Friday, December 19, 2008

Shock! Horror!! A delegate ate my machine!

OK, he didn't actually eat it, but he did exploit a "feature" of CentOS I was unaware of. The halt, reboot, and poweroff programs can be called from an ordinary user if that user is logged on to the console at the time. Our classroom users have very simple passwords, but the point is that these can be called from a non-root user.

I found a fix (with thanks to Mr. Google) but I'm sure there is probably a better one. Right now this will do, since it appears to work, but I'll try and find an alternative.

In /etc/security/console.apps there is a config file for the programs mentioned (and others). Set each one to something like (for example):

USER=nobody
PROGRAM=/sbin/poweroff
SESSION=true

Of course having better passswords would help...