You are not logged in.

#1 2023-03-23 08:06:40

knarh
Member
Registered: 2023-03-11
Posts: 57

[SOLVED]Can't shutdown

Hello,

I can't understand why shutdown command doesn't work, when there's execute flag for user
 
As I understand shutdown and poweroff comands are links to systemctl but systemctl have execute flag for user too

ls -l poweroff shutdown systemctl  http://0x0.st/HooC.png

Last edited by knarh (2023-03-26 14:34:17)

Offline

#2 2023-03-23 08:22:14

dogknowsnx
Member
Registered: 2021-04-12
Posts: 648

Re: [SOLVED]Can't shutdown


Notifications for Arch Linux package updates
RI - Rest your Eyes and Self

"We are eternal, all this pain is an illusion" - Maynard James Keenan

Offline

#3 2023-03-23 13:43:41

seth
Member
Registered: 2012-09-03
Posts: 50,012

Re: [SOLVED]Can't shutdown

You'll also need an active session, what brings us to

shutdown command doesn't work

Please don't paraphrase, https://bbs.archlinux.org/viewtopic.php?id=57855

Because of the likely context

loginctl session-status

Offline

#4 2023-03-24 02:14:12

knarh
Member
Registered: 2023-03-11
Posts: 57

Re: [SOLVED]Can't shutdown

Thanks for replies

Polkit install worked but I still can't understand why I need ONE MORE PACKAGE to something that I have out of the box need to work and polkit is privilege escalation, and I don' think It's good

Pease don't parahrase

My bad

I have an error "Failed to execure command: Permission denied"

Is there a way to use shutdown without polkit?

Offline

#5 2023-03-24 02:51:20

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,449
Website

Re: [SOLVED]Can't shutdown

You don't need polkit (I don't have it on any of my systems).  But you do need privilege escalation of some sort as you are asking about running commands that can only be run as root.  You can use polkit / sudo / doas / or just 'su' which you already have installed.  Pick whichever one you like.


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline

#6 2023-03-24 03:00:04

knarh
Member
Registered: 2023-03-11
Posts: 57

Re: [SOLVED]Can't shutdown

So inconvenient, use privilege escalation or log as root to run shutdown command, as I know in sysVinit u just need x flag for user.   Anyway thanks!

Offline

#7 2023-03-24 07:40:39

seth
Member
Registered: 2012-09-03
Posts: 50,012

Re: [SOLVED]Can't shutdown

as I know in sysVinit u just need x flag for user.

Yeah… that's complete bullshit.

From "u" being to lazy to write 3-letter words over the idea of an "x flag for user" (hardley referring to 500 here, since that "user" would be the root) to the entire assertion that execution rights on a binary would overcome further permission restrictions and that the sysvinit shutdown magically didn't require root permissions to do a whole host of things that all require root permissions.

With a dedicated shutdown binary you could suid it and you perfectly can write minimal program to that effect - which however is a pretty silly idea and technically still a privilege escalation.
Also nb that

https://manpages.debian.org/testing/sysvinit-core/shutdown.8.en.html wrote:

shutdown wasn't designed to be run setuid. /etc/shutdown.allow is not used to find out who is executing shutdown, it ONLY checks who is currently logged in on (one of the) console(s).

Also you don't need to login, su can execute commands just like sudo.

Furthermore, logind by default handles the power button to poweroff, so you could use that and signal your authority to the by your physical proximity to the power button.

But finally: feel free to use https://wiki.archlinux.org/title/SysVinit and figure yourself.

Offline

#8 2023-03-25 16:50:03

knarh
Member
Registered: 2023-03-11
Posts: 57

Re: [SOLVED]Can't shutdown

I'm such an idiot

I didn't understand the purpose of systemd or sysvinit, so it's out of the point.

As I understood shutdown(I googled that shutdown can be a script which runs halt or reboot, is it true?) or halt are the links to systemctl,so when I run "shutdown now", "systemctl poweroff" is  ran actually?(likely I wrote a total crap here)
Shutdown is a rave in text editor and there help information in the end, so it's how help work by the way? So how to check is it a binary?

hardley referring to 500 here, since that "user" would be the root

I meant 755 for instance, more precisely - the execute permission for users. So even the file can have x flag for users - it can just don't run(more correctly as I think that the file will be executed,but the further programs won't) because of further permission restrictions, as you wrote. I didn't even suspect that you need a root permission for all bunch of things which will be in system, after just the "shutdown" command.

shutdown wasn't designed to be run setuid. /etc/shutdown.allow is not used to find out who is executing shutdown, it ONLY checks who is currently logged in on (one of the) console(s).

I didn't understand the meaning, the same man says "shutdown brings the system down in a secure way...", please explain what did you mean. And if shutdown wasn't designed to be run suid, what can suid to poweroff the system?

So I suid shutdown, but suid bit was set to systemctl(that is logical) and all works, but from security perspective systemctl with suid is shit. I don't like sudo or su, but is this the only way?

Your answer helped me so much, thanks a lot.

P.S. "nb that" instead of "note that"?

Last edited by knarh (2023-03-25 17:06:12)

Offline

#9 2023-03-25 16:58:35

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,449
Website

Re: [SOLVED]Can't shutdown

knarh wrote:

Shutdown is a rave in text editor and there help information in the end, so it's how help work by the way? So how to check is it a binary?

Are there typos here?  I can't make any sense at all of the first question there.  But for the second:

file /bin/shutdown

For the other points, many binaries are executable by any user but need escalated privileges for completing most of their functions; pacman is a simple and obvious example.  The binary /bin/pacman also has 0755 permissions, but you still need to run it as root for many operations.

knarh wrote:

So I suid shutdown, but suid bit was set to systemctl(that is logical) and all is works but from security perspective systemctl with suid is shit. I don't like sudo or su, but is this the only way?

There are many ways.  But each has pros and cons.  The cons for setting symtctl to be suid are overwhelming compared to other options, so I'd think that's objectively the worst.  But other options will have a lot of subjectivity - they include (but are not limited to) sudo, su, doas, polkit, or just logging in as root on another tty.

What is your reason for not wanting to use su?  How do you run updates with pacman?  You can't administer a system at all without having some mechanisms of occasionally running commands as root - so you must have some such option already in place.

Last edited by Trilby (2023-03-25 17:03:20)


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline

#10 2023-03-25 17:43:21

knarh
Member
Registered: 2023-03-11
Posts: 57

Re: [SOLVED]Can't shutdown

Thanks for answering, I log as root on another tty for administer use.
But the for pc shutdown it's too long. I think that the privilege escalation is unacceptable but suid is privilege escalation in some way(obviosly I'm not a system administrator to know much about security), so, good configured sudoers may be a solution.

Yes, there are types,so most likely "shutdown" is a binary, but it's a symbolic link to systemctl, so I can unlinked "shutdown" and suid it. Will be there any problems with systemd or logind, if I try to shutdown the system that way? I think "shutdown" with suid is the best solution for me.

testshut: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so...

Thanks for explanation!

Last edited by knarh (2023-03-25 17:54:58)

Offline

#11 2023-03-25 19:42:16

seth
Member
Registered: 2012-09-03
Posts: 50,012

Re: [SOLVED]Can't shutdown

symbolic link to systemctl, so I can unlinked "shutdown" and suid it.

No you can't. I don't understand what you actually mean by that but you can't.
If you copy systemctl to shutdown and suid that, you've just essentially suid'd systemctl which "from security perspective systemctl with suid is shit"

If you wanted a suid binary to run "/usr/bin/systemctl poweroff" you'd write a simple C program that uses https://man.archlinux.org/man/core/man-pages/exec.3.en or https://man.archlinux.org/man/system.3.en to do that.
nb. that you *CANNOT!* suid scripts, you'd have to suid the interpreter (eg. /bin/bash) what is obviously an idiotic idea.

so, good configured sudoers may be a solution.

That or just use polkit - it will (iirc and by default) only allow the active user (or root) to shutdown the system, which is sane default.
Likewise you can just "su -c /usr/bin/shutdown", since you'll have "su" installed w/ util-linux and use an active root account anyway.

https://en.wikipedia.org/wiki/Nota_bene

Offline

#12 2023-03-26 07:17:09

seth
Member
Registered: 2012-09-03
Posts: 50,012

Re: [SOLVED]Can't shutdown

It's perfectly fine to do this on the forum

knarh wrote:

as I understood man page for execl, I need something like that(that's my first program actually, I only wrote 'hello world" before):
/*myshutdown.c*/

#include <unistd.h>

int main()
{
        execl("/usr/share/systemctl","poweroff", NULL);
        return 0;
}

So, I need to compile it, and chmod it to 04700? And if I want to start it as usual binary without "./", am I need to move it to /usr/bin?

stat /usr/share/systemctl

Sure that's the binary you want to run?

Setting it 04700 won't help because then only the owner can execute it and it'll be elevated to the euid of the owner (root)
You'd at least allow the group to execute it and add yourself to the relevant group.

Offline

#13 2023-03-26 10:37:46

knarh
Member
Registered: 2023-03-11
Posts: 57

Re: [SOLVED]Can't shutdown

Sure that's the binary you want to run?

/usr/bin/systemctl of course, not /usr/share/systemctl

So I need:

#chgrp adm myshutdown
#chmod 04750 myshutdown
#usermod -aG adm tanzhi 

And if I want to execute "myshutdown" only by name, not by full path, I need to move it to /usr/bin?

Offline

#14 2023-03-26 11:25:40

seth
Member
Registered: 2012-09-03
Posts: 50,012

Re: [SOLVED]Can't shutdown

Why don't you just try?

Offline

#15 2023-03-26 11:53:13

knarh
Member
Registered: 2023-03-11
Posts: 57

Re: [SOLVED]Can't shutdown

It worked, but I still don't know how to execute it only by name, not by a full path, I need something to do with interpreter?

Offline

#16 2023-03-26 12:01:16

seth
Member
Registered: 2012-09-03
Posts: 50,012

Re: [SOLVED]Can't shutdown

And if I want to execute "myshutdown" only by name, not by full path, I need to move it to /usr/bin?

Why don't you just try?

echo $PATH

Offline

#17 2023-03-26 14:33:15

knarh
Member
Registered: 2023-03-11
Posts: 57

Re: [SOLVED]Can't shutdown

I moved it to /usr/lib..."facepalm"

It works fine, thanks for helping!

Last edited by knarh (2023-03-26 14:33:57)

Offline

Board footer

Powered by FluxBB