How to make /sbin/shutdown, /sbin/reboot etc. require sudo again in 16.04?
Systemd does indeed handle the shutdown
, reboot
and other commands, and the default privileges assigned are permissive. To change this, you need to create a Polkit rule. Create a .pkla
file in /etc/polkit-1/localauthority/50-local.d
(say, confirm-shutdown.pkla
) containing:
[Confirm shutdown]
Identity=unix-user:*
Action=org.freedesktop.login1.*
ResultActive=auth_admin_keep
The various shutdown, reboot, etc. commands are, in Polkit terms, actions in org.freedesktop.login1
, for example, org.freedesktop.login1.power-off
, org.freedesktop.login1.reboot
, etc. The specific problem here is the default configuration, which is in /usr/share/polkit-1/actions/org.freedesktop.login1.policy
:
<action id="org.freedesktop.login1.power-off">
<description>Power off the system</description>
...
<defaults>
<allow_any>auth_admin_keep</allow_any>
<allow_inactive>auth_admin_keep</allow_inactive>
<allow_active>yes</allow_active>
</defaults>
Note that it allows the active user to power off, reboot, etc.
Related videos on Youtube
![Byte Commander](https://i.stack.imgur.com/m8DYH.jpg?s=256&g=1)
Byte Commander
Ask Ubuntu moderator♦, IT student and DevOps engineer. I love Ubuntu, Python, good music and coffee, although not necessarily in that order. You can easily contact me in the Ask Ubuntu General Room most of the time, or on Discord as @ByteCommander#2800. I'd also love to invite you to my Ubuntu Hideout Discord Server btw. PS: My profile picture is derived from "Wolf Tribals" by user HaskDitex (DeviantArt.com), which is under creative Commons 3.0 License. Currently I'm using the character "Dregg Morriss" from the game "Medieval Cop" by Vasant Jahav ("Gemini Gamer"). It can be found here.
Updated on September 18, 2022Comments
-
Byte Commander almost 2 years
For whatever reason, we do no longer need to be root (or using
sudo
) to run/sbin/shutdown
,/sbin/reboot
etc.This seems to be because those executables are now symlinks to
/bin/systemctl
which handles everything as normal user.However, what if I want
shutdown
andreboot
to require root authentication again? How can I achieve this?-
muru about 8 yearsI'd guess polkit rules. Modify askubuntu.com/a/570969/158442 as per need (use
pkaction | grep login1
for other rules of interest) -
muru about 8 years(an example of rules for requiring admin privileges: askubuntu.com/a/744094/158442)
-
ognjen almost 8 yearsIsn't this a only if you are the only person logged in. If there is anyone else logged in the system you will be asked to put in the root password.
-
Damien over 7 yearsThat may be not the answer you are expecting, but a similar behaviour can be caused by another admin user having editted your '/etc/sudoers'. If this is what is causing your issue then you can change it back by typing
sudo visudo
and check if there is a line with the path to these executables.
-
-
Byte Commander almost 8 yearsThe "wheel" group is a thing of Arch Linux and maybe other distributions, but definitely not on Ubuntu btw.
-
Anish almost 8 yearsWhat's to stop a non-root user from simply bypassing this script?
-
Anish almost 8 yearsThis is not effective. A user can just download a systemctl binary from somewhere else, and run that instead.
-
chevydog almost 8 years@Robie, you could do that with any solution. You could hold down the power button. My solution works for what he asks.
-
Elder Geek over 7 yearsNote that attempting to change the permissions of the link will change the permissions of the target (in this case
/bin/systemctl
) so running chmod /sbin/shutdown will impact all the links pointing to/bin/systemctl
as the permissions tobin/systemctl
will be changed as confirmed by the command $ll /bin/systemct
l -rwx------ 1 root root 659848 Jan 18 16:04 /bin/systemctl* -
Elder Geek over 7 yearsIf you need to change it back, the default permissions are
-rwxr-xr-x 1 root root 659848 Jan 18 16:04 /bin/systemctl