Disable XRDP users from restarting/Shutting Down Computer

nishanth9042 · July 24, 2015, 5:36pm

Hello all,

I am using OpenSUSE 13.1 with XFCE DE and I have installed xrdp and it’s working fine but the only issue is the normal users who login via RDP from terminals are able to shut the computer down. How to prevent RDP users from Shutting/Rebooting the computer.

Thanks.

tsu2 · July 24, 2015, 7:55pm

Since XRDP enables a User to login locally, I don’t know that it’s possible directly.
But, there are well known ways used by many technologies to more or less enable what you describe…

Shutdown requires root permissions. Don’t allow your Users root permissions (both su and sudo, sudo requries modifying the sudoers file)
Remove any objects used to shutdown, although this might not be very usable by itself if the User feels familiar at the command line, you can do things like remove shutdown as a menu option in the Desktop.
Deploy VMs or similar. Since the User is logging into a virtual machine, the only thing being shut down is the virtual machine and not the Host.

The above can be applied a variety of ways like configuring config files manually, perhaps applying policy.

TSU

robin_listas · July 25, 2015, 2:48am

On 2015-07-24 19:56, tsu2 wrote:

> - Shutdown requires root permissions. Don’t allow your Users root
> permissions (both su and sudo, sudo requries modifying the sudoers file)

Guessing… I think policykit may be involved.

–
Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))

nishanth9042 · July 25, 2015, 3:05am

Found a strange thing. When I start the xrdp service after computer boots then the RDP users are able to shut down the computer where if I start the service by adding to crontab then the RDP users are just able to disconnect the session.

Also the chkconfig doesn’t start the xrdp service at boot.

tsu2 · July 25, 2015, 6:24pm

As I suggested in my post, technicaly speaking I think you’re describing simple multi-user logins to the Linux running on bare metal only. By definition, this is not “virtualization” since nothing is actually virtualized, it’s simply multiple Users accessing the system, so by default every User <may> have root and shutdown permission unless a security policy prevents or hides.
There are generally 2 main categories of Virtualization discussed in this forum, one seen more than thte other.
The first uses a paravirtualized or fully virtualization kernel, and is used by most recognized virtualization technologies like KVM, Xen, VirtualBox, VMware, etc. The Guests using these virtualization apps are fully isolated from each other and the Host so unless you do some major security hack you can’t ever have the scenario you describe. The XRDP protocol is typically implemented by way of using VNC to view graphical Desktops in these Guests, particularly if using the libvirt management system.

The other main virtualization is only isolation and virtual networking, but no kernel virtualiztion. On Linux, this generally means Linux containers, and main implementations particularly on openSUSE include Docker and LXC. Unless you use libvirt to manage these Guest Containers, using the XRDP protocol is an option but not necessarily implemented.

So,
Just saying… Depending on what you want to implement, you may or may not have set up what you want. If you want true prevention from ordinary Users executing operations that affect the entire machine, you are doing ti wrong by having the Users log in to the only operating system running. You need to instead define an isolated and likely virtualized environment to properly deploy isolated User environments.

TSU