How to make /sbin/shutdown, /sbin/reboot etc. require sudo again in 16.04?


Systemd does indeed handle the shutdown, reboot and other commands, and the default privileges assigned are permissive. To change this, you need to create a Polkit rule. Create a .pkla file in /etc/polkit-1/localauthority/50-local.d (say, confirm-shutdown.pkla) containing:

[Confirm shutdown]
Identity=unix-user:*
Action=org.freedesktop.login1.*
ResultActive=auth_admin_keep

The various shutdown, reboot, etc. commands are, in Polkit terms, actions in org.freedesktop.login1, for example, org.freedesktop.login1.power-off, org.freedesktop.login1.reboot, etc. The specific problem here is the default configuration, which is in /usr/share/polkit-1/actions/org.freedesktop.login1.policy:

<action id="org.freedesktop.login1.power-off">
        <description>Power off the system</description>
        ...
        <defaults>
                <allow_any>auth_admin_keep</allow_any>
                <allow_inactive>auth_admin_keep</allow_inactive>
                <allow_active>yes</allow_active>
        </defaults>

Note that it allows the active user to power off, reboot, etc.
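
An added example (not part of the original answer, and not polkit's own code): a simplified Python model of how the .pkla entry above overrides the implicit defaults quoted from org.freedesktop.login1.policy, per session state. The function name effective_result, the user alice and the well-formed <policyconfig> wrapper are assumptions made for illustration.

```python
import configparser
import fnmatch
import xml.etree.ElementTree as ET

# Constructed inputs: the rule from the answer, and a well-formed copy of the
# power-off defaults quoted from org.freedesktop.login1.policy.
PKLA = """
[Confirm shutdown]
Identity=unix-user:*
Action=org.freedesktop.login1.*
ResultActive=auth_admin_keep
"""
POLICY = """<policyconfig>
  <action id="org.freedesktop.login1.power-off">
    <defaults>
      <allow_any>auth_admin_keep</allow_any>
      <allow_inactive>auth_admin_keep</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
</policyconfig>"""
# session state -> (.pkla key, element under <defaults>)
KEYS = {"any": ("ResultAny", "allow_any"),
        "inactive": ("ResultInactive", "allow_inactive"),
        "active": ("ResultActive", "allow_active")}

def effective_result(action, user, session, pkla_text=PKLA, policy_xml=POLICY):
    """Simplified model: a matching .pkla entry that sets the key for this
    session state wins; otherwise the action's implicit default applies."""
    pkla_key, default_tag = KEYS[session]
    result = None  # None = action not described in the policy sample
    for act in ET.fromstring(policy_xml).iter("action"):
        if act.get("id") == action:
            result = act.findtext(f"defaults/{default_tag}")
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case (ResultActive, not resultactive)
    cp.read_string(pkla_text)
    for name in cp.sections():
        entry = cp[name]
        ids = entry.get("Identity", "").split(";")
        actions = entry.get("Action", "").split(";")
        if (pkla_key in entry
                and any(fnmatch.fnmatchcase(f"unix-user:{user}", g) for g in ids if g)
                and any(fnmatch.fnmatchcase(action, g) for g in actions if g)):
            result = entry[pkla_key]
    return result

if __name__ == "__main__":
    for state in KEYS:
        print(state, effective_result("org.freedesktop.login1.power-off", "alice", state))
```

The entry sets only ResultActive, so the inactive and any cases still come from the policy file, and the org.freedesktop.login1.* glob applies to every login1 action rather than just power-off and reboot.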


Author: Byte Commander


Updated on September 18, 2022

Comments

  • Byte Commander
    Byte Commander almost 2 years

    For whatever reason, we no longer need to be root (or using sudo) to run /sbin/shutdown, /sbin/reboot etc.

    This seems to be because those executables are now symlinks to /bin/systemctl which handles everything as normal user.

    However, what if I want shutdown and reboot to require root authentication again? How can I achieve this?

    • muru
      muru about 8 years
      I'd guess polkit rules. Modify askubuntu.com/a/570969/158442 as per need (use pkaction | grep login1 for other rules of interest)
    • muru
      muru about 8 years
      (an example of rules for requiring admin privileges: askubuntu.com/a/744094/158442)
    • ognjen
      ognjen almost 8 years
      Isn't this only if you are the only person logged in? If there is anyone else logged in the system you will be asked to put in the root password.
    • Damien
      Damien over 7 years
      That may not be the answer you are expecting, but a similar behaviour can be caused by another admin user having edited your '/etc/sudoers'. If this is what is causing your issue then you can change it back by typing sudo visudo and checking if there is a line with the path to these executables.
  • Byte Commander
    Byte Commander almost 8 years
    The "wheel" group is a thing of Arch Linux and maybe other distributions, but definitely not on Ubuntu btw.
  • Anish
    Anish almost 8 years
    What's to stop a non-root user from simply bypassing this script?
  • Anish
    Anish almost 8 years
    This is not effective. A user can just download a systemctl binary from somewhere else, and run that instead.
  • chevydog
    chevydog almost 8 years
    @Robie, you could do that with any solution. You could hold down the power button. My solution works for what he asks.
  • Elder Geek
    Elder Geek over 7 years
    Note that attempting to change the permissions of the link will change the permissions of the target (in this case /bin/systemctl) so running chmod /sbin/shutdown will impact all the links pointing to /bin/systemctl as the permissions to bin/systemctl will be changed as confirmed by the command $ ll /bin/systemctl -rwx------ 1 root root 659848 Jan 18 16:04 /bin/systemctl*
  • Elder Geek
    Elder Geek over 7 years
    If you need to change it back, the default permissions are -rwxr-xr-x 1 root root 659848 Jan 18 16:04 /bin/systemctl