System user cannot halt/shutdown, only regular users. PAM?

[MBantz]

Having mythtv as a system user, after the latest edition of Zen there is no su or sudo anymore and halt/shutdown is failing.

halt/shutdown is linked to consolehelper and I assume halt/shutdown is secured with PAM now.

Trying to edit halt/shutdown/poweroff in /etc/pam.d folder to only this:

#%PAM-1.0
auth    sufficient    pam_permit.so

makes no difference - I can only halt/shutdown as regular user

any ideas?

thanks
MBantz

[Neal ManBear]

Perhaps a reinstall of your shutdown package might help?     

[MBantz]

he, he, perhaps - I have heavily smashed all sorts of security on this system by now,

I'll reinstall later (thanks god for the DRBL easy PXE clone:-).

My guess is that it must be PAM related, all clues point in that direction, but a clean install sounds like a good idea,

thanks
MBantz

[Neal ManBear]

I meant the shutdown/halt-reboot program only. Perhaps pam, also.     

[MBantz]

Just did a clean install of zen, latest edition and fully updated, but the system still won't let systemuser mythtv halt the system

As ordinary user there is no problem,

I use /usr/bin/halt -p (that is linked to consolehelper) command - also tried /sbin/halt -p

any ideas?

[Neal ManBear]

Something in mythtv is preventing it, I should think. As I don't use it, I can offer nothing further.     

[MBantz]

Thanks for your suggestions Neal, much appreciated :-)

I can dismiss MythTV as the culprit, as it reads the system shutdown line in mythtv-setup (and I set this to /usr/bin/halt -p) - if it is not present, it issues it's own suggestion that is sudo /sbin/halt -p (not used as I issue own command).

Shutdown has worked just fine for the past 3-4 years with sudo - now my mythtv setup (and I guess others as well) is useless as it can't wakeup and shutdown by itself.

I have also taken a look at policykit but no results.
I tried to put the mythtv user in users group, no results. Later on I try to add the mythtv user into ALL groups (i.e. monkeying around....)


As I can find there are these security measures:

PAM (via consolehelper) - most likely the reason is here
Policykit (edited to allow all users to stop the system)
MSEC (disabled on this system for now)
basic file security user/group/world permissions

are there any more?

[Neal ManBear]

Root group, maybe?     

[daniel]

I'm not sure for what you need it, but maybe this is a solution

Shutdown

Code: [Select]

dbus-send --system --print-reply --dest=org.freedesktop.ConsoleKit /org/freedesktop/ConsoleKit/Manager org.freedesktop.ConsoleKit.Manager.Stop
 

[melodie]

I'm not sure for what you need it, but maybe this is a solution

Shutdown

Code: [Select]

dbus-send --system --print-reply --dest=org.freedesktop.ConsoleKit /org/freedesktop/ConsoleKit/Manager org.freedesktop.ConsoleKit.Manager.Stop
 

Hi,

This is an idea, but other possibilities, closer to the Gnome desktop are possible.

MBantz,  you might want to vote for this package request I posted.

You might want to consider adding "/sbin/halt;" at the beginning of the shutdown command lines in GDM. You now will wonder why and how that can be related ? And maybe how to do that ? ^^

How that can be related
Here are the different commands:

$ ls -l /usr/bin/shutdown
lrwxrwxrwx 1 root root 13 avril 30  2010 /usr/bin/shutdown -> consolehelper*

$ ls -l /sbin/shutdown
-rwxr-xr-x 1 root root 22060 janv. 10  2010 /sbin/shutdown*

$ ls -l /usr/bin/halt
lrwxrwxrwx 1 root root 13 avril 30  2010 /usr/bin/halt -> consolehelper*

$ ls -l /sbin/halt
-rwxr-xr-x 1 root root 13732 janv. 10  2010 /sbin/halt*


Now, see the relation between the commands and their belonging:

consolehelper is sort of a "pam stuff". What packages does consolehelper belong to ?

$ rpm -qf /usr/bin/consolehelper
usermode-consoleonly-1.102-1pclos2010

what does it do ?

$ rpm -qil usermode-consoleonly | more
Name        : usermode-consoleonly         Relocations: (not relocatable)
Version     : 1.102                             Vendor: (none)
Release     : 1pclos2010                    Build Date: lun. 09 nov. 2009
10:04:05 CET Install Date: mer. 17 févr. 2010 04:15:06 CET      Build Host:
localhost.localdomain Group       : System/Libraries              Source RPM:
usermode-1.102-1pclos2010.src.rpm Size        :
768232                           License: GPLv2+ Signature   : (none)
URL         : https://fedorahosted.org/usermode/
Summary     : Non graphical part of usermode
Description :
This package contains only the usermode stuff which doesn't require
XFree or GTK to run.
/etc/pam.d/halt
/etc/pam.d/mandriva-console-auth
/etc/pam.d/mandriva-simple-auth
/etc/pam.d/poweroff
/etc/pam.d/reboot
/etc/pam.d/simple_root_authen
/etc/security/console.apps/halt
/etc/security/console.apps/poweroff
/etc/security/console.apps/reboot
/etc/security/console.apps/simple_root_authen
/usr/bin/consolehelper
/usr/bin/halt
/usr/bin/poweroff
/usr/bin/reboot
/usr/sbin/userhelper

..........

..............

It is the non graphical... what is and what does the graphical part do ? (just curious... )

$ rpm -qf /usr/bin/consolehelper-gtk
usermode-1.102-1pclos2010

Description :
The usermode package contains several graphical tools for users:
userinfo, usermount and userpasswd. Userinfo allows users to change
their finger information. Usermount lets users mount, unmount, and
format filesystems. Userpasswd allows users to change their passwords.

Install the usermode package if you would like to provide users with
graphical tools for certain account management tasks.

Well no idea... what is it's work, invoking "/usr/bin/consolehelper-gtk" returns "impossible to
find the selected program", but this does not matter, it's just a side question.

There is this new version for usermode-consoleonly, for which I went to request an update as I said above hoping this could help some shutdown problem.

To finish with this, what differs with /sbin/halt and /sbin/shutdown ?

$ rpm -qf /sbin/halt
sysvinit-2.87-1pclos2010
$ rpm -qf /sbin/shutdown
sysvinit-2.87-1pclos2010

not the same program as "/usr/bin/shutdown" and all linked to consolehelper*...  it is "this good ol' sysvinit".

How old is it ?

$ rpm -qil sysvinit
Name        : sysvinit                     Relocations: (not relocatable)
Version     : 2.87                              Vendor: (none)
Release     : 1pclos2010                    Build Date: dim. 10 janv. 2010
02:03:04 CET
...

Is there a new version out there ? Yes, but not at the same adress as
described in the spec file:
http://download.savannah.gnu.org/releases/sysvinit

I have also suggested an update here a while ago.

To solve the problem, at the moment, it is possible to configure GDM to make it use /sbin/halt from the sysvinit package. It might help solve with the button "shutdown" from the gnome panel, but I am not sure because I don't know how this is configured, and I don't even know if it is possible to change manually the command it calls for the extinction. At minimum you could logout and shutdown from GDM

How to do that ?
In user console type:

Code: [Select]

dbus-launch gdmsetup
then you will be prompted for the root password.

in the General tab, down right click on the button "Edit commands". You will see a new window. At the beginning of the line with all the commands, add as I said above : /sbin/halt;

then click on "Apply the modifications".

I will write into the file /etc/X11/gdm/custom.conf

Here is what mine looks like actually:

[daemon]
AlwaysRestartServer=true
Browser=true
AutomaticLogin=
AutomaticLoginEnable=false


DefaultSession=openbox.desktop

HaltCommand=/sbin/halt;/usr/bin/poweroff;/sbin/poweroff;/sbin/shutdown -h now;/usr/sbin/shutdown -h now

[greeter]
Welcome=
GraphicalThemes=
DefaultWelcome=true
GraphicalTheme=pclosedu
DefaultFace=/usr/share/mdk/faces/yellow-rose.png

If you don't have "su" working correctly either, it might be because of a few bugs in the last Zen as of July. See here for more information. A new test version is available which has been announced at the tester's mailing list. Have you registered there ?

Regards,
Mélodie