Security: Writing "shutdown" into sudoers file

Post by Apache »

Hello everyone,

sometimes I let my computer do a thing, I leave my home, and want it to be shut down. For example:
wipe -q -r /media/user/DISK ; sudo shutdown -h now
I normally would run this one as root; however, sometimes I need to run commands as "user".
The shutdown command needs to run as "sudo" or root, so my question is:
I want my computer to shut down without asking then for the sudo-PW.
In Gnome-Terminal it seems to save/remember the "sudo"-pw, but for how long? If I want to run the long-time-command without sudo, but the shutdown command needs sudo, what should I do?
E.g.
sudo -i ; logout ; long-time-command; sudo shutdown -h
Would this solution be ok?
But what if the long-time-command takes 5 hours, will gnome-terminal then ask for the PW again, thus not shutting down?

As I am not sure about this, I am thinking about using visudo to write the shutdown-command into the sudoers file, so the user could use "shutdown" without sudo... or without asking for the sudo-pw.

What's the normal solution for this issue? Would it be insecure writing shutdown for the user into the sudoers file?

Thank you for answers!
Apache.
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.

Re: Security: Writing "shutdown" into sudoers file

Post by ajgreeny »

In Ubuntu-16.04 sudo is no longer required for a user to execute the shutdown or reboot command; is that not the same in Mint?

However if you do need to use sudo still in Mint you can add either a specific time, or a delay, to the shutdown command very easily.
See man shutdown for info
The time string may either be in the format "hh:mm" for hour/minutes specifying the time to execute the shutdown at, specified in 24h clock format. Alternatively it may be in the syntax "+m" referring to the specified number of minutes m from now. "now" is an alias for "+0", i.e. for triggering an immediate shutdown. If no time argument is specified, "+1" is implied.

Note that to specify a wall message you must specify a time argument, too.

If the time argument is used, 5 minutes before the system goes down the /run/nologin file is created to ensure
that further logins shall not be allowed.
I see no good reason to edit the sudoers file for something simple that seems already possible.

Re: Security: Writing "shutdown" into sudoers file

Post by grumpy_geek »

Apache wrote: In Gnome-Terminal it seems to save/remember the "sudo"-pw, but for how long? If I want to run the long-time-command without sudo, but the shutdown command needs sudo, what should I do?
How about making the sudo session last longer (- not sure this works in Mint, though).

Re: Security: Writing "shutdown" into sudoers file

Post by Flemur »

I do this and then regular guys can run it without sudo:

sudo chmod u+s /sbin/shutdown
Please edit your original post title to include [SOLVED] if/when it is solved!
Your data and OS are backed up....right?
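
A check for the chmod u+s approach in the post above, as an added example that is not part of the post: chmod follows symbolic links, so where /sbin/shutdown is a symlink (an assumption to verify on your release) the setuid bit lands on the link's target and applies to every local user. The names setuid_report, list_setuid and multi-tool are hypothetical, and the demo touches only constructed files in a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the thread. All files are constructed in a
# temporary sandbox; "multi-tool" is a hypothetical stand-in binary.

# setuid_report PATH -> "<resolved path> setuid=<yes|no> mode=<octal>"
setuid_report() {
    target=$(readlink -f -- "$1") || return 2
    [ -e "$target" ] || return 2
    if [ -u "$target" ]; then flag=yes; else flag=no; fi
    printf '%s setuid=%s mode=%s\n' "$target" "$flag" "$(stat -c %a -- "$target")"
}

# list_setuid DIR -> every setuid regular file below DIR, for a periodic audit
list_setuid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Apply the post's chmod to a symlink inside the sandbox and report where
# the bit ends up: chmod changes the link's target, never the link itself.
demo_symlink_case() {
    dir=$(mktemp -d) || return 1
    printf '#!/bin/sh\n' > "$dir/multi-tool"
    chmod 755 "$dir/multi-tool"
    ln -s multi-tool "$dir/shutdown"
    setuid_report "$dir/shutdown"      # before
    chmod u+s "$dir/shutdown"
    setuid_report "$dir/shutdown"      # after
    list_setuid "$dir"
    rm -rf "$dir"
}

demo_symlink_case
```

On a real system, running setuid_report on /sbin/shutdown before and after the change shows which file actually carries the bit.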

Re: Security: Writing "shutdown" into sudoers file

Post by Apache »

ajgreeny wrote: "hh:mm" for hour/minutes specifying the time to execute the shutdown at, specified in 24h clock format.
Thanks for this answer, and this may be helpful in some cases, but you probably don't know when the long-time-command ends.
If you think it will last for 5 hours, but then it turns out to be 8 hours, and the shutdown-command will run at 6 hours from now, this is not the solution!
I want to be sure with this one:

First: Longtime command ; then: shutdown -h,
the ";" or "&" does this quite well already.
And not:
shutdown -h 17:26
long-time command. (without the knowledge how long this command actually takes, so we need ";" or "&")
Thanks anyway, appreciated.

Re: Security: Writing "shutdown" into sudoers file

Post by xenopeek »

You didn't specify your Linux Mint version but from Linux Mint 18 and LMDE 2 you can just use the command systemctl shutdown without need for sudo.

For earlier versions you use this command to shutdown without need for sudo:

dbus-send --system --print-reply --dest="org.freedesktop.ConsoleKit" /org/freedesktop/ConsoleKit/Manager org.freedesktop.ConsoleKit.Manager.Stop

Re: Security: Writing "shutdown" into sudoers file

Post by shengchieh »

Will this work?

pause 3000 ; systemctl shutdown
Sheng-Chieh

Re: Security: Writing "shutdown" into sudoers file

Post by powerhouse »

xenopeek wrote: You didn't specify your Linux Mint version but from Linux Mint 18 and LMDE 2 you can just use the command systemctl shutdown without need for sudo.

For earlier versions you use this command to shutdown without need for sudo:

dbus-send --system --print-reply --dest="org.freedesktop.ConsoleKit" /org/freedesktop/ConsoleKit/Manager org.freedesktop.ConsoleKit.Manager.Stop
That's cool - how did you memorize that? Just a joke. I love Linux!
shengchieh wrote: Will this work?

pause 3000 ; systemctl shutdown
Sheng-Chieh
You could just change pause 3000 to pause 5 and give it a try. I don't see why this shouldn't work.
Subjects of interest: Linux, vfio passthrough virtualization, photography
See my blog on virtualization, including tutorials: https://www.heiko-sieger.info/category/ ... alization/

Re: Security: Writing "shutdown" into sudoers file

Post by xenopeek »

powerhouse wrote: That's cool - how did you memorize that? Just a joke. I love Linux!
I did not remember the dbus command, only the systemctl command :lol: I did recall I figured this out in the past and so looked for my topic on that and copied the dbus command from there.

Re: Security: Writing "shutdown" into sudoers file

Post by ajgreeny »

Another quick thought!

What about combining the two commands into one separated with double ampersands; that way the second command (shutdown) will only execute when and if the first has finished successfully.
So try

<long-term-command> && systemctl shutdown

Re: Security: Writing "shutdown" into sudoers file

Post by lmuserx4849 »

Apache wrote: ...
I normally would run this one as root; however, sometimes I need to run commands as "user".
The shutdown command needs to run as "sudo" or root, so my question is:
I want my computer to shut down without asking then for the sudo-PW.
...
When needed, for the user part: sudo -iu username -- command

The dbus-send command that xenopeek listed, worked for me @LM17.3. In fact an archlinux user made the dbus commands into scripts.

A useful command, qdbusviewer, is a gui that allows you to walk through the objects and their methods.

There was an interesting askubuntu question 1 or question 2, that says it is policy-kit (/usr/share/polkit-1/actions/org.freedesktop.consolekit.policy). I've never jumped into policy-kit much. But there is a reply that says: "A slightly safer option would be to allow sudoers passwordless shutdown."

It is my understanding that systemd-logind (>LM17.3) changes the above (??)... replacing consolekit, so the dbus command would be different.
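
A scope check for the passwordless-sudoers option quoted in the post above, as an added example that is not part of any post in this thread: how much a NOPASSWD rule hands out depends on how the command is written, and a rule naming the full command with its arguments permits only that one invocation. The user alice, the function names and the sample rule lines are constructed; the parser handles only simple one-line user rules.

```shell
#!/bin/sh
# Added example, not code from the thread. "alice" and every rule line below
# are constructed sample input; only one-line user rules are handled.

# shutdown_rule USER -> drop-in line that allows exactly "/sbin/shutdown -h now"
shutdown_rule() {
    printf '%s ALL=(root) NOPASSWD: /sbin/shutdown -h now\n' "$1"
}

# nopasswd_scope LINE -> how much a NOPASSWD rule hands out:
#   exact     absolute paths with fixed arguments only
#   any-args  an absolute path without arguments (sudo then accepts any arguments)
#   broad     ALL, a wildcard, or a path that is not absolute
#   none      not a NOPASSWD rule
nopasswd_scope() {
    case $1 in *NOPASSWD:*) ;; *) echo none; return 0 ;; esac
    cmds=${1#*NOPASSWD:}
    scope=exact
    old_ifs=$IFS; IFS=,; set -f
    for c in $cmds; do
        c=$(printf '%s' "$c" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case $c in
            ALL|*\**|*\?*|*\[*) scope=broad ;;
            /*' '*) ;;
            /*) [ "$scope" = broad ] || scope=any-args ;;
            *) scope=broad ;;
        esac
    done
    set +f; IFS=$old_ifs
    echo "$scope"
}

# check_dropin FILE -> syntax check before the file goes into /etc/sudoers.d
check_dropin() {
    command -v visudo >/dev/null 2>&1 || { echo "visudo not installed"; return 3; }
    visudo -cf "$1"
}

for line in "$(shutdown_rule alice)" \
            'alice ALL=(root) NOPASSWD: /sbin/shutdown' \
            'alice ALL=(ALL) NOPASSWD: ALL'; do
    printf '%-9s %s\n' "$(nopasswd_scope "$line")" "$line"
done
```

With the exact rule in place, a job line can end in sudo -n /sbin/shutdown -h now; the -n option makes sudo fail instead of waiting at a password prompt nobody will answer.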

Re: Security: Writing "shutdown" into sudoers file

Post by xenopeek »

lmuserx4849 wrote: It is my understanding that systemd-logind (>LM17.3) changes the above (??)... replacing consolekit, so the dbus command would be different.
Yes, you just let systemctl shutdown handle it :wink: