What is the correct way to prevent non-root users from issuing shutdowns or reboots

linux reboot privileges gdm multiseat

8,370

Solution 1

First, note that ConsoleKit's shutdown function considers "single user" and "multiple users" as two different situations – shutting down the system always requires administrator authentication if other users are logged in.

All such actions are managed by PolicyKit. If you want to adjust the policies, you can do so as described in polkit(8) – /etc/polkit-1/rules.d/20-disallow-shutdown.rules:

polkit.addRule(function(action, subject) {
    if ((action.id == "org.freedesktop.consolekit.system.stop" ||
         action.id == "org.freedesktop.consolekit.system.restart") &&
        subject.isInGroup("users")) {
            return subject.active ? polkit.Result.AUTH_ADMIN : polkit.Result.NO;
    }
});

PolicyKit 0.105 and earlier versions document this in pklocalauthority(8) – /etc/polkit-1/localauthority/50-local.d/20-disallow-shutdown.pkla:

[Disallow shutdown]
Identity=unix-group:users
Action=org.freedesktop.consolekit.system.stop;org.freedesktop.consolekit.system.restart
ResultAny=no
ResultInactive=no
ResultActive=auth_admin

The Actions are listed in the ConsoleKit policy file or by running pkaction.

Solution 2

pklocalauthority is deprecated
You need systemd with logind and polkit.

Available actions

pkaction
# or /usr/share/polkit-1/actions/

You should look at /usr/share/polkit-1/actions/org.freedesktop.login1.policy

Add rule

First start monitoring system messages, so we can see if our new rule works:

journalctl -f

Then create file /etc/polkit-1/rules.d/60-noreboot_norestart.rules (in javascript).

In this file we add logic to check for actions and allow users in power group or require su authorization:

const power_actions = [
  'org.freedesktop.login1.reboot',
  'org.freedesktop.login1.reboot-multiple-sessions',
  'org.freedesktop.login1.power-off',
  'org.freedesktop.login1.power-off-multiple-sessions'
];

polkit.addRule(function ({ id }, subject) {
  if (power_actions.includes(id)) {
    return subject.isInGroup('power') ? polkit.Result.YES : polkit.Result.AUTH_ADMIN;
  }
});

Rule should be loaded and it should work. References below.

8,370

Alex

Web application developer by day who has also dabbled in audio, video and image tools.

Updated on September 18, 2022

Comments

Alex almost 2 years

Let's say that you have set up a multi-seat system for use in a school or library, allowing GDM to launch multiple X sessions to run simultaneously with different users/keyboards/monitors.

By default in Debian/Ubuntu in Gnome, you don't have to be root to shutdown or reboot. But this means any user can choose "reboot" or "shutdown" and kick off the other three users.

You have blocked physical access to the server so they can't simply push the power or reset buttons.

What is the correct way of disabling the "shutdown" and "reboot" functionality which is exposed to regular users through GDM/Gnome/whatever window manager you're using?
- Alex over 12 years
  
  @wizlog, see "You have blocked physical access to the server". This goes for its power plug too.
ffledgling almost 10 years

Are you sure that needs to be return polkit.Result.NO? I would've thought it'd be polkit.Result.YES to allow users in group "power"
Legooolas over 9 years

@ffledgling That's correct. I've edited the answer to reflect this, and to add a missing curly brace.
Legooolas over 9 years

It's also possible to use "NO" instead of "AUTH_ADMIN" to disable the menu on the login screen entirely, and the "org.freedesktop.login1.suspend" and "org.freedesktop.login1.suspend-multiple-sessions" options for controlling the Suspend menu item.
Mark K Cowan over 7 years

Wish I could upvote this multiple times