LinuxSir.cn, Linuxsir across time and space!

Views: 1480 | Replies: 6

How to use /etc/pam.d/reboot to limit "only root user on local machin

Posted 2005-10-31 22:58:47
I am reading Michael Jang's RHCE Study Guide; in Chapter 10 it talks about /etc/pam.d/reboot:

*****************************************************************
To demonstrate how control flags work, take a look at the commands from the
/etc/pam.d/reboot configuration file:

auth sufficient pam_rootok.so

The first auth command checks the pam_rootok.so module. If the root user runs the reboot command, since the control_flag is sufficient, the other auth commands in this file are ignored. Linux runs the reboot command. ..

auth required pam_console.so

The second auth command is run only for nonroot users; it just governs the console parameters at the command line interface. ...

#auth required pam_stack.so service=system-auth

The third line is commented out by default. If you make this line active, it refers to the system-auth configuration file, which requires root user privileges. Remote users who know your root password are still allowed to reboot your computer.

account required pam_permit.so

The module associated with the account command (pam_permit.so) accepts all users, even those who’ve logged in remotely. In other words, this configuration file would allow any root user, local or remote, to reboot your Linux computer.

Alternatively, you might add the pam_securetty.so module, which would keep remote users from rebooting your system.

************************************************************
I tried many tests, but still can't limit rebooting to the root user on the LOCAL machine... Here is one example I have tried:

auth required pam_rootok.so
auth required pam_securetty.so
auth required pam_console.so
auth required pam_stack.so service=system-auth
account required pam_permit.so

Any clue?? Thanks a lot.....
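As an added illustration of the control-flag rules the book excerpt describes (this is example code written for this page, not from the book or from the original post), the Python below walks a pam.d `auth` stack with the required / requisite / sufficient / optional semantics and applies it both to the book's default stanza and to the all-`required` stanza tried above. The per-module verdicts are simplified stand-ins for the real modules (an assumption), the contents of /etc/securetty are constructed, and the `account` group is not modelled. Two things it makes visible: with `sufficient pam_rootok.so` first, root is allowed no matter where it is logged in from, which is exactly the book's point; and replacing it with `required pam_rootok.so` denies every non-root user, console or not. One caveat: this only decides what PAM would answer when asked. The /etc/pam.d/reboot stanza is consulted only by a program that authenticates through the `reboot` PAM service (on Red Hat systems of that era, the consolehelper wrapper behind /usr/bin/reboot), so a root shell that runs /sbin/reboot directly never reaches it, which is the point made later in the thread.

```python
"""Toy model of how Linux-PAM walks an 'auth' stack and what the modules named
in the thread decide.  Added example, not from the original post.  The module
behaviour is a simplified stand-in for the real modules (assumption) and the
securetty list is constructed."""
from dataclasses import dataclass

# Constructed: a minimal /etc/securetty listing only the local virtual consoles.
SECURETTY = {"tty1", "tty2", "tty3", "tty4", "tty5", "tty6"}


@dataclass
class Context:
    uid: int
    tty: str            # "tty1" for a local console, "pts/0" for an ssh session
    at_console: bool    # pam_console: the caller holds a console login
    password_ok: bool   # pam_stack service=system-auth: password check passes


def module_result(module, ctx):
    """Simplified stand-in for each module's verdict (assumption, not the real code)."""
    if module == "pam_rootok.so":
        return ctx.uid == 0
    if module == "pam_securetty.so":
        return ctx.uid != 0 or ctx.tty in SECURETTY   # only ever restricts root
    if module == "pam_console.so":
        return ctx.at_console
    if module.startswith("pam_stack.so"):
        return ctx.password_ok
    if module == "pam_permit.so":
        return True
    raise ValueError(f"unknown module {module}")


def parse_stack(text, mtype="auth"):
    """Return [(control, module-and-args)] for one management group of a pam.d file."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drops comments and commented-out rules
        if not line:
            continue
        fields = line.split(None, 2)
        if len(fields) == 3 and fields[0] == mtype:
            rules.append((fields[1], fields[2]))
    return rules


def run_stack(rules, ctx):
    """Walk the stack with Linux-PAM's simple control-flag semantics."""
    required_failed = False
    optional_results = []
    for control, module in rules:
        ok = module_result(module, ctx)
        if control == "required":
            required_failed = required_failed or not ok   # remembered; keep walking
        elif control == "requisite":
            if not ok:
                return False                              # fail at once
        elif control == "sufficient":
            if ok and not required_failed:
                return True                               # rest of the stack is skipped
        elif control == "optional":
            optional_results.append(ok)
        else:
            raise ValueError(f"unknown control flag {control}")
    if required_failed:
        return False
    if rules and len(optional_results) == len(rules):
        return optional_results[-1]      # optional only decides if nothing else is there
    return True


# The stanza quoted from the book (third auth line commented out) ...
BOOK_DEFAULT = """
auth       sufficient   pam_rootok.so
auth       required     pam_console.so
#auth      required     pam_stack.so service=system-auth
account    required     pam_permit.so
"""
# ... and the all-'required' stanza tried in the post.
OP_ATTEMPT = """
auth       required     pam_rootok.so
auth       required     pam_securetty.so
auth       required     pam_console.so
auth       required     pam_stack.so service=system-auth
account    required     pam_permit.so
"""

LOCAL_ROOT = Context(uid=0, tty="tty1", at_console=True, password_ok=True)
REMOTE_ROOT = Context(uid=0, tty="pts/0", at_console=False, password_ok=True)
LOCAL_USER = Context(uid=500, tty="tty2", at_console=True, password_ok=True)
REMOTE_USER = Context(uid=500, tty="pts/1", at_console=False, password_ok=True)


def decide(stanza, ctx):
    """True if the 'auth' stack of the given stanza would let ctx through."""
    return run_stack(parse_stack(stanza), ctx)


if __name__ == "__main__":
    for name, stanza in (("book default", BOOK_DEFAULT), ("all required", OP_ATTEMPT)):
        for who, ctx in (("local root", LOCAL_ROOT), ("remote root", REMOTE_ROOT),
                         ("local user", LOCAL_USER), ("remote user", REMOTE_USER)):
            print(f"{name:13} {who:12} -> {'allow' if decide(stanza, ctx) else 'deny'}")
```

Running it prints one allow/deny line per stanza and caller. The book default allows remote root (the `sufficient` short-circuit) and allows a local console user; the all-`required` stanza denies remote root in this model, but also denies the local console user, because a failed `required pam_rootok.so` is remembered for the rest of the stack.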
Posted 2005-11-1 02:32:43
Configure your securetty file to block the root user from logging in remotely.

OP | Posted 2005-11-1 04:30:21
yongjian, I beg you for more details

You said:
"configure your securetty file, block root user from login remotely."

I am not sure what you mean.

1. If there is an /etc/securetty file, root can't log in remotely; but you can su to root by first logging in as a non-root user.

2. If you want to even block su to root, then in /etc/pam.d/su uncomment this line (by default, only root is in the wheel group).

# Uncomment the following line to require a user to be in the "wheel" group.
#auth       required     /lib/security/$ISA/pam_wheel.so use_uid

However,
3. What I want to do is:
there is an /etc/securetty file, so root can't log in remotely, but can su.
Then I don't want root to be able to REBOOT remotely...

I know this actually sounds weird: if root can su remotely, he can then change everything.

So maybe we can't block root from rebooting remotely if root is allowed to log in remotely (directly or via su)???

Posted 2005-11-1 08:39:07
You got it. No matter what, if a user can get to a root shell, he/she is able to reboot the box.

Posted 2005-11-6 19:02:43
You just need to remove /etc/security/console.apps/reboot.

OP | Posted 2005-11-7 06:01:35
Thanks for the reply...

I tried removing /etc/security/console.apps/reboot, but it still doesn't work: as long as the root user can log in remotely, he can reboot remotely.

Posted 2005-11-7 22:07:03
Oh, sorry. I meant that on the local machine only root can reboot.