Scheduled Maintenance: We are aware of an issue with Google, AOL, and Yahoo services as email providers which are blocking new registrations. We are trying to fix the issue and we have several internal and external support tickets in process to resolve the issue. Please see: viewtopic.php?t=158230

 

 

 

restrict user privileges [SOLVED]

Linux Kernel, Network, and Services configuration.
Post Reply
Message
Author
tomjtoth
Posts: 6
Joined: 2012-09-30 11:17

restrict user privileges [SOLVED]

#1 Post by tomjtoth »

Hi there,

I installed 6.0.something wheezy, and i want to create a guest user without the privilege to shutdown/reboot my computer.
(I left Arch, because they overcomplicated their latest install media, and now I can't even install the basic system, BUT the best thing about Arch is that it had a very detailed wiki.)
Now I've been searching everywhere, but I couldn't find any solutions, so I'd really appreciate if you helped me out.

Thanks!
Tom
Last edited by tomjtoth on 2012-10-02 17:54, edited 1 time in total.

User avatar
dasein
Posts: 7680
Joined: 2011-03-04 01:06
Location: Terra Incantationum

Re: restrict user privileges

#2 Post by dasein »

This question is not nearly as straightforward as you imagine.

One imagines that you're asking about restricting shutdown from within a GUI, but the specifics actually vary by which GUI and which login manager you're using. So, to have any hope of getting a decent answer, you'll need to provide that additional information.

One quick-and-dirty solution may be to install SLiM as a display (login) manager. It's been quite some time since I used SLiM, but my best recollection is that it only allows restart from the actual login screen, and by default requires a root password to do it.

But before you spend a lot of time chasing this question, remind yourself that anyone who has physical access to a(ny) machine can always forcibly do a shutdown or restart. Maybe it's time to re-examine your underlying goals.

User avatar
craigevil
Posts: 5391
Joined: 2006-09-17 03:17
Location: heaven
Has thanked: 28 times
Been thanked: 39 times

Re: restrict user privileges

#3 Post by craigevil »

Just make sure the guest account is not in the powerdev or sudo groups

Gnome and KDE also have settings that will most likely need to be set.

Autologin, passwordless login and controlling who can reboot and shutdown your computer in KDE - http://www.linuxbsdos.com/2012/02/16/au ... er-in-kde/
Raspberry PI 400 Distro: Raspberry Pi OS Base: Debian Sid Kernel: 5.15.69-v8+ aarch64 DE: MATE Ram 4GB
Debian - "If you can't apt install something, it isn't useful or doesn't exist"
My Giant Sources.list

tomjtoth
Posts: 6
Joined: 2012-09-30 11:17

Re: restrict user privileges

#4 Post by tomjtoth »

i have slim+xfce, and im interested in a console-way solution
im aware of the reboot/poweroff "account"+root pw, but that has nothing to do with my problem.

my /etc/group file looks like this:

Code: Select all

root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:
fax:x:21:
voice:x:22:
cdrom:x:24:
floppy:x:25:
tape:x:26:
sudo:x:27:
audio:x:29:
dip:x:30:
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:
sasl:x:45:
plugdev:x:46:
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
libuuid:x:101:
crontab:x:102:
avahi-autoipd:x:103:
scanner:x:104:saned
messagebus:x:105:
colord:x:106:
lpadmin:x:107:
ssl-cert:x:108:
Debian-exim:x:109:
mlocate:x:110:
ssh:x:111:
avahi:x:112:
netdev:x:113:guest,test
bluetooth:x:114:
saned:x:115:
test:x:1000:
fuse:x:116:
guest:x:1001:
utempter:x:117:
this makes me think that my 2 users 'test' and 'guest' are only in their own and 'netdev' group
and when i check the groups 'guest' is in i get

Code: Select all

test@1001px-d:~$ groups guest
guest : guest netdev
test@1001px-d:~$ 
I haven't seen powerdev a group

User avatar
nadir
Posts: 5961
Joined: 2009-10-05 22:06
Location: away

Re: restrict user privileges

#5 Post by nadir »

I am using xfce4 without a display/login manager, and my users can't reboot or shutdown the computer.
But they have to go through the hell of typing startx after logging in (Looks like everything comes at a price)
"I am not fine with it, so there is nothing for me to do but stand aside." M.D.

tomjtoth
Posts: 6
Joined: 2012-09-30 11:17

Re: restrict user privileges

#6 Post by tomjtoth »

nadir wrote:I am using xfce4 without a display/login manager, and my users can't reboot or shutdown the computer.
But they have to go through the hell of typing startx after logging in (Looks like everything comes at a price)
not even from console?

adenukolnis
Posts: 459
Joined: 2012-02-24 18:36

Re: restrict user privileges

#7 Post by adenukolnis »

Code: Select all

user@debian:~$ reboot
bash: reboot: command not found
user@debian:~$ shutdown
bash: shutdown: command not found
user@debian:~$ halt
bash: halt: command not found
A regular user can reboot from a tty with a 3 finger salute but you should be able to disable that in the /etc/inittab file.

Instead of the user needing to type startx you can just set it up so that X is automatically started at login. If you wanted to do that.

User avatar
dasein
Posts: 7680
Joined: 2011-03-04 01:06
Location: Terra Incantationum

Re: restrict user privileges

#8 Post by dasein »

I'll say it again. Anyone with physical access to the machine can shut it down. Trying to prevent a software-based shutdown/reboot is a classic case of solving the "wrong problem."

tomjtoth
Posts: 6
Joined: 2012-09-30 11:17

Re: restrict user privileges

#9 Post by tomjtoth »

adenukolnis wrote:

Code: Select all

user@debian:~$ reboot
bash: reboot: command not found
user@debian:~$ shutdown
bash: shutdown: command not found
user@debian:~$ halt
bash: halt: command not found
A regular user can reboot from a tty with a 3 finger salute but you should be able to disable that in the /etc/inittab file.

Instead of the user needing to type startx you can just set it up so that X is automatically started at login. If you wanted to do that.
I see, so basicly the slim/xfce-session gives the normal users the privilege to shutdown/reboot.
I won't remove slim, because a guest user (windows/mac user) wouldnt be able to fire up my computer, but i hid some entries in the xfce menu so they'll be les probable to mess it up.

tomjtoth
Posts: 6
Joined: 2012-09-30 11:17

Re: restrict user privileges

#10 Post by tomjtoth »

dasein wrote:I'll say it again. Anyone with physical access to the machine can shut it down. Trying to prevent a software-based shutdown/reboot is a classic case of solving the "wrong problem."
well I'm not trying to create a super-secure dumbass-proof computer. My only point was to prevent them from shutting it down, or rebooting it.
Now i see i was wrong, and a user doesnt have the privilege to do that by default, xfce/slim gives them the right to do that, so i hid these options in the xfce menu, thus making my problem solved.

tomjtoth
Posts: 6
Joined: 2012-09-30 11:17

Re: restrict user privileges

#11 Post by tomjtoth »

how do i mark it solved?

User avatar
4D696B65
Site admin
Site admin
Posts: 2696
Joined: 2009-06-28 06:09
Been thanked: 85 times

Re: restrict user privileges

#12 Post by 4D696B65 »

tomjtoth wrote:how do i mark it solved?
Edit the topic line in your first post and add [SOLVED]

User avatar
nadir
Posts: 5961
Joined: 2009-10-05 22:06
Location: away

Re: restrict user privileges

#13 Post by nadir »

tomjtoth wrote: I won't remove slim, because a guest user (windows/mac user) wouldnt be able to fire up my computer
Like said: What he or she will have to learn in addition to type a username and a password is to write "startx" and hit enter.
I would say it is do-able.

But sure: i see your point (it will lead to questions and confusion and so on ... Rather a workaround than a proper solution)
"I am not fine with it, so there is nothing for me to do but stand aside." M.D.

Post Reply