Many users out there will be using KDE or Gnome for their day-to-day Linux usage, so won't have any problems shutting down their PC. However, I recently set up a terminal-only machine as a kind of ad hoc NAS device and found there is no easy way to shut down or restart the computer without using the sudo command and entering your password to become root. So this is how I got around the problem, by removing the need for the sudo password.
It may at first seem rather daft that you must become root before you can shut down your PC, but it does make sense. Linux is designed as a multi-user system; just think of any web site you've ever visited. Many different people can be accessing the same site at the same time, and that's to say nothing of the other people hosting their sites on the same machine. Could you imagine the chaos that would result if any one of those users were able to turn that machine off at will? You may still be thinking "ye, but they could pull the power", but they couldn't: the users I am referring to have no physical access to the machines in question, so securing the shutdown commands in this way is still highly effective.
In my research I have come across a couple of different methods of achieving the goal of non-root shutdown. The /etc/shutdown.allow file is a common option, however it fails the 'usability' test for me as it requires a number of other steps and relies on keyboard shortcuts being correctly configured and not intercepted by other processes. Because of that I have decided to go with the sudo method as my recommended choice.
The sudo command allows a normal (non-root) user to temporarily become root for the purposes of running a command like apt-get, groupadd or shutdown. If you are a Windows user, think User Account Control; even though sudo came first and, most people will agree, does a better job, you will get the general idea.
sudo uses a text file (/etc/sudoers) to decide which users are allowed to run which commands. The format of this file is very important, so to make sure we get it right, among other things, this file should only ever be edited using the visudo command.
What we are aiming for is to create a new group called, say, 'shutdown'; all users within the shutdown group will be able to turn off the PC without entering their passwords first. Another advantage of this method is that you could also include the shutdown command at the end of any backup scripts you wanted to run overnight. So where do we start?
In order for users of the 'shutdown' group to turn off the machine, we must first create the group 'shutdown'. So run this command, prefixing it with sudo to make sure it is run as root:
$ sudo groupadd shutdown
Next we need to start adding people to our new shutdown group. This command will do the job, just replace username with your username. The -a flag appends the group to the ones the user already belongs to, and the change takes effect at the user's next login.
$ sudo usermod -aG shutdown username
Anyone you add to this group will be able to shut down your computer, even when they're not sitting at it, so be selective in your choices. The next thing we need to do is give the shutdown group permission to invoke the commands for shutting down or rebooting. In Linux these commands are /sbin/shutdown, /sbin/reboot or /sbin/halt, so now run the visudo command and add the following lines.
$ sudo visudo
%shutdown ALL=(root) NOPASSWD: /sbin/shutdown
%shutdown ALL=(root) NOPASSWD: /sbin/reboot
%shutdown ALL=(root) NOPASSWD: /sbin/halt
That's you done. Now anyone in the shutdown group can run sudo shutdown as if they were root and shut down the computer.
At this point you may have noticed that users still have to prefix the shutdown command with sudo. I personally like this as it reduces the risk of typos etc., but I know for some (or most) it's still a pain, so we can remove it.
What we need to do is create a script in /usr/local/bin/shutdown which prepends the sudo command for us.
$ sudo nano -w /usr/local/bin/shutdown
#!/bin/bash
# Pass every argument through unchanged to the real shutdown binary via sudo
sudo /sbin/shutdown "$@"
Now just make the script executable and, for a little extra protection, change its group ownership to our new shutdown group:
$ sudo chgrp shutdown /usr/local/bin/shutdown
$ sudo chmod 750 /usr/local/bin/shutdown
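Because the NOPASSWD rules above let every member of the shutdown group run those paths as root, it is worth checking that each path resolves to a root-owned file that nobody else can write to. The script below is an added example, not part of the original post: audit_nopasswd, TRUSTED_UID and the audit.sh file name are made up for it, it assumes GNU stat and readlink, and it only handles single-line rules with literal paths (no Cmnd_Alias expansion or line continuations).

```sh
#!/bin/sh
# Added example (not from the original post): audit what NOPASSWD rules point at.
# audit_nopasswd and TRUSTED_UID are names made up here; GNU stat/readlink assumed.

TRUSTED_UID="${TRUSTED_UID:-0}"   # uid that must own every target (root)

# Usage: audit_nopasswd SUDOERS_FILE
# Prints one finding per line; exit status 0 = clean, 1 = findings, 2 = unreadable.
audit_nopasswd() (
    rc=0
    flag() { echo "$1: $2"; rc=1; }
    if [ ! -r "$1" ]; then echo "cannot read $1" >&2; exit 2; fi

    # Drop comments, keep the text after "NOPASSWD:", split the comma-separated
    # command list, and keep each entry's first word (the path, minus arguments).
    cmds=$(sed -n '/^[[:space:]]*#/d; s/.*NOPASSWD:[[:space:]]*//p' "$1" |
           tr ',' '\n' | awk 'NF { print $1 }')

    set -f                        # no globbing: sudoers paths may contain wildcards
    for cmd in $cmds; do
        case "$cmd" in
            ALL) flag "$cmd" "every command is allowed without a password"; continue ;;
            /*)  ;;
            *)   flag "$cmd" "not an absolute path (alias?), check by hand"; continue ;;
        esac
        target=$(readlink -f -- "$cmd" || true)   # follow symlinks to the real file
        if [ -z "$target" ] || [ ! -e "$target" ]; then
            flag "$cmd" "does not exist"; continue
        fi
        owner=$(stat -c %u -- "$target")
        mode=$(stat -c %a -- "$target")
        if [ "$owner" != "$TRUSTED_UID" ]; then
            flag "$cmd" "$target is owned by uid $owner, not $TRUSTED_UID"
        fi
        # A group- or world-writable target can be replaced by a non-root user,
        # and sudo would then run the replacement as root.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            flag "$cmd" "$target is writable by group or others (mode $mode)"
        fi
    done
    exit "$rc"
)

# Run directly as: sh audit.sh /etc/sudoers   (as root, since the file is root-only)
if [ $# -gt 0 ]; then audit_nopasswd "$1"; fi
```

A clean run prints nothing and exits 0, so the check drops easily into a cron job or a configuration-management test.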
