Shutdown is too easy

David A. De Graaf dad at datix.2y.net
Wed Jul 20 17:38:44 CEST 2005 

On Wed, Jul 20, 2005 at 10:08:58AM +0200, Jean-Fran?ois Wauthy wrote:
> Le mardi 19 juillet 2005 à 23:33 -0400, David A. De Graaf a écrit :
> > The 'exit' popup window offers three choices:
> >   - Quit current session
> >   - Reboot the computer
> >   - Turn off the computer
> > 
> > The convenience of single clicking to shut down the computer is vastly
> > exceeded by the danger.  I would like to delete or disable this
> > third option.  Such an irreversible action should take more effort.
> > 
> > In preparation for a trip, I was experimenting with running a VNC
> > connection from a laptop over an SSH tunnel to my main home computer.
> > (XFCE works great in this configuration!)  However, I accidentally clicked
> > "Turn off the computer".  Luckily I was sitting at home and could push
> > the power button to turn it back on, but the thought of doing this while
> > away from home is too scary to think about.
> > 
> > Is there a way to remove this dangerous option?
> > 
> IIRC the only way to stop the system whithout any further confirmation
> is by setting sudo to not ask password for the current user for at
> least /sbin/halt, /sbin/reboot/ and /sbin/shutdown
> 
> so i'd say configure sudo to ask you a password when you try to shutdown
> the system...
> 

You have diagnosed my problem perfectly.  Thank you, Jean-François
Wauthy.

I had configured sudo to let me do everything (pretty dumb, I know):
    dad     ALL=(ALL) NOPASSWD: ALL

This includes whatever command is used by the shutdown cartoon.
However an attempt to exclude shutdown failed to restrict it:
    dad     datium=PASSWD: /sbin/shutdown, NOPASSWD: ALL

I either misunderstand the man page for 'sudoers' (which is the
epitome of incomprehensibility), or the shutdown icon mysteriously
uses some command other than /sbin/shutdown.  (Sometimes I really hate
GUI interfaces!)

In any case, I've removed all interventions with sudo and now XFCE
shuts down as it should - by requiring a password.

-- 
	David A. De Graaf    DATIX, Inc.    Hendersonville, NC
	dad at datix.2y.net     www.datix.us

More information about the Xfce mailing list