On 2020-11-08 11:33:30, Dave Stevens wrote:
> On Sun, 8 Nov 2020 14:19:53 -0500
> Jamie Fargen <jamie@fargenable.com> wrote:
>
> > If you have physical access it is trivial to gain root to the host, by
> > booting into single user mode and changing the root password.
>
> you mean it won't work over ssh?

There seem to be some linguistic misunderstandings here. What is a "root user"? I see that as somebody logged in as root. Anybody else has an account with sudo enabled, a sudoer. Anybody else is a user, as is a sudoer when not prefixing commands with "sudo ". I interpreted "root user" to be somebody logged in using the root password, not somebody who can run (some) root level commands using sudo instead of "su -l".

You have two classes of login, remote and local. Remote can be subdivided if you wish. It simply means the remote user cannot reach over and push a button to physically reboot the machine. (And in at least one version of RedHat Linux I used, even the local reboot to single user mode required a password. That restriction didn't last long as I recall.)

As a courtesy ANYBODY, root, sudoer, or user logged into a local (I can reach over and push a damn button if I have to) machine should be able to reboot, perhaps after some politeness mumbo-jumbo. ("Fred, sue, marcy, meghan, george, johnj, and johna are logged in. Reboot anyway after warning them? y/n".) That allows the user about to pull the power switch a chance to be inhumanly polite. But, in the end, the reboot should happen. Perhaps if root is also logged in the mumbo-jumbo should be a little more serious.

Any user logged in remotely should not be able to reboot the machine, period, end of statement.

Any sudoer logged in remotely, when root is not logged in, should be able to reboot the machine after politeness mumbo-jumbo and rituals. If root is logged in I don't know what should happen. How much do you trust your root password or other account access? If you trust it implicitly, reboot should be prohibited even to sudoers. If you figure that the root account may get compromised and that "root" you see is not legitimate, then sudoers, people trusted more than most, should be able to reboot the machine hoping to catch it as it boots and close its doors. "Good luck".

If you log in as root or su -l in as root then shutting down the machine with "shutdown" should work with the standard politeness mumbo-jumbo and "shutdown now" should bring it down instantly.

Aside: Above this you might add a "shutdown (secret word here)" command that allows only a remote or local root login with the machine in a "dumb" state. The remote would be accepted only from one specific IP address range. Once logged in, a specific sequence of commands would enable normal root access for that login. Then you can troubleshoot the machine and try to root out nasties before they manage to take the machine back away from you.

Now that there is a definition for local and remote logins and three account types what do YOU guys think should be the actions when "shutdown" is typed by some warm body at some keyboard somewhere that is somehow linked to any given machine?

Get specific and blow the generalities.

{^_^}
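Added example, not code from anyone in this thread: one way to encode the reboot policy sketched above (local vs remote session, root/sudoer/user, and the "do you trust your root password" choice) as a shell wrapper around shutdown(8). The function names, the sudo/wheel group check and the tty-name test for a local console are my assumptions.

```shell
# Verdicts: allow (no prompt), ask (list other sessions, require y), deny.
# TRUST_ROOT=yes means a visible root session is assumed legitimate;
# TRUST_ROOT=no means sudoers may still reboot to evict a suspect root.

# session_kind: "local" or "remote" for the shell this runs in.
# Assumption: sshd sets SSH_CONNECTION; consoles are /dev/ttyN or /dev/console.
session_kind() {
    if [ -n "${SSH_CONNECTION:-}" ]; then echo remote; return; fi
    case "$(tty 2>/dev/null)" in
        /dev/tty[0-9]*|/dev/ttyS*|/dev/console) echo local ;;
        *) echo remote ;;
    esac
}

# account_kind: "root", "sudoer" (member of sudo or wheel) or "user".
account_kind() {
    if [ "$(id -u)" -eq 0 ]; then echo root; return; fi
    case " $(id -Gn) " in
        *" sudo "*|*" wheel "*) echo sudoer ;;
        *) echo user ;;
    esac
}

# reboot_policy ACCOUNT LOCATION ROOT_LOGGED_IN TRUST_ROOT -> allow|ask|deny
reboot_policy() {
    account=$1; location=$2; root_in=$3; trust_root=$4
    case "$account/$location/$root_in/$trust_root" in
        root/*)                echo allow ;;  # root: shutdown does its own warning
        */local/*)             echo ask   ;;  # anyone at the console may reboot
        user/remote/*)         echo deny  ;;  # remote plain users: never
        sudoer/remote/no/*)    echo ask   ;;  # remote sudoer, no root session
        sudoer/remote/yes/yes) echo deny  ;;  # trusted root session: leave it
        sudoer/remote/yes/no)  echo ask   ;;  # suspect root session: let sudoers act
        *)                     echo deny  ;;  # anything unrecognised fails closed
    esac
}

# guarded_reboot TRUST_ROOT: apply the policy to the calling session.
guarded_reboot() {
    root_in=no; who | grep -q '^root ' && root_in=yes
    case "$(reboot_policy "$(account_kind)" "$(session_kind)" "$root_in" "$1")" in
        deny) echo "reboot refused for this session" >&2; return 1 ;;
        ask)  others=$(who | awk -v me="$(id -un)" '$1 != me {print $1}' | sort -u | tr '\n' ' ')
              printf '%slogged in. Reboot anyway after warning them? y/n ' "${others:-Nobody else }"
              read ans; [ "$ans" = y ] || return 1 ;;
    esac
    sudo shutdown -r +1 "Reboot requested by $(id -un); save your work."
}
```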