
View Full Version : Shutdown Desktop command


Tortanick
08-28-2006, 04:23 PM
PeteF, I saw your request for help on the freespire forums. Unless I'm mistaken, your solution requires users to enter their password, and depends on them being sudoers.

I'd like to recommend this article (http://www.debian-administration.org/articles/33) that will show you how to edit the sudoers file so that any user can use the shutdown command.

P.S. You should use halt rather than shutdown. halt is literally shutdown -h now without the ability to set up a timed shutdown, preventing users from pranking each other. I can't imagine your users doing that either, but it can't hurt to use halt anyway.

If you don't want to read the article I think adding the following lines will work:

# Alias names must be upper case in sudoers
User_Alias EVERYONE = ALL
Cmnd_Alias HALT = /sbin/halt
EVERYONE ALL = NOPASSWD: HALT

If that doesn't work, check that /sbin/halt exists, and if not, find the correct path. If it still isn't working, then ask me to figure it out.

Then for your shell script just have

#!/bin/bash
# Cmnd_Alias names only exist inside sudoers, so call the real path
sudo /sbin/halt

This can easily be applied to other tasks, such as mounting ISOs

PeteF
08-29-2006, 01:15 AM
PeteF, I saw your request for help on the freespire forums. Unless I'm mistaken, your solution requires users to enter their password, and depends on them being sudoers.

I'd like to recommend this article (http://www.debian-administration.org/articles/33) that will show you how to edit the sudoers file so that any user can use the shutdown command.


Tortanick,
Thanks for the info. I saved all that.
In the post at Freespire Forum, I detailed how I use "sudo /." which
allows the non-root user to execute the shutdown script. No passwords
required, it shuts right down without any user intervention.


Excerpt below from my post at..
http://forum.freespire.org/showthread.php?p=12970#post12970

4.) In the COMMAND textbox, add the "sudo /." prefix to the path and
filename. Example.. sudo /.'/home/owner/My Documents/shutdown'


I also posted the same question at the Mepis Forum and they
gave me a simpler solution. Read about it here...
http://www.mepislovers.com/forums/index.php?topic=1478.0

Bottom line, I got it working in both Mepis and Freespire
such that a SHUTDOWN desktop icon can be used to shut
off the computer by simply clicking it and walking away.

---pete---

Tortanick
08-29-2006, 07:27 AM
Ah, didn't realise a SUID bit on shutdown would work. It's obvious in retrospect though. It should be applicable to freespire too.

And sudo should ask for a password, unless freespire set it up to not need one by default. Care to post the /etc/sudoers file? Because if sudo isn't asking for a password that's a HUGE security risk. Nothing near the average M$ as you need to trick a user to execute malicious code, but still bad.

btw, why did you have to put /. after sudo?

PeteF
08-30-2006, 04:05 AM
And sudo should ask for a password, unless freespire set it up to not need one by default. Care to post the /etc/sudoers file?

btw, why did you have to put /. after sudo?

I put "/." because that's what someone told me to do. :)


# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root ALL=(ALL) ALL

ALL ALL = (root) NOPASSWD: /usr/lib/cups/backend/
%admins ALL=(ALL) NOPASSWD: ALL

Tortanick. maybe you can point out to me any security
issues with the above settings. I'm still too new to understand
all what's happening here.

Is it like you said? No password required because of the
settings in the sudoers file?

PS: I had to log off my regular user account to even see the sudoers
file. I'm wondering if there is a way to get root privileges while logged
into the regular user account?

---pete---

Tortanick
08-30-2006, 05:41 AM
Did you make a separate account from the default administrator? I thought freespire only made one account by default.


As for your file:

root ALL=(ALL) ALL

means root can run any command as any user on any machine. That's a default, I *think*; just leave it alone. (Generally speaking, remote machines enforce restrictions on themselves, so any machine isn't really any machine.)


ALL ALL = (root) NOPASSWD: /usr/lib/cups/backend/

Without using a password any user can run anything inside /usr/lib/cups/backend/ as root. If a user can find a way to write to this file (hard to impossible assuming they haven't already got root permission) they could do anything by writing a shell script that changes the root password. They could also trick sudo to think a different folder is /usr/lib/cups/backend/ but again that's hard to impossible.

Note: cups, or more accurately CUPS is Common Unix Printing System

%admins ALL=(ALL) NOPASSWD: ALL

All members of the admin group can run any command, as any user, on any machine, without a password. While accidentally running a program isn't particularly risky (why was it chmoded to be executable) and typing the wrong terminal command isn't likely (must have sudo prefix) it does mean that if someone can remotely execute code and you're running an admin account they can control the system.

Running remote code on Linux is a lot harder than Windows, but I wouldn't say it's impossible. And freespire has just said that if someone uses the default admin account that remote code, with sudo prefix, can easily do anything. BAD!

This is assuming of course that they haven't modified the sudo program. But I doubt that anyone would modify core programs.


If you want to give admin privileges to other users I'd add the following lines:

Defaults:ALL timestamp_timeout=0
Defaults:ALL tty_tickets
%miniadmins ALL = (ALL) ALL

Now create a group called miniadmins, and add your users to them. They'll have the same privileges as regular admins but need to enter their passwords to sudo every time.
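
Added example, not part of the original posts: a Python check that applies the reading of the sudoers file given above, flagging passwordless grants that cover ALL commands or a whole directory while leaving a single-binary grant such as /sbin/halt alone. It assumes single-line rules (no backslash continuations or #include); audit_sudoers and SAMPLE are names made up for this sketch.

```python
import re

# who hosts = [(runas)] [TAG:] cmd[, cmd ...]   (simplified user-spec grammar)
SPEC = re.compile(r"^(\S+)\s+[^=]+=\s*(?:\([^)]*\)\s*)?(.+)$")
TAG = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*")
SKIP = ("#", "Defaults", "User_Alias", "Host_Alias", "Runas_Alias")

def audit_sudoers(text):
    """Return (line, who, command, reason) for every passwordless grant
    that is broader than a single fixed binary."""
    aliases, findings = {}, []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith(SKIP):
            continue
        if line.startswith("Cmnd_Alias"):
            name, cmds = line[len("Cmnd_Alias"):].split("=", 1)
            aliases[name.strip()] = [c.strip() for c in cmds.split(",")]
            continue
        m = SPEC.match(line)
        if not m:
            continue
        who, rest = m.groups()
        nopasswd = False  # a tag stays in force for the commands after it
        for item in rest.split(","):
            item = item.strip()
            while (t := TAG.match(item)):
                if t.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = t.group(1) == "NOPASSWD"
                item = item[t.end():]
            for cmd in aliases.get(item, [item]):
                if nopasswd and cmd == "ALL":
                    findings.append((no, who, cmd, "any command, no password"))
                elif nopasswd and cmd.endswith("/"):
                    findings.append((no, who, cmd, "whole directory, no password"))
    return findings

# Rules copied from this thread (alias names upper-cased, as sudoers requires).
SAMPLE = """\
User_Alias EVERYONE = ALL
Cmnd_Alias HALT = /sbin/halt
EVERYONE ALL = NOPASSWD: HALT
root ALL=(ALL) ALL
ALL ALL = (root) NOPASSWD: /usr/lib/cups/backend/
%admins ALL=(ALL) NOPASSWD: ALL
Defaults:ALL timestamp_timeout=0
%miniadmins ALL = (ALL) ALL
"""

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE):
        print(*finding, sep=" | ")
```

For a directory grant that is flagged, the follow-up check is that the directory and everything in it is owned by root and not writable by group or others.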

PeteF
08-30-2006, 07:06 AM
Did you make a separate account from the default administrator? I thought freespire only made one account by default.


Ok, I saved all the info you provided on my sudoers file.
Thanks.

As for accounts, I have a root account and one user
account with administrator privileges.

---pete---

Tortanick
08-30-2006, 09:30 AM
OK, you're all set. Just make sure that your admin accounts are in the miniadmins group (admins is a security risk, I just left it in case freespire needs it for behind-the-scenes work) then prefix your commands with sudo to run them as an admin. Because constant password prompts are annoying, sudo bash and sudo konqueror can be used for extended work as root.

One final note, your desktop icon depends on being in the admins group, miniadmins with nice secure password prompts won't work, just use the suggestion you got on the mepis forum instead.

And if I got anything wrong tell me, only way I'll learn :)

[update] Someone noticed this on the freespire forums (http://forum.freespire.org/showthread.php?t=1523). Apparently it's safe to simply turn %admins ALL=(ALL) NOPASSWD: ALL into %admins ALL=(ALL) ALL. I'd still add the extra defaults though :)