Hi, I have a handful of openSUSE 11.4 machines that I allow users to use the GUI for web surfing and writing documents and I am meanwhile running scientific computing jobs in the background. Every now and then, someone clicks “shutdown”, “reboot”, or “hibernate” and ruins my afternoon.
I’ve searched Google and these forums for ways to prevent a normal user from shutting down the system, but so far haven’t had any luck in finding a solution. I have found instructions for just about every other Linux OS, except openSUSE though.
These machines are running LXDE, but my preferred solution wouldn’t depend on the particular desktop solution in use.
On Thu, 16 Jun 2011 19:36:03 +0000, quantamm wrote:
> These machines are running LXDE, but my preferred solution wouldn’t
> depend on the particular desktop solution in use.
If you want to lock down the desktop, then the desktop environment is an
integral part of the decision on how to restrict the interface. You do
this differently in LXDE than in GNOME than in KDE, etc.
There are a couple of things that puzzle me about your request as well -
How does someone shutting down a machine ruin your afternoon? It
should be a matter of just turning the machine back on, no?
Are you restricting access to the physical PC itself as well - or how
are you going to prevent them from powering the machine off with the
power switch? (Don’t think that’ll happen? I worked in a University
computer lab and had students turn off machines that had signs over the
monitor that said “Server - DO NOT POWER OFF” and cardboard taped over
the power toggle switch (PS/2 systems).
This is not possible. If normal users click “shutdown” or “reboot” either it will not work or they will be asked for the root password. Take your users out of the wheel group and change the root password!
If a user types “shutdown -r now” in a terminal, he should see the following message:
Absolute path to ‘shutdown’ is ‘/sbin/shutdown’, so running it may require superuser privileges (eg. root).
How does someone shutting down a machine ruin your afternoon? It
should be a matter of just turning the machine back on, no?
He is running them in the background:
I am meanwhile running scientific computing jobs in the background.
I guess when someone stops the system when you are three hours in a four hour calculation saying “ruin my afternoon” is a nice remark.
I founf something in YaST > Security and users > Secirity center (or similar wording). Startup configuration. About Ctrl-Alt Del and the KDM shutdown option.
I guess you have to search for al the holes. And in the end hendersj is correct. They will even try to pull out the power cord when they think fit. Only thing is to put a computer in the good locked computer room and only allow remote access (as in the good old days ).
On 2011-06-16 21:53, Jim Henderson wrote:
> On Thu, 16 Jun 2011 19:36:03 +0000, quantamm wrote:
>
>> These machines are running LXDE, but my preferred solution wouldn’t
>> depend on the particular desktop solution in use.
I would hack the runlevel scripts. For example, if a certain file exists or
does not exists, abort halting.
But before, in file “/etc/sysconfig/displaymanager” try adjusting this:
Determine who will be able to shutdown or reboot the system in kdm
and gdm. Valid values are: “root” (only root can shutdown), “all”
(everybody can shutdown), “none” (nobody can shutdown from
displaymanager), “auto” (follow
System/Security/Permissions/PERMISSION_SECURITY to decide: "easy
local" is equal to “all”, everything else is equal to “root”). Note
that remote user can never shutdown in GDM.
DISPLAYMANAGER_SHUTDOWN=“auto”
Path: Desktop/Display manager
Type: string(Xorg)
Default: “Xorg”
> There are a couple of things that puzzle me about your request as well -
>
> 1. How does someone shutting down a machine ruin your afternoon? It
> should be a matter of just turning the machine back on, no?
No.
The job he is running in the background is halted without saving the data -
if it can save the data before it finishes.
> 2. Are you restricting access to the physical PC itself as well - or how
> are you going to prevent them from powering the machine off with the
> power switch? (Don’t think that’ll happen? I worked in a University
> computer lab and had students turn off machines that had signs over the
> monitor that said “Server - DO NOT POWER OFF” and cardboard taped over
> the power toggle switch (PS/2 systems).
Ouch!
–
Cheers / Saludos,
Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)
On 2011-06-16 23:06, hcvv wrote:
> I guess you have to search for al the holes. And in the end hendersj is
> correct. They will even try to pull out the power cord when they think
> fit.
For which the cure is “fire” >;-)
–
Cheers / Saludos,
Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)
On 06/16/2011 09:36 PM, quantamm wrote:
>
> I’ve searched Google and these forums for ways to prevent a normal user
> from shutting down the system
this is the surefire way:
write a note saying something like “Do not shut down, hibernate,
sleep, Ctrl-Alt-Delete, press the power button or unplug the machine”
get a BIG stick and use it to beat the living daylights out of one or
two, in front of all users…
(or go though a tedious process of changing permissions/scripts/voodoo
so that only root can do the things you don’t want a user to do—but,
as mentioned they can still unplug or press the power button!!)
sorry, i forgot to give the real answer: i think you are looking for
some version of a “kiosk mode”, but i’ve never done it, see here for
hints: http://preview.tinyurl.com/6zfcqyg
On Thu, 16 Jun 2011 20:50:07 +0000, Carlos E. R. wrote:
>> There are a couple of things that puzzle me about your request as well
>> -
>>
>> 1. How does someone shutting down a machine ruin your afternoon? It
>> should be a matter of just turning the machine back on, no?
>
> No.
>
> The job he is running in the background is halted without saving the
> data - if it can save the data before it finishes.
Ah, makes sense, I somehow completely missed the part about background
computing jobs.
>> 2. Are you restricting access to the physical PC itself as well - or
>> how are you going to prevent them from powering the machine off with
>> the power switch? (Don’t think that’ll happen? I worked in a
>> University computer lab and had students turn off machines that had
>> signs over the monitor that said “Server - DO NOT POWER OFF” and
>> cardboard taped over the power toggle switch (PS/2 systems).
>
> Ouch!
Yeah, not fun having all the network systems shut down because someone
powered the server off. (We weren’t allowed a secure room for the server
at that point - that changed after several students lost their work when
one of them powered the server off because they didn’t have a login
prompt).
On 2011-06-16 23:43, DenverD wrote:
> On 06/16/2011 11:37 PM, DenverD wrote:
>
>> - get a BIG stick
>
> sorry, i forgot to give the real answer: i think you are looking for some
> version of a “kiosk mode”, but i’ve never done it, see here for hints:
> http://preview.tinyurl.com/6zfcqyg
>
> yipee: http://en.opensuse.org/Kiosktool
X’-)
The other day we were visiting a science museum, with several kids. At some
time the grown ups were chatting, and two kids were at a computer exhibit.
Suddenly, one of the guards ran towards the computer and told the kids
something, probably remonstrating.
Then we found out that the computer exhibit was just a windows machine with
iexplorer set to an address of interest (insects in Andalucía or
something). Nobody thought of locking it somehow, or just didn’t know how
to do it… so kids, being kids, were browsing internet!
–
Cheers / Saludos,
Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)
On 06/17/2011 03:38 AM, Carlos E. R. wrote:
> so kids, being kids, were browsing internet!
yep, every time i’m in a similar situation (Redmond’s best set out for
honest folks to ‘learn’ something [museum, art gallery, info center,
transportation schedules, whatever]) i usually try to see how ‘secure’
it is…
Reminds me of the time when we were young. Somewhere in the seventies I guess. Some of my co-workers went to the Amsterdam Efficiency Fair. There they found the company that we had our big iron from (no, not IBM and certainly not MS) that showed a small office system. They wanted to demonstrate and asked the bystanders for a volunteer. Of course nobody stepped forward, but two of my bunch pointed to the third: “He!”
So the demonstrator had to take him. He was given a chair and the demonstrator read what the system asked: to choose between three options by typing a 1, 2 or 3. He invited: “Please type one”. My colleague typed a 4 and before the other could cry “NO” he hit the Return key. The whole application crashed. rotfl!
We called this “destructive testing” and we loved it.
To be honest, not without a locked computer room. In my struggle to prevent users to power off a server (that does have big yellow “DO NOT POWER OFF, YOUR WORK DEPENDS ON THIS MACHINE”), this is what I did:
I put DUCT tape across the POWER button on the server. Which made someone unplug it from the wall.
To avoid that, the power plug now has a locking wire across it, so it cannot easily be unplugged from the wall.
Disallowed users to shutdown/reboot (described above). This made them remove the DUCT tape on the power button, hold it for four seconds and call me the next morning with a “NO NETWORK” complaint.
Disconnected the power switch (easily done, instructions available on the web). After 2 weeks someone found out that the server’s PSU, like his PC at home, has a POWER switch too…
Replaced the PSU with one without a POWER switch. This helped for quite a while, until someone found out, it can be unplugged at the machine’s end.
Solution: I sent a € 1000 invoice for network recovery. The manager sent a copy of it to all. stating these were the costs of ignoring company instructions. Which helps so far.
And then, the reasons used for this behaviour:
fire prevention
continuous annoyance by the two leds ( that someone already painted red (?) with a oermanent marker ). The two who mentioned this, have their iPhones blinking and blasing all the time BTW.
fear of ozon poisoning
security (??? hackers only attack machines when no one’s there?)
mismanagement in systems administration: it’s ridiculous, clients should work without a server as well.
And here’s the best part: when the server was powered off for maintenance in a weekend, they removed it entirely, to clean the place from non used items. I was only out for 10 minutes for a coffee and a smoke, met them on the stairs when they were going to waste “that small useless machine, that nobody uses”. A world without sysadmins, that’s what we need.
“How does shutting down a machine ruin an afternoon?” I’m running scientific calculations on these machines that involve diagonalizing huge matrices. A single diagonalization can take several hours, so an inadvertently shutdown machine can mean the elimination of hours of work.
“Are you restricting access to the machines?” Sort of. This is a private lab and the machines are out of the way. The users in the lab are grad students and they know better than to intentionally shut off a machine, but in LXDE, the logoff/shutdown menu has 5-6 entries, only one of which (logoff) is what I want available. A mistaken mouse click is what I’m trying to avoid.
Please_try_again said:
“This is not possible.” and implied that the users may have the root password. Sure, if the users attempt a shutdown from the commandline, it fails, but they can perform a shutdown or reboot from inside LXDE.
To robin_listas, hcvv, and DenverD: thank you. I’ll try all of the suggestions and I’ll reply back once I have a resolution I’m happy with.
On 06/17/2011 09:36 PM, quantamm wrote:
> To robin_listas, hcvv, and DenverD: thank you. I’ll try all of the
> suggestions and I’ll reply back once I have a resolution I’m happy with.
i just remembered another one…but, i’ve never used (or seen) LXDE so i
don’t know if you can use it…
in KDE4 there is a Personal Settings - Configure Desktop, if i open that
and go System Administration > Login Screen > Shutdown (tab) there you
can see (here) an “Allow Shutdown” section with the ability to set who
can shutdown either locally or remotely…
spin the “Local” setting from “Everybody” to “Only Root” or even
“Nobody” – and the if you choose the latter then you could set to allow
“Only Root” from a remote location and ssh in from your office
maybe someone else can chime in on how to do the same in LXDE (there
MUST be a non-DE specific or system config file this can be set up in…
On 2011-06-17 22:11, DenverD wrote:
> maybe someone else can chime in on how to do the same in LXDE (there MUST
> be a non-DE specific or system config file this can be set up in…
And I posted it…
–
Cheers / Saludos,
Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)