When normal (non-root) users log into a computer locally, they are
given two types of special permissions:
They can run certain programs that they would not otherwise be able
to run
They can access certain files (normally special device files used to
access diskettes, CD-ROMs, and so on) that they would not otherwise
be able to access
Since there are multiple consoles on a single computer and multiple
users can be logged into the computer locally at the same time, one of
the users has to "win" the race to access the files. The first user to
log in at the console owns those files. Once the first user logs out,
the next user who logs in will own the files.
In contrast, every user who logs in at the console
will be allowed to run programs that accomplish tasks normally restricted
to the root user. If X is running, these actions can be included as menu
items in a graphical user interface. As shipped, the console-accessible
programs include halt, poweroff, and
reboot.
By default, /etc/inittab specifies that your system
is set to shutdown and reboot the system in response to a [Ctrl]-[Alt]-[Del] key combination used at the console. If you would like to
completely disable this ability, you will need to comment out the
following line in /etc/inittab by putting a hash
mark (#) in front of it:
ca::ctrlaltdel:/sbin/shutdown -t3 -r now |
Alternatively, you may just want to allow certain non-root users the
right to shutdown the system from the console using [Ctrl]-[Alt]-[Del]. You can restrict this privilege to certain users, by
taking the following steps:
Add a -a option to the
/etc/inittab line shown above, so that it
reads:
ca::ctrlaltdel:/sbin/shutdown -a -t3 -r now |
The -a flag tells shutdown to
look for the /etc/shutdown.allow file, which
you will create in the next step.
Create a file named shutdown.allow in
/etc. The
shutdown.allow file should list the usernames
of any users who are allowed to shutdown the system using
[Ctrl]-[Alt]-[Del]. The format of the
/etc/shutdown.allow file is a list of
usernames, one per line, like the following:
According to this example shutdown.allow file,
stephen, jack, and sophie are allowed to shutdown the
system from the console using [Ctrl]-[Alt]-[Del]. When that key combination is used,
the shutdown -a in
/etc/inittab checks to see if any of the users in
/etc/shutdown.allow (or root) are logged in on a
virtual console. If one of them is, the shutdown of the system will
continue; if not, an error message will be written to the system
console instead.
For more information on shutdown.allow see the
shutdown man page.
