What is the correct way to prevent non-root users from issuing shutdowns or reboots

Question

Let's say that you have set up a multi-seat system for use in a school or library, allowing GDM to launch multiple X sessions to run simultaneously with different users/keyboards/monitors.

By default in Debian/Ubuntu in Gnome, you don't have to be root to shutdown or reboot. But this means any user can choose "reboot" or "shutdown" and kick off the other three users.

You have blocked physical access to the server so they can't simply push the power or reset buttons.

What is the correct way of disabling the "shutdown" and "reboot" functionality which is exposed to regular users through GDM/Gnome/whatever window manager you're using?

rofrol · Answer 1 · 2021-04-16T06:38:04.713

pklocalauthority is deprecated
You need systemd with logind and polkit.

Available actions

pkaction
# or /usr/share/polkit-1/actions/

You should look at /usr/share/polkit-1/actions/org.freedesktop.login1.policy

Add rule

First start monitoring system messages, so we can see if our new rule works:

journalctl -f

Then create file /etc/polkit-1/rules.d/60-noreboot_norestart.rules (in javascript).

In this file we add logic to check for actions and allow users in power group or require su authorization:

const power_actions = [
  'org.freedesktop.login1.reboot',
  'org.freedesktop.login1.reboot-multiple-sessions',
  'org.freedesktop.login1.power-off',
  'org.freedesktop.login1.power-off-multiple-sessions'
];
polkit.addRule(function ({ id }, subject) {
  if (power_actions.includes(id)) {
    return subject.isInGroup('power') ? polkit.Result.YES : polkit.Result.AUTH_ADMIN;
  }
});

Rule should be loaded and it should work. References below.

grawity · Accepted Answer · 2013-02-01T20:43:33.770

First, note that ConsoleKit's shutdown function considers "single user" and "multiple users" as two different situations – shutting down the system always requires administrator authentication if other users are logged in.

All such actions are managed by PolicyKit. If you want to adjust the policies, you can do so as described in polkit(8) – /etc/polkit-1/rules.d/20-disallow-shutdown.rules:

polkit.addRule(function(action, subject) {
    if ((action.id == "org.freedesktop.consolekit.system.stop" ||
         action.id == "org.freedesktop.consolekit.system.restart") &&
        subject.isInGroup("users")) {
            return subject.active ? polkit.Result.AUTH_ADMIN : polkit.Result.NO;
    }
});

PolicyKit 0.105 and earlier versions document this in pklocalauthority(8) – /etc/polkit-1/localauthority/50-local.d/20-disallow-shutdown.pkla:

[Disallow shutdown]
Identity=unix-group:users
Action=org.freedesktop.consolekit.system.stop;org.freedesktop.consolekit.system.restart
ResultAny=no
ResultInactive=no
ResultActive=auth_admin

The Actions are listed in the ConsoleKit policy file or by running pkaction.

score 0 · Answer 3 · edited Jul 29 '22 at 00:58

Here's a more polished and modern ES6 version of this.

/etc/polkit-1/rules.d/20-disable-unprivileged-power-controls.rules

/* jshint esnext:true */
/**

@see https://superuser.com/questions/354678/what-is-the-correct-way-to-prevent-non-root-users-from-issuing-shutdowns-or-rebo
@since 2019.05.26

*/
polkit.addRule( function(action, subject) {
const power_actions = [
    'org.freedesktop.login1.reboot',
    'org.freedesktop.login1.reboot-multiple-sessions',
    'org.freedesktop.login1.power-off',
    'org.freedesktop.login1.power-off-multiple-sessions',
]; 

if ( power_actions.includes( action.id ) ) {

    let result = polkit.Result.AUTH_ADMIN;

    if ( subject.isInGroup( 'wheel' ) ) {
        result = polkit.Result.YES;
    }

    return result;

}  


} );

What is the correct way to prevent non-root users from issuing shutdowns or reboots

3 Answers3

Available actions

Add rule