Welcome to WebmasterWorld Guest from 220.127.116.11
Forum Moderators: bakedjake
It would be prudent to remove the "rx" permissions for "others", and do a "chgrp" on "shutdown" from "root" to some new group. (For example, you might call the new group.... "shutdown".) Put the vendor's account in that group.
It works without setuid'ing the shutdown binary, I've never looked into how, but it does work.
edit: I took a quick search and it's done through /usr/sbin/userhelper
[edited by: SeanW at 3:25 am (utc) on Oct. 30, 2007]
By default the user at the console can halt the box.
I can tell you that 'shutdown -h now' in an ssh terminal session on your server looks almost exactly like the same command on a terminal session on your linux desktop. It looks enough alike that one might shut down some webservers at the datacenter thinking they were shutting down their local pc :).