first line support folk and it
works well. From Windows they use PuTTY and all they see is a menu.


-- 
Alan McKinnon
alan.mckinnon@gmail.com




* [gentoo-user] Re: How to set-up "shutdown-only" user?
From: Remy Blank @ 2012-12-03 22:40 UTC
  To: gentoo-user

Jarry wrote:
> Or is there maybe some other way how to create very restricted
> account where user could not do anything else but call shutdown?

 - Create a local account for the user.
 - Disable local login (passwd -l).
 - Set up SSH public key authentication for the account.
 - In ~/.ssh/authorized_keys2 for the account, set the following
   attributes for the public key:

     command="/usr/bin/sudo shutdown -h now",no-pty,no-port-forwarding,no-X11-forwarding

 - Set up sudoers to allow the user to run "shutdown -h now".

This should allow the user to shut down the box by simply ssh'ing into it.

-- Remy
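
Added example, not part of the message above: a POSIX shell check that every key in the restricted account's authorized_keys file carries the forced command and the three restrictions listed in the steps. The function names, the sample file and its placeholder key blobs are constructed for illustration.

```shell
#!/bin/sh
# Audit a single-purpose account's authorized_keys file: every key must carry
# the expected forced command plus the three restrictions from the steps.
# A line that uses "restrict" instead is still reported, because only the
# explicit option names are checked.
REQUIRED_OPTS="no-pty no-port-forwarding no-X11-forwarding"

audit_authorized_keys() {   # usage: audit_authorized_keys FILE 'forced command'
    file=$1; expected=$2; lineno=0; failed=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in ''|'#'*) continue ;; esac
        # Options are whatever precedes the key-type token; a line that
        # begins with the key type has no options and fails every check.
        opts=$(printf '%s\n' "$line" | sed -E \
            's/(^|[[:space:]]+)(ssh-|ecdsa-|sk-)[^[:space:]]+[[:space:]].*$//')
        case $opts in
            *"command=\"$expected\""*) ;;
            *) echo "line $lineno: forced command missing or different"; failed=1 ;;
        esac
        # Drop the quoted command so its text cannot satisfy an option check.
        rest=$(printf '%s\n' "$opts" | sed -E 's/command="([^"\\]|\\.)*"//')
        for opt in $REQUIRED_OPTS; do
            case ",$rest," in
                *",$opt,"*) ;;
                *) echo "line $lineno: missing $opt"; failed=1 ;;
            esac
        done
    done < "$file"
    return "$failed"
}

write_sample_keys() {       # constructed sample; key blobs are placeholders
    cat > "$1" <<'EOF'
# key 1: restricted as described in the steps
command="/usr/bin/sudo shutdown -h now",no-pty,no-port-forwarding,no-X11-forwarding ssh-ed25519 AAAAC3PLACEHOLDERKEY1 operator@example
# key 2: no options at all, so it would get the account's login shell
ssh-ed25519 AAAAC3PLACEHOLDERKEY2 operator@example
# key 3: forced command present, forwarding left open
command="/usr/bin/sudo shutdown -h now",no-pty ssh-rsa AAAAB3PLACEHOLDERKEY3 operator@example
EOF
}

sample=$(mktemp)
write_sample_keys "$sample"
audit_authorized_keys "$sample" "/usr/bin/sudo shutdown -h now" || echo "audit: FAIL"
rm -f "$sample"
```

Appending no-agent-forwarding to REQUIRED_OPTS makes the check require that restriction as well; the option list in the message does not include it.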



* Re: [gentoo-user] How to set-up "shutdown-only" user?
From: yegle @ 2012-12-04  0:15 UTC
  To: gentoo-user


git-shell is a good choice. And it's well tested.

You just set the user's login shell to git-shell, then put some script or binary executable in the user's $HOME/git-shell-commands/ directory.

-- 
yegle
http://about.me/yegle


On Monday, December 3, 2012 at 3:36 PM, Jarry wrote:

> Hi Gentoo-users,
> 
> I'm facing this problem: I *have to* allow one non-root user
> to shutdown my server remotely (ssh). I know I could create
> account for him and add his login into /etc/shutdown.allow but
> I do not want to grant him full shell access.
> 
> I thought about adding "/sbin/shutdown -a h now" as his shell
> into /etc/passwd so that right after he authenticates himself,
> shutdown is called. But I'm not sure something like this is
> possible (shutdown must be probably called from shell)...
> 
> Or is there maybe some other way how to create very restricted
> account where user could not do anything else but call shutdown?
> 
> Jarry
> -- 
> _______________________________________________________________
> This mailbox accepts e-mails only from selected mailing-lists!
> Everything else is considered to be spam and therefore deleted.
> 
> 


