Why Restart & Shutdown Buttons on login screen

Todd Denniston Todd.Denniston at ssa.crane.navy.mil
Fri Apr 25 17:52:36 UTC 2008


Berna Massingill wrote, On 04/25/2008 12:02 PM:
> On Fri, Apr 25, 2008 at 09:31:34AM -0500, Aaron Konstam wrote:
> 
>>>  On Fri, 2008-04-25 at 15:47 +0200, Ralf Corsepius wrote:
>>>  > On Fri, 2008-04-25 at 07:16 -0500, Aaron Konstam wrote:
>>>  > > On Fri, 2008-04-25 at 14:02 +0530, "Rahul Tidke" wrote:
>>>  > > > Hello All,
>>>  > > >   I wonder about these buttons on gnome desktop; do we really need these
>>>  > > > buttons on login screen? Reboot and shutdown allowed before login for any
>>>  > > > user??
>>>  > > > 
>>>  > > > Thank You.
>>>  > > I find these buttons very useful. My machine double boots. Sometimes I
>>>  > > make a mistake  and allow the machine to boot to the wrong OS. Using
>>>  > > these buttons I can correct the situation. Other times I boot my machine
>>>  > > and I realize before I login that I really wanted to shutdown the
>>>  > > machine.
>>>  > 
>>>  > "your" machine => single-user environment.
>>>  
>>>  > 
>>>  > > But I am confused by your question. How does this extra functionality hurt
>>>  > > you or anyone else?
>>>  > Do you expect arbitrary users to switch off an unattended ("free")
>>>  > machine in a lab's or an office's machine pool, a classical workstation
>>>  > scenario?
>>>  
>>>  I assume said machine does not have an on off button. We have this situation
>>>   in the lab at the college; 100 of them. A sign warns people not to do what 
>>>  you think they should not do. And it mostly works.
> 
> Emphasis on "mostly" :-).  (I work at the college in question.)  
> 
>>>  It is especially important in this environment because we have
>>>  multi-machine programs running on machines that look like they are just
>>>  sitting there.
> 
> Quite.  Training people not to reboot at the first sign of
> trouble has not been 100% effective either.  The multi-machine
> programs Aaron mentions sometimes need to run for days or weeks to
> produce results, so reboots and shutdowns have real consequences.
> Eventually the author of these programs found time to add a
> checkpointing capability.  User training only goes so far, after
> all, and mistakes are sometimes made.
> 
>>>  > Q: How to disable these buttons permanently?
> 
> I'm hoping someone will come up with an answer to this question.
> The "shutdown" menu option (once one is logged in) is particularly
> a problem in that it seems all too easy to select accidentally
> when one is trying to log out.
> 
> -- blm
> 

Mostly replying to Chris. Williams, but doing it from the portion of the 
thread with much more info.

A CISSP with enough information about the use case would not throw a fit. 
Fits are generally perceived as unprofessional.
The CISSP would document the risks that [s]he perceived, of having power 
switches (both hardware and software) available for folks at the physical 
machine to press, and make sure A) it is legal for the data to be risked this 
way, B) operating within the organization's security policy and C) that the 
appropriate level of management and the data owner understood and accepted the 
risk (signed off that they approve).  CISSPs understand: there is a balance to 
life, even if it means working somewhere more security aware.

In this case it _reads_ like having the PHYSICAL switches available is 
probably not a big problem for the data owner[2], and with the training they 
are giving it is easy enough to tape a big `don't press here` sign over the 
button (as even in Windows NOW the button is being trained into users as a LAST 
resort).  And they believe that the software switch is being hit mostly out of 
accident (too close to the log out selection) or forgetfulness (habit of doing 
a graceful shutdown on their own machines when done).

The problem is that they perceive there is no (obvious) place for the 
administrator to tweak the UIs such that only root can run the software switch.
Even if they did not have long running jobs on the systems, the reasons to 
software restrict[1] physically local users from shutting down the system 
would include:
1) it is rude to make the next user wait for the machine to power up.
2) the computer lab wants to keep itself warm with the exhaust from the computers.
3) the computer lab wants to see the same power bill each month.
4) the computer lab does not want to see power cycles hitting their hard drives.
5) the sound energy in the lab is too bursty without all the fans going.

Note: Rahul indicated PolicyKit might be able to help.
	I would have thought one of the switches might be able to be removed from GDM 
config.

[1] so that it is not an easy accident that the system got shut down.
because even if you remove the physical shutdown switch, there is always the 
power cord, but both the cord and switch are not accidental.
OK the switch could be an accident if you are using a 15 year old computer 
with a real toggle switch instead of that thing that runs to the motherboard. :)

[2] though nothing indicates the legality or that they are following the 
security policy.

-- 
Todd Denniston
Crane Division, Naval Surface Warfare Center (NSWC Crane)
Harnessing the Power of Technology for the Warfighter



