What is the correct way to prevent non-root users from issuing shutdowns or reboots

9

3

Let's say that you have set up a multi-seat system for use in a school or library, allowing GDM to launch multiple X sessions to run simultaneously with different users/keyboards/monitors.

By default in Debian/Ubuntu in Gnome, you don't have to be root to shutdown or reboot. But this means any user can choose "reboot" or "shutdown" and kick off the other three users.

You have blocked physical access to the server so they can't simply push the power or reset buttons.

What is the correct way of disabling the "shutdown" and "reboot" functionality which is exposed to regular users through GDM/Gnome/whatever window manager you're using?

thomasrutter

Posted 2011-11-07T07:03:11.587

Reputation: 1 473

1What if they pull the plug? – wizlog – 2011-11-07T07:20:56.020

2@wizlog, see "You have blocked physical access to the server". This goes for its power plug too. – thomasrutter – 2011-11-07T22:09:10.413

Answers

3

First, note that ConsoleKit's shutdown function considers "single user" and "multiple users" as two different situations – shutting down the system always requires administrator authentication if other users are logged in.

All such actions are managed by PolicyKit. If you want to adjust the policies, you can do so as described in polkit(8) – /etc/polkit-1/rules.d/20-disallow-shutdown.rules:

polkit.addRule(function(action, subject) {
    if ((action.id == "org.freedesktop.consolekit.system.stop" ||
         action.id == "org.freedesktop.consolekit.system.restart") &&
        subject.isInGroup("users")) {
            return subject.active ? polkit.Result.AUTH_ADMIN : polkit.Result.NO;
    }
});

PolicyKit 0.105 and earlier versions document this in pklocalauthority(8) – /etc/polkit-1/localauthority/50-local.d/20-disallow-shutdown.pkla:

[Disallow shutdown]
Identity=unix-group:users
Action=org.freedesktop.consolekit.system.stop;org.freedesktop.consolekit.system.restart
ResultAny=no
ResultInactive=no
ResultActive=auth_admin

The Actions are listed in the ConsoleKit policy file or by running pkaction.

user1686

Posted 2011-11-07T07:03:11.587

Reputation: 283 655
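As an added example (not part of this answer and not polkit's own code), here is a small Node.js evaluator for the legacy .pkla format shown above. It parses the file into entries, derives the identities polkit would compute for a user (one `unix-user:` plus one `unix-group:` per group), picks `ResultActive`, `ResultInactive` or `ResultAny` from the session state, and lets a later matching entry override an earlier one. The second entry, the `admins` group, the user names and the `*` glob handling are constructed for the demonstration; the mapping of session state to the three Result keys and the "later entry wins" ordering are this example's reading of pklocalauthority(8), not something quoted from the answer.

```javascript
'use strict';

// Constructed sample file: the entry from the answer above plus a second entry
// (constructed) that lets group "admins" and root shut down without a prompt,
// so that entry ordering can be demonstrated.
const SAMPLE_PKLA = `
[Disallow shutdown]
Identity=unix-group:users
Action=org.freedesktop.consolekit.system.stop;org.freedesktop.consolekit.system.restart
ResultAny=no
ResultInactive=no
ResultActive=auth_admin

[Admins may shut down]
Identity=unix-group:admins;unix-user:root
Action=org.freedesktop.consolekit.system.*
ResultAny=yes
ResultInactive=yes
ResultActive=yes
`;

// Parse the INI-like .pkla format into a list of entries, preserving file order.
function parsePkla(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) continue;
    const section = line.match(/^\[(.+)\]$/);
    if (section) { current = { name: section[1] }; entries.push(current); continue; }
    const eq = line.indexOf('=');
    if (eq < 0 || !current) throw new Error(`malformed line: ${raw}`);
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    // Identity and Action are semicolon-separated lists; everything else is a scalar.
    current[key] = (key === 'Identity' || key === 'Action')
      ? value.split(';').map((s) => s.trim()).filter(Boolean)
      : value;
  }
  return entries;
}

// Minimal glob: only '*' is special (assumption: enough for the patterns used here).
function globMatch(pattern, value) {
  const parts = pattern.split('*').map((p) => p.replace(/[.+?^${}()|[\]\\]/g, '\\$&'));
  return new RegExp('^' + parts.join('.*') + '$').test(value);
}

// Identities polkit would derive for a subject: the user plus every group.
function identitiesOf(subject) {
  return [`unix-user:${subject.user}`, ...subject.groups.map((g) => `unix-group:${g}`)];
}

// Which Result* key applies: an active local session uses ResultActive, an inactive
// local session ResultInactive, anything else (for example a remote session) ResultAny.
function resultKey(subject) {
  if (!subject.local) return 'ResultAny';
  return subject.active ? 'ResultActive' : 'ResultInactive';
}

// Evaluate all entries for one subject and action. Returns the Result string, or null
// when nothing matches (the action's own <defaults> would then decide). A later matching
// entry overrides an earlier one.
function evaluatePkla(entries, subject, actionId) {
  const ids = identitiesOf(subject);
  let verdict = null;
  for (const e of entries) {
    const idMatch = (e.Identity || []).some((pat) => ids.some((id) => globMatch(pat, id)));
    const actMatch = (e.Action || []).some((pat) => globMatch(pat, actionId));
    if (idMatch && actMatch && e[resultKey(subject)] !== undefined) verdict = e[resultKey(subject)];
  }
  return verdict;
}

// Constructed seats: bob is an ordinary "users" member, alice is also in "admins".
const bob = { user: 'bob', groups: ['users'], local: true, active: true };
const alice = { user: 'alice', groups: ['users', 'admins'], local: true, active: true };
const entries = parsePkla(SAMPLE_PKLA);
console.log('bob, active seat, stop    ->', evaluatePkla(entries, bob, 'org.freedesktop.consolekit.system.stop'));
console.log('bob, inactive seat, stop  ->', evaluatePkla(entries, { ...bob, active: false }, 'org.freedesktop.consolekit.system.stop'));
console.log('alice, active seat, stop  ->', evaluatePkla(entries, alice, 'org.freedesktop.consolekit.system.stop'));
```

The useful check this gives you before deploying a .pkla file is the inactive-seat case: on a multi-seat box a user whose session is not the active one on its seat gets `ResultInactive`, so setting it to `no` rather than `auth_admin` is what keeps a backgrounded session from ever being prompted.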

7

  • pklocalauthority is deprecated
  • You need systemd with logind and polkit.

Available actions

pkaction
# or /usr/share/polkit-1/actions/

You should look at /usr/share/polkit-1/actions/org.freedesktop.login1.policy

Add rule

First start monitoring system messages, so we can see if our new rule works:

journalctl -f

Then create file /etc/polkit-1/rules.d/60-noreboot_norestart.rules (in javascript).

In this file we add logic to check for actions and allow users in the power group, or otherwise require su authorization:

polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.login1.reboot" ||
        action.id == "org.freedesktop.login1.reboot-multiple-sessions" ||
        action.id == "org.freedesktop.login1.power-off" ||
        action.id == "org.freedesktop.login1.power-off-multiple-sessions") {
        if (subject.isInGroup("power")) {
            return polkit.Result.YES;
        } else {
            return polkit.Result.AUTH_ADMIN;
        }
    }
});

The rule should be loaded and it should work. References below.

  1. https://lists.fedoraproject.org/pipermail/users/2013-September/440457.html
  2. https://wiki.archlinux.org/index.php/Polkit#Authorization_rules
  3. http://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html
  4. https://bbs.archlinux.org/viewtopic.php?pid=1335204#p1335204

rofrol

Posted 2011-11-07T07:03:11.587

Reputation: 1 419

2Are you sure that needs to be return polkit.Result.NO? I would've thought it'd be polkit.Result.YES to allow users in group "power" – ffledgling – 2014-08-28T17:32:45.337

@ffledgling That's correct. I've edited the answer to reflect this, and to add a missing curly brace. – Legooolas – 2014-11-05T16:25:48.130

1It's also possible to use "NO" instead of "AUTH_ADMIN" to disable the menu on the login screen entirely, and the "org.freedesktop.login1.suspend" and "org.freedesktop.login1.suspend-multiple-sessions" options for controlling the Suspend menu item. – Legooolas – 2014-11-05T16:27:25.213

Wish I could upvote this multiple times – Mark K Cowan – 2016-12-18T02:42:36.447

0

Here's a more polished and modern ES6 version of @jakegould's answer:

/etc/polkit-1/rules.d/20-disable-unprivileged-power-controls.rules

/* jshint esnext:true */

/**
 * @see https://superuser.com/questions/354678/what-is-the-correct-way-to-prevent-non-root-users-from-issuing-shutdowns-or-rebo
 * @since 2019.05.26
 */
polkit.addRule( function(action, subject) {

    const power_actions = [
        'org.freedesktop.login1.reboot',
        'org.freedesktop.login1.reboot-multiple-sessions',
        'org.freedesktop.login1.power-off',
        'org.freedesktop.login1.power-off-multiple-sessions',
    ];

    if ( power_actions.includes( action.id ) ) {

        let result = polkit.Result.AUTH_ADMIN;

        if ( subject.isInGroup( 'wheel' ) ) {
            result = polkit.Result.YES;
        }

        return result;

    }

} );

lkraav

Posted 2011-11-07T07:03:11.587

Reputation: 1 049
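Both the `60-noreboot_norestart.rules` file in rofrol's answer and the ES6 variant above are functions that polkitd calls for every authorization request, and the usual way to find out what they will decide for a given seat is to log in and try. As an added example (not code from either answer and not polkit's own), the Node.js harness below stands in for the pieces of the polkit(8) rule API those files use (`polkit.addRule`, `polkit.Result`, `action.id`, `subject.isInGroup()`/`subject.active`), loads a simulated `rules.d` directory in lexical filename order, and applies the fall-through semantics (a rule that returns nothing or `NOT_HANDLED` passes the request to the next rule; if none answers, the action's `.policy` defaults apply). The first file is the rule from rofrol's answer verbatim; the second file, `70-nosuspend.rules`, is constructed here following Legooolas's comment about `NO` and the suspend actions; the user names and groups are constructed as well.

```javascript
'use strict';

// Stand-in for the objects polkit(8) exposes to rules files. Assumption: the real daemon
// exposes more (action.lookup(), subject.pid, ...), but this subset is what the rules on
// this page use, and the Result values follow polkit's own string constants.
const polkit = {
  Result: {
    NO: 'no', YES: 'yes',
    AUTH_SELF: 'auth_self', AUTH_ADMIN: 'auth_admin',
    AUTH_SELF_KEEP: 'auth_self_keep', AUTH_ADMIN_KEEP: 'auth_admin_keep',
    NOT_HANDLED: null,
  },
  _rules: [],
  addRule(fn) { this._rules.push(fn); },
};

// Simulated /etc/polkit-1/rules.d/: each entry is a file name plus the code that file
// would run. polkitd loads the files in lexical order, so the 20-/60-/70- prefixes decide
// which rule is asked first.
const rulesDir = [
  {
    name: '60-noreboot_norestart.rules',
    body: () => polkit.addRule(function(action, subject) {
      // The rule from rofrol's answer, verbatim apart from indentation.
      if (action.id == "org.freedesktop.login1.reboot" ||
          action.id == "org.freedesktop.login1.reboot-multiple-sessions" ||
          action.id == "org.freedesktop.login1.power-off" ||
          action.id == "org.freedesktop.login1.power-off-multiple-sessions") {
        if (subject.isInGroup("power")) {
          return polkit.Result.YES;
        } else {
          return polkit.Result.AUTH_ADMIN;
        }
      }
    }),
  },
  {
    name: '70-nosuspend.rules',  // constructed second file, after Legooolas's comment
    body: () => polkit.addRule(function(action, subject) {
      if (action.id == "org.freedesktop.login1.suspend" ||
          action.id == "org.freedesktop.login1.suspend-multiple-sessions") {
        // NO rather than AUTH_ADMIN: the menu entry disappears instead of prompting.
        return subject.isInGroup("power") ? polkit.Result.YES : polkit.Result.NO;
      }
    }),
  },
];

// Register every file's rules in lexical filename order, as polkitd does.
function loadRulesDir(dir) {
  polkit._rules = [];
  [...dir].sort((a, b) => a.name.localeCompare(b.name)).forEach((f) => f.body());
}

// Build a subject the way polkitd would describe a logged-in seat user.
function makeSubject({ user, groups, active = true, local = true }) {
  return { user, active, local, isInGroup: (g) => groups.includes(g) };
}

// Run the rules in load order; the first verdict other than NOT_HANDLED/undefined wins.
// 'policy-default' stands for "no rule answered, the .policy <defaults> apply".
function evaluate(actionId, subject) {
  for (const rule of polkit._rules) {
    const verdict = rule({ id: actionId }, subject);
    if (verdict !== undefined && verdict !== polkit.Result.NOT_HANDLED) return verdict;
  }
  return 'policy-default';
}

// Decision table for two constructed seat users: alice is in "power", bob is not.
function decisionTable() {
  loadRulesDir(rulesDir);
  const actions = [
    'org.freedesktop.login1.reboot',
    'org.freedesktop.login1.power-off-multiple-sessions',
    'org.freedesktop.login1.suspend',
    'org.freedesktop.login1.hibernate',  // handled by neither file: falls to policy default
  ];
  const seats = {
    alice: makeSubject({ user: 'alice', groups: ['users', 'power'] }),
    bob: makeSubject({ user: 'bob', groups: ['users'] }),
  };
  const table = {};
  for (const [name, subject] of Object.entries(seats)) {
    table[name] = {};
    for (const id of actions) table[name][id] = evaluate(id, subject);
  }
  return table;
}

console.table(decisionTable());
```

The row for `hibernate` is the check worth keeping in mind: an action that none of your rules names is not denied, it silently gets whatever `/usr/share/polkit-1/actions/org.freedesktop.login1.policy` declares as its default, so the list in a rules file has to cover every action you intend to restrict. The same harness works for the `wheel` variant above by swapping in its rule body.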