Vulnerability Development mailing list archives
Re: Non-priv'ed users able to reboot RH 7.0?
From: packetWhore <packetwhore () STARGATE NET>
Date: Sat, 7 Oct 2000 20:11:57 -0400
I noticed the same thing on RH6.1... Only it would ask me for a password but I only had to enter my normal user password not the root password... didn't think much of it because I had locked it down pretty well and it was only a personal box.. I have since moved to Slack 7... not sure why that is... pW On Sat, 7 Oct 2000, Joe Testa wrote:
Hi. I've found on my personal Redhat 7.0 system that any unprivilaged user can issue a 'reboot' command to reboot the machine. I have another RH 7 box, but I haven't been able to reproduce it on that one. Both systems were installed using the "Custom" option, and on clean HDs. My personal system has GNOME installed and other necessary items. The other system is a webserver, so it has very little on it besides apache, gcc, etc... Here's an example: sh-2.04$ uname -a Linux virtue 2.2.16-22 #1 Tue Aug 22 16:49:06 EDT 2000 i686 unknown sh-2.04$ id uid=99(nobody) gid=99(nobody) groups=99(nobody) sh-2.04$ reboot Broadcast message from root (tty1) Sat Oct 7 16:02:49 2000... The system is going down for reboot NOW !! ... ... ____________________________________ sh-2.04$ reboot reboot: must be superuser. sh-2.04$ Can anyone else reproduce this? - Joe Testa
Current thread:
- Non-priv'ed users able to reboot RH 7.0? Joe Testa (Oct 07)
- Re: Non-priv'ed users able to reboot RH 7.0? Gordon Messmer (Oct 07)
- Re: Non-priv'ed users able to reboot RH 7.0? Matt Wilson (Oct 07)
- Re: Non-priv'ed users able to reboot RH 7.0? packetWhore (Oct 07)
- Re: Non-priv'ed users able to reboot RH 7.0? Aaron Campbell (Oct 08)
- Re: Non-priv'ed users able to reboot RH 7.0? Andrew Griffiths (Oct 08)