
Suppose a non-root user with sudo privileges executes a delayed shutdown (shutdown +10 or whatever) and logs out. Then, before the shutdown occurs, he wants to log back in and cancel the shutdown. The problem is that shutdown creates /etc/nologin, and login only allows root to log in when that file exists... is it possible to create an exception from this for a user?

If not, what would be the best way to let a user initiate a delayed shutdown, then logging in and cancelling it at a later point?

  • One could maybe use shutdown now with the at scheduler as a workaround.
    – jw013
    Commented Aug 2, 2011 at 16:15

5 Answers


If your system uses PAM, the login denial when /etc/nologin exists is triggered by the pam_nologin module.

You can skip the pam_nologin invocation for users matching certain criteria with pam_succeed_if. For example, if you want to allow users in the adm group to log in on a text console even if /etc/nologin exists, add the following line to /etc/pam.d/login just before the line with auth requisite pam_nologin.so:

auth [default=ignore success=1] pam_succeed_if.so quiet user ingroup adm
  • This answer makes sense and matches what it says in the man pages for pam.d and pam_succeed_if perfectly, but doesn't work for me on Arch Linux 5.12.
    – Vince
    Commented Jun 22, 2021 at 2:55
  • This PAM option does not work anymore under OpenSSH 8.8p1 if the UsePAM no option is used. It would actually check /etc/nologin after the authenticated session has been established and the TTY opened.
    Commented Feb 19, 2022 at 20:46

Vesa K's version of Ryan Novosielski's answer works for me, but the lines are in:

/etc/pam.d/sshd

not:

/etc/pam.d/login

In my case, I just want UID 1000 under Ubuntu 14.04 LTS to be allowed to log in via SSH.

# Disallow non-root logins when /etc/nologin exists.
account [success=1 default=ignore] pam_succeed_if.so quiet uid eq 1000
account    required     pam_nologin.so
  • Thanks for pointing out the separate pam.d/ssh configuration that may be needed. I edited @Gilles answer above to include it. Some people don't read all the answers before leaping into action... :-)
    – dave58
    Commented Feb 4, 2022 at 1:32
  • Thanks a lot! In 22.04.1-Ubuntu it is "account". For SSH login you do not even need to alter /etc/pam.d/login; only /etc/pam.d/sshd was sufficient. This is good for security and prevents issues that would have to be addressed from remote. Like it!
    Commented Feb 4 at 9:50

Gilles's answer above is very good, but note you must match the "type" with pam_nologin.so's type. So for example, on my RHEL5 system:

account [default=1 success=ignore] pam_succeed_if.so quiet user ingroup nx
account required     pam_nologin.so

...if I used auth, as the other answer requested, it wouldn't work.

  • I'm sure this is accurate for RHEL5 and for when it was written. On my Arch system, the type used for pam_nologin.so is auth. So, Gilles's answer would be more correct for me. Unfortunately, it didn't work for me on Arch Linux. I also tried changing the type for both rules to account.
    – Vince
    Commented Jun 22, 2021 at 3:01

I'm not sure if it is possible to override the /etc/nologin creation/usage without dirty tricks. But for your purpose, you can use a function like this:

off () {
   # Marker file: delete it before the delay expires to cancel the shutdown.
   touch /tmp/GOING-DOWN
   # Wait $1 seconds (default 1), then power off only if the marker still exists.
   # Note: this runs in the foreground of the current shell, so start it under
   # nohup, screen or tmux if you intend to log out while it is waiting.
   sudo sh -c "sleep ${1-1} && [ -f /tmp/GOING-DOWN ] && /sbin/poweroff"
}

Upon re-login, deleting the file /tmp/GOING-DOWN will prevent shutdown.

edit: Added a simple way to cancel the shutdown.


I tried Ryan's rule today and found out that Gilles's and Ryan's answers both have the success/default rules "reversed": nologin blocks only the nx group. This is how I implemented this rule (the nx group is not blocked by nologin).

account [success=1 default=ignore] pam_succeed_if.so quiet user ingroup nx
account required     pam_nologin.so
  • The man page for pam.d doesn't say anything about the order of the values. It does refer to default as "the last of these", but I believe that's only referring to the order in which they appear in the man page. In any case, I tried the answers from Gilles, Ryan, and you without success on Arch Linux.
    – Vince
    Commented Jun 22, 2021 at 3:07
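The answers above disagree about which way round success= and default= should go. The following is an added example (not code from any answer or from Linux-PAM itself) that simulates how the PAM control-flag walk treats the rule variants quoted above, assuming /etc/nologin exists so pam_nologin fails for every non-root user; the stack strings and the user records are constructed for the demonstration.

```python
import re
# Constructed stacks reproducing the rule variants quoted in the answers.
GILLES_RULE = ("auth [default=ignore success=1] pam_succeed_if.so quiet user ingroup adm\n"
               "auth requisite pam_nologin.so\n")
REVERSED_RULE = ("account [default=1 success=ignore] pam_succeed_if.so quiet user ingroup nx\n"
                 "account required pam_nologin.so\n")
UID_RULE = ("account [success=1 default=ignore] pam_succeed_if.so quiet uid eq 1000\n"
            "account required pam_nologin.so\n")
# type, control ([...] or a keyword), module, optional arguments
LINE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
def parse_control(token):
    """Map a control field to a dict of result -> action (Linux-PAM syntax)."""
    if token in ("required", "requisite"):
        return {"success": "ok", "default": "bad" if token == "required" else "die"}
    return dict(kv.split("=") for kv in token.strip("[]").split())

def succeed_if(args, user):
    """Evaluate the pam_succeed_if conditions used in the answers."""
    conds = [a for a in args if a != "quiet"]
    for field, op, value in zip(conds[0::3], conds[1::3], conds[2::3]):
        if (field, op) == ("user", "ingroup"):
            ok = value in user["groups"]
        elif (field, op) == ("uid", "eq"):
            ok = user["uid"] == int(value)
        else:
            raise ValueError("unsupported condition: %s %s %s" % (field, op, value))
        if not ok:
            return "default"
    return "success"

def nologin_allows(stack, user, nologin_exists=True):
    """Walk the stack top to bottom; True if pam_nologin does not block the user."""
    lines = [LINE_RE.match(l).groups() for l in stack.splitlines() if l.strip() and l[0] != "#"]
    i, failed = 0, False
    while i < len(lines):
        _type, control, module, argstr = lines[i]
        if module == "pam_succeed_if.so":
            result = succeed_if(argstr.split(), user)
        elif module == "pam_nologin.so":  # fails for non-root while /etc/nologin exists
            result = "success" if user["uid"] == 0 or not nologin_exists else "default"
        else:
            raise ValueError("unsupported module: " + module)
        ctl = parse_control(control)
        action = ctl.get(result, ctl.get("default", "bad"))
        if action == "die":
            return False
        if action == "bad":
            failed = True
        i += 1 + (int(action) if action.isdigit() else 0)  # N means skip the next N modules
    return not failed
```

Running the three stacks shows that [success=1 default=ignore] exempts exactly the matched users, while [default=1 success=ignore] exempts everyone except them, which is the reversal Vesa K observed.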
