What is the correct way to prevent non-root users from issuing shutdowns or reboots
Solution 1
First, note that ConsoleKit's shutdown function considers "single user" and "multiple users" as two different situations – shutting down the system always requires administrator authentication if other users are logged in.
All such actions are managed by PolicyKit. If you want to adjust the policies, you can do so as described in polkit(8) – /etc/polkit-1/rules.d/20-disallow-shutdown.rules
:
polkit.addRule(function(action, subject) { if ((action.id == "org.freedesktop.consolekit.system.stop" || action.id == "org.freedesktop.consolekit.system.restart") && subject.isInGroup("users")) { return subject.active ? polkit.Result.AUTH_ADMIN : polkit.Result.NO; } });
PolicyKit 0.105 and earlier versions document this in pklocalauthority(8) – /etc/polkit-1/localauthority/50-local.d/20-disallow-shutdown.pkla
:
[Disallow shutdown] Identity=unix-group:users Action=org.freedesktop.consolekit.system.stop;org.freedesktop.consolekit.system.restart ResultAny=no ResultInactive=no ResultActive=auth_admin
The Action
s are listed in the ConsoleKit policy file or by running pkaction
.
Solution 2
- pklocalauthority is deprecated
- You need systemd with logind and polkit.
Available actions
pkaction
# or /usr/share/polkit-1/actions/
You should look at /usr/share/polkit-1/actions/org.freedesktop.login1.policy
Add rule
First start monitoring system messages, so we can see if our new rule works:
journalctl -f
Then create file /etc/polkit-1/rules.d/60-noreboot_norestart.rules
(in javascript).
In this file we add logic to check for actions and allow users
in power
group or require su
authorization:
const power_actions = [
'org.freedesktop.login1.reboot',
'org.freedesktop.login1.reboot-multiple-sessions',
'org.freedesktop.login1.power-off',
'org.freedesktop.login1.power-off-multiple-sessions'
];
polkit.addRule(function ({ id }, subject) {
if (power_actions.includes(id)) {
return subject.isInGroup('power') ? polkit.Result.YES : polkit.Result.AUTH_ADMIN;
}
});
Rule should be loaded and it should work. References below.
- https://lists.fedoraproject.org/pipermail/users/2013-September/440457.html
- https://wiki.archlinux.org/index.php/Polkit#Authorization_rules
- http://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html
- https://bbs.archlinux.org/viewtopic.php?pid=1335204#p1335204
Related videos on Youtube
Alex
Web application developer by day who has also dabbled in audio, video and image tools.
Updated on September 18, 2022Comments
-
Alex almost 2 years
Let's say that you have set up a multi-seat system for use in a school or library, allowing GDM to launch multiple X sessions to run simultaneously with different users/keyboards/monitors.
By default in Debian/Ubuntu in Gnome, you don't have to be root to shutdown or reboot. But this means any user can choose "reboot" or "shutdown" and kick off the other three users.
You have blocked physical access to the server so they can't simply push the power or reset buttons.
What is the correct way of disabling the "shutdown" and "reboot" functionality which is exposed to regular users through GDM/Gnome/whatever window manager you're using?
-
Alex over 12 years@wizlog, see "You have blocked physical access to the server". This goes for its power plug too.
-
-
ffledgling almost 10 yearsAre you sure that needs to be return
polkit.Result.NO
? I would've thought it'd bepolkit.Result.YES
to allow users in group "power" -
Legooolas over 9 years@ffledgling That's correct. I've edited the answer to reflect this, and to add a missing curly brace.
-
Legooolas over 9 yearsIt's also possible to use "NO" instead of "AUTH_ADMIN" to disable the menu on the login screen entirely, and the "org.freedesktop.login1.suspend" and "org.freedesktop.login1.suspend-multiple-sessions" options for controlling the Suspend menu item.
-
Mark K Cowan over 7 yearsWish I could upvote this multiple times