
Suppose a non-root user with sudo privileges executes a delayed shutdown (shutdown +10 or whatever) and logs out. Then, before the shutdown occurs, he wants to log back in and cancel the shutdown. The problem is that shutdown creates /etc/nologin, and login only allows root to log in when that file exists... is it possible to create an exception from this for a user?

If not, what would be the best way to let a user initiate a delayed shutdown, then log in and cancel it at a later point?

suszterpatt

5 Answers


If your system uses PAM, the login denial when /etc/nologin exists is triggered by the pam_nologin module.

You can skip the pam_nologin invocation for users matching certain criteria with pam_succeed_if. For example, if you want to allow users in the adm group to log in on a text console even if /etc/nologin exists, add the following line to /etc/pam.d/login just before the line with auth requisite pam_nologin.so:

auth [default=ignore success=1] pam_succeed_if.so quiet user ingroup adm
Gilles 'SO- stop being evil'
  • This answer makes sense and matches what it says in the `man` pages for `pam.d` and `pam_succeed_if` perfectly, but doesn't work for me on Arch Linux 5.12. – Vince Jun 22 '21 at 02:55
  • This PAM option does not work anymore under OpenSSH 8.8p1 if `UsePAM no` option is used. It would actually check the `/etc/nologin` after authenticated session has been established and TTY opened. – John Greene Feb 19 '22 at 20:46

Vesa K's version of Ryan Novosielski's answer works for me, but the lines are in:

/etc/pam.d/sshd

not:

/etc/pam.d/login

In my case, I just want UID 1000 under Ubuntu 14.04 LTS to be allowed to log in via SSH.

# Disallow non-root logins when /etc/nologin exists.
account [success=1 default=ignore] pam_succeed_if.so quiet uid eq 1000
account    required     pam_nologin.so
Tony Travis
  • Thanks for pointing out the separate pam.d/ssh configuration that may be needed. I edited @Gilles's answer above to include it. Some people don't read all the answers before leaping into action... :-) – dave58 Feb 04 '22 at 01:32

Gilles's answer above is very good, but note you must match the "type" with pam_nologin.so's type. So for example, on my RHEL5 system:

account [default=1 success=ignore] pam_succeed_if.so quiet user ingroup nx
account required     pam_nologin.so

...if I used auth, as the other answer requested, it wouldn't work.

  • I'm sure this is accurate for RHEL5 and when it was written. On my Arch system, the _type_ used for `pam_nologin.so` is `auth`. So, Gilles's answer would be more correct for me. Unfortunately, it didn't work for me on Arch Linux. I also tried changing the _type_ for both rules to `account`. – Vince Jun 22 '21 at 03:01

I'm not sure if it is possible to override the /etc/nologin creation/usage without dirty tricks. But for your purpose, you can use a function like this:

off () { 
   # Marker file: delete it before the delay expires to cancel the poweroff.
   touch /tmp/GOING-DOWN
   # Cache sudo credentials now, so the detached timer below never needs a password prompt.
   sudo -v
   # nohup + & keep the timer alive after logout; ${1-1} is the delay in seconds (default 1).
   nohup sudo sh -c "sleep ${1-1} && [ -f /tmp/GOING-DOWN ] && /sbin/poweroff" >/dev/null 2>&1 &
}

Upon re-login, deleting the file /tmp/GOING-DOWN will prevent shutdown.

edit: Added a simple way to cancel the shutdown.

rozcietrzewiacz

I tried Ryan's rule today and found out that Gilles's and Ryan's answers both have the success/default rules "reversed": nologin blocks only the nx group. This is how I implemented this rule (the nx group is not blocked by nologin).

account [success=1 default=ignore] pam_succeed_if.so quiet user ingroup nx
account required     pam_nologin.so
Vesa K
  • The `man` page for `pam.d` doesn't say anything about the order of the values. It does refer to `default` as "the last of these", but I believe that's only referring to the order in which they appear in the `man` page. In any case, I tried the answers from Gilles, Ryan, and you without success on Arch Linux. – Vince Jun 22 '21 at 03:07
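The three PAM answers above (Gilles's `[default=ignore success=1]` line, Ryan's note that the type must match `pam_nologin.so`'s type, and Vesa K's observation that `[default=1 success=ignore]` flips who gets blocked) all come down to how PAM walks a stack. The script below is an added example, not code from any of the answers: a small POSIX sh simulator that parses constructed stack samples modelled on the thread (group name `nx`, types `auth`/`account`) and reports whether control reaches `pam_nologin.so` for a user who matches `pam_succeed_if` and for one who does not. It models only the constructs these answers use (`required`, the bracketed `[success=... default=...]` form with `ignore` or a jump count, one conditional module), so it is a way to check a candidate line before editing `/etc/pam.d/login` or `/etc/pam.d/sshd`, not a replacement for testing on the real system.

```shell
#!/bin/sh
# Added example: simulate how PAM walks one stack (auth or account) so the
# effect of [success=1 default=ignore] in front of pam_nologin.so is visible.
# Modelled: keywords like "required"/"requisite", the bracketed control form
# with actions "ignore" or a jump count, pam_succeed_if.so as the conditional
# module, pam_nologin.so as the module whose consultation is reported.

# nologin_consulted STACK MATCH TYPE
#   STACK: PAM lines, newline separated (as in /etc/pam.d/login or sshd)
#   MATCH: 1 if pam_succeed_if's condition holds for the user, 0 otherwise
#   TYPE:  the stack being evaluated ("auth" or "account")
# Prints "consulted" if control reaches pam_nologin.so, "skipped" otherwise.
nologin_consulted() {
    stack=$1 match=$2 want_type=$3 skip=0
    while read -r line; do
        case "$line" in ''|'#'*) continue ;; esac     # blank lines and comments
        set -- $line
        type=$1; shift
        [ "$type" = "$want_type" ] || continue        # other stacks don't interact
        control=$1; shift
        case "$control" in
            \[*)  # bracketed control may span several words: rejoin up to the ']'
                while [ "${control%]}" = "$control" ]; do control="$control $1"; shift; done
                control=${control#[}; control=${control%]} ;;
        esac
        module=$1
        if [ "$skip" -gt 0 ]; then skip=$((skip - 1)); continue; fi   # jumped over
        case "$module" in
            pam_nologin.so) echo consulted; return 0 ;;
            pam_succeed_if.so)
                # pick the action for this user's outcome: success=... or default=...
                if [ "$match" = 1 ]; then key=success; else key=default; fi
                action=ignore
                for tok in $control; do
                    case "$tok" in "$key"=*) action=${tok#*=} ;; esac
                done
                case "$action" in ignore) ;; *) skip=$action ;; esac ;;
        esac
    done <<EOF
$stack
EOF
    echo skipped
}

# Constructed samples modelled on the answers in this thread (group "nx").
STACK_OK='account [success=1 default=ignore] pam_succeed_if.so quiet user ingroup nx
account required pam_nologin.so'

STACK_REVERSED='account [default=1 success=ignore] pam_succeed_if.so quiet user ingroup nx
account required pam_nologin.so'

STACK_WRONG_TYPE='auth [success=1 default=ignore] pam_succeed_if.so quiet user ingroup nx
account required pam_nologin.so'

# Evaluate the account stack for a group member (1) and a non-member (0).
for name in STACK_OK STACK_REVERSED STACK_WRONG_TYPE; do
    eval "s=\$$name"
    printf '%-16s member: %-9s non-member: %s\n' "$name" \
        "$(nologin_consulted "$s" 1 account)" "$(nologin_consulted "$s" 0 account)"
done
```

For `STACK_OK` a member skips `pam_nologin.so` and a non-member is still checked, which is the intended behaviour; for `STACK_REVERSED` the outcomes swap (the member is the one blocked, as Vesa K found); and for `STACK_WRONG_TYPE` the `auth` line never influences the `account` stack, so `pam_nologin.so` is consulted for everyone, which is Ryan's point about matching the type.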