# shutdown permission to user



## lezde716 (Sep 17, 2010)

Hi guys...

I'm new to FreeBSD. I want to give a user permission only to shut down or reboot. How do I do this? Please help.


----------



## graudeejs (Sep 17, 2010)

Depends on how you want to do that, and what desktop environment you use.
Personally I use sudo.

Make group users, add users to this group.
In sudofile (using *visudo*) add

```
%users  ALL = (ALL) NOPASSWD: /sbin/shutdown -p now
%users  ALL = (ALL) NOPASSWD: /sbin/shutdown -r now
```

Now users can shut down/reboot with `$ sudo /sbin/shutdown -p now` or `$ sudo /sbin/shutdown -r now`.
You can integrate this in your Window Manager / Desktop Environment as a menu item.


----------



## Beastie (Sep 17, 2010)

Or you can avoid using third-party applications, but then you must be a member of the *operator* group:
`# pw group mod operator -m lezde`
Check the handbook.

`% shutdown -p now` will work now.


----------



## graudeejs (Sep 17, 2010)

What else can the operator group do?


----------



## Beastie (Sep 17, 2010)

Mount devices.


----------



## lezde716 (Sep 21, 2010)

Thanks everybody...


----------



## alx82 (Apr 27, 2018)

I have a user that belongs to the operator group on a FreeBSD 11.1 installation; the user is able to shut down the system with:


```
% shutdown -p now
```

But reboot gives a permission denied error:

```
% reboot
reboot: Operation not permitted
```


----------



## ShelLuser (Apr 27, 2018)

alx82 said:


> But reboot gives a permission denied error


Easily explained:


```
peter@unicron:/home/peter $ ls -l /sbin/shutdown
-r-sr-xr--  2 root  operator  17288 Mar 25 11:27 /sbin/shutdown*
peter@unicron:/home/peter $ ls -l /sbin/reboot
-r-xr-xr-x  4 root  wheel  11008 Mar 25 11:27 /sbin/reboot*
```
The only trick being done here is that shutdown has been set up with suid (set userid bit) while it's owned by root. As a direct result anyone who executes that program will do so as root. As a precaution they set the permission bits to 554 so that only root and the operator group can execute it.

But reboot doesn't follow the same logic.

You could override this behavior by issuing `# chmod 4554 /sbin/reboot && chgrp operator /sbin/reboot` but I'm not too sure if that's a good idea. If other processes not owned by root rely on reboot then you could easily break things.

The other problem is that these permissions are likely going to get reset as soon as you upgrade the system.


----------
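
The explanation above, as an added example that is not part of the original thread: a POSIX sh script that reads the two `ls -l` lines from the post and reports who can execute each file and with whose privileges, plus a baseline check that flags a changed mode or group (such as after the `chmod`/`chgrp` mentioned, or after an upgrade resets it). The function names `explain` and `matches_baseline` and the third sample line are made up for this example.

```shell
#!/bin/sh
# Added example: function names are hypothetical; the first two sample lines are
# copied from the listing in the post, the third is constructed.
SHUTDOWN_LINE='-r-sr-xr--  2 root  operator  17288 Mar 25 11:27 /sbin/shutdown*'
REBOOT_LINE='-r-xr-xr-x  4 root  wheel  11008 Mar 25 11:27 /sbin/reboot*'
CHANGED_LINE='-r-sr-xr--  4 root  operator  11008 Mar 25 11:27 /sbin/reboot*'

# Report who may execute the file in an `ls -l` line and whose privileges it gets.
# Simplified: the owner, group and other classes are looked at independently.
explain() {
    # ls -l fields: mode links owner group size month day time path
    set -f; set -- $1; set +f                # split on blanks without globbing "*"
    mode=$1 owner=$3 group=$4 path=${9%\*}   # drop the "*" marker from ls -F
    u=$(printf %s "$mode" | cut -c4)         # owner execute slot: x, s, S or -
    g=$(printf %s "$mode" | cut -c7)         # group execute slot
    o=$(printf %s "$mode" | cut -c10)        # other execute slot
    case $o in
        x|t) who=everyone ;;
        *)  who=
            case $u in x|s) who=$owner ;; esac
            case $g in x|s) who="${who:+$who and }group $group" ;; esac
            : "${who:=nobody}" ;;
    esac
    # A lowercase "s" in the owner slot means setuid plus execute: the program
    # runs with the owner's effective uid, whoever started it.
    case $u in
        s) as="$owner (setuid)" ;;
        *) as="the calling user" ;;
    esac
    printf '%s: executable by %s, runs as %s\n' "$path" "$who" "$as"
}

# Succeed only if the line still has the expected mode, owner and group.
matches_baseline() {   # usage: matches_baseline "<ls -l line>" mode owner group
    line=$1 want="$2 $3 $4"
    set -f; set -- $line; set +f
    [ "$1 $3 $4" = "$want" ]
}

explain "$SHUTDOWN_LINE"
explain "$REBOOT_LINE"
for l in "$REBOOT_LINE" "$CHANGED_LINE"; do
    matches_baseline "$l" -r-xr-xr-x root wheel || echo "changed from baseline: $l"
done
```

On a live system, pass the output of `ls -l /sbin/shutdown /sbin/reboot` line by line instead of the embedded samples.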



## alx82 (Apr 27, 2018)

I don't understand why reboot and shutdown have different permission bits and different group ownership; this is a bit counter-intuitive.


----------



## ShelLuser (Apr 27, 2018)

Can't really explain that one either. My guess is because both programs do essentially different things. Reboot can actually change your system (for example by telling it to boot a different kernel) whereas shutdown merely does just that.

It does seem a little inconsistent but even so: direct use of reboot is usually a bad idea anyway, so it's not that problematic to reserve its use only for system administrators.


----------



## PacketMan (Apr 27, 2018)

alx82 said:


> I have a user that belongs to the operator group on a FreeBSD 11.1 installation; the user is able to shut down the system with:
>
> ...



Any reason you require to use reboot? Why not `shutdown -r now`?


----------



## alx82 (Apr 27, 2018)

No special reason, I was just wondering, since I typed that command and it gave me permission denied. I used to think that the group operator was enough.


----------



## SirDice (Apr 30, 2018)

Don't use the reboot(8) command. It doesn't shut down services, it kills them.


----------

