tisdag 6 januari 2015

Preventing normal users from Shutting Down or Rebooting PC

The default policy in linux is often that normal users can shut down or reboot a PC, even if other people are logged in. When using a desktop PC as a server or if you often leave your applications open, you don't want that to happen.

This is a question that comes up many times on the Internet. The problem is that the components in linux change and not every distribution uses the same components.

In linux, only root has the power to shut down or reboot. Many linux distributions use Policykit for rules to override this and let the normal users shut down and reboot.

In Fedora 21, to override the default rules, create a new rule with the following command:
sudo nano /etc/polkit-1/rules.d/60-noreboot_norestart.rules
 Paste the following text:
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.login1.reboot" ||
        action.id == "org.freedesktop.login1.reboot-multiple-sessions" ||
        action.id == "org.freedesktop.login1.power-off" ||
        action.id == "org.freedesktop.login1.power-off-multiple-sessions") {
        if (subject.isInGroup("power")) {
            return polkit.Result.YES;
        } else {
            return polkit.Result.AUTH_ADMIN;
Save the file. The policy will now be in use for users logging in. It will always prevent a normal user from rebooting or shutting down the system and it will ask for the administrator user password. If you want to allow a user to shut down or reboot when no one else is logged in, modify the rules above and remove the parts "action.id == "org.freedesktop.login1.reboot" ||" and "action.id == "org.freedesktop.login1.power-off" ||". Then it will only prevent users from rebooting and shutting down when other users are logged in.

[1] At some point there was a bug in systemd that ignored the login rules, but it was fixed last year [freedesktop.org].

[2] The code in this article was copied from here [superuser.com]