About 3 weeks ago I accidentally started shutting down a dom0 by leaving out the xen command ‘xl’ when trying to reboot a single guest. I aborted the reboot by running ‘/sbin/init 5’ and promised the users accidentally shut down we would remove reboot from the working path.

This required three changes. The first was to remove /sbin from PATH. Rather than editing any of the system files, I added a file /etc/profile.d/pathenv.sh that executes

PATH=$(echo "$PATH" | sed 's#:/sbin##')
export PATH

sudo has a separate path definition “secure_path” which starts with /sbin by default. I added an ansible line item to change the existing entry in /etc/sudoers to

Defaults    secure_path = /bin:/usr/sbin:/usr/bin

Finally, redhat has a package usermode wich provides /usr/bin/reboot. The package description for usermode is “usermode contains the userhelper program, which can be used to allow configured programs to be run with superuser privileges by ordinary users.” We have no need of this, and there were no packages depending on it we needed, so the package was removed. We couldn’t have removed it from older versions of CentOS as it was an indirect dependency for xen.