
List:       lids-user
Subject:    Re: [lids-user] Re: (urgent queries) LIDS 1.2 for Kernel Version
From:       Yusuf Wilajati Purna <ywpurna () users ! sourceforge ! net>
Date:       2004-03-31 14:49:27
Message-ID: 406ADA77.4090806 () users ! sourceforge ! net

Hi,

Deeptish Dey wrote:
> Hello Purna,
> 
> 
>>I think it depends on the ACLs and lids caps for the SHUTDOWN state.
>>Usually, in lids 1.1.X, a user will do 'lidsadm -S -- -LIDS_GLOBAL'
>>before rebooting/shutting down the system. This is to make sure
>>that the system can be cleanly brought down. The SHUTDOWN state
>>gives an option to set the system into a loosely protected state but
>>not so open as without protection.
>>
>>But, if with lids 1.1.X you can cleanly shut down the system, you can
>>just try first with empty lids.shutdown.conf and
>>lids.shutdown.cap in lids 1.2.X.
>>
> 
> 
> 
> Tried your suggestion: emptied lids.shutdown.conf and, moreover, allowed all 
> capabilities in lids.shutdown.cap, but the system hangs while trying 
> to ifdown eth0.
> 

Had you done "#lidsadm -S -- +SHUTDOWN" before shutting down the system?


> But the same is working in lids.1.1, and I don't have to switch to
> lids_globally OFF, just shutdown works fine. 
> 
> I guess that lids-1.1 and 1.2 work differently, and when I type shutdown 
> from the root prompt there is no way to switch to SHUTDOWN state, and in 
> POSTBOOT CAP_NET_ADMIN is 0, so it will not be able to bring down the 
> system gracefully.
> 

I am not quite sure what you mean here.
SHUTDOWN state is only the name of a state. Currently, there is no
way to switch to SHUTDOWN state without 'lidsadm -S -- +SHUTDOWN'.

> For automated rebooting for prolonged power-cut at the weekend this 
> automatic shutdown is necessary. 

Okay, maybe you can try with the configs for lids 1.1 as they are,
and just use empty lids.XXX.conf and lids.XXX.cap.

> -----------
> Also, if we do -CAP_SYS_BOOT, in POSTBOOT.cap, and RELOAD, reboot still 
> works (of course hanging while trying to bring down eth0). -CAP_SYS_BOOT 
> should stop root from using reboot(), shutdown(), init 0, init 6 etc., 
> shouldn't it?
> 

Currently, for CAP_SYS_BOOT, LIDS only treats it as in the
standard kernel. It means that disabling CAP_SYS_BOOT from the whole
system only prevents a process from calling the reboot(2) system call.
It doesn't yet prevent a process from executing init(8), reboot(8),
shutdown(8). Thus, rebooting the system when CAP_SYS_BOOT is not
available mostly ends up with the system hanging.

Regards,
purna



-- 
Yusuf Wilajati Purna <ywpurna@users.sourceforge.net>
1024D/7354A078
Key fingerprint = 7F4F 8433 C65F 3502 BC93  F529 BFDE F939 7354 A078
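
An added example, not from the thread or from the LIDS project, for the point about CAP_SYS_BOOT above, on a standard Linux kernel: it reads the effective capability mask and probes reboot(2) with invalid magic numbers, which cannot reboot anything. It assumes the usual `CapEff:` line in /proc/<pid>/status; whether LIDS's own capability state is reflected there is not established by the thread, and the function names are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#define CAP_NET_ADMIN_BIT 12  /* linux/capability.h: CAP_NET_ADMIN */
#define CAP_SYS_BOOT_BIT  22  /* linux/capability.h: CAP_SYS_BOOT  */

/* Return 1/0 if capability bit `cap` is set/clear in the CapEff line of
 * /proc/<pid>/status text, or -1 if no CapEff line is found. */
int cap_effective(const char *status_text, int cap)
{
    const char *p = strstr(status_text, "CapEff:");
    if (!p) return -1;
    unsigned long long mask = strtoull(p + 7, NULL, 16);
    return (int)((mask >> cap) & 1ULL);
}

/* Probe reboot(2) without rebooting: the kernel checks CAP_SYS_BOOT before
 * it validates the magic numbers, so bogus magics give EPERM when the
 * capability is missing and EINVAL when it is present. */
int reboot_syscall_permitted(void)
{
    errno = 0;
    long r = syscall(SYS_reboot, 0, 0, 0, NULL);
    if (r == -1 && errno == EINVAL) return 1;
    if (r == -1 && errno == EPERM) return 0;
    return -1; /* unexpected result, e.g. a filtered syscall */
}

int main(void)
{
    char buf[4096] = "";
    FILE *f = fopen("/proc/self/status", "r");
    if (f) { size_t n = fread(buf, 1, sizeof buf - 1, f); buf[n] = '\0'; fclose(f); }
    printf("CAP_NET_ADMIN effective: %d\n", cap_effective(buf, CAP_NET_ADMIN_BIT));
    printf("CAP_SYS_BOOT effective:  %d\n", cap_effective(buf, CAP_SYS_BOOT_BIT));
    printf("reboot(2) permitted:     %d\n", reboot_syscall_permitted());
    /* Executing shutdown(8) is a file-permission question, not a capability one. */
    printf("/sbin/shutdown executable: %d\n", access("/sbin/shutdown", X_OK) == 0);
    return 0;
}
```

A process can report 0 for "reboot(2) permitted" and still 1 for the shutdown binary, which is the situation described above: the shutdown sequence starts, then the final system call is refused.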


