What is the correct way to prevent non-root users from issuing shutdowns or reboots

  • pklocalauthority is deprecated
  • You need systemd with logind and polkit.

Available actions

pkaction
# or /usr/share/polkit-1/actions/

You should look at /usr/share/polkit-1/actions/org.freedesktop.login1.policy

Add rule

First start monitoring system messages, so we can see if our new rule works:

journalctl -f

Then create file /etc/polkit-1/rules.d/60-noreboot_norestart.rules (in javascript).

In this file we add logic to check for actions and allow users in power group or require su authorization:

polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.login1.reboot" ||
        action.id == "org.freedesktop.login1.reboot-multiple-sessions" ||
        action.id == "org.freedesktop.login1.power-off" ||
        action.id == "org.freedesktop.login1.power-off-multiple-sessions") {
        if (subject.isInGroup("power")) {
            return polkit.Result.YES;
        } else {
            return polkit.Result.AUTH_ADMIN;
        }
    }
});

Rule should be loaded and it should work. References below.

  1. https://lists.fedoraproject.org/pipermail/users/2013-September/440457.html
  2. https://wiki.archlinux.org/index.php/Polkit#Authorization_rules
  3. http://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html
  4. https://bbs.archlinux.org/viewtopic.php?pid=1335204#p1335204

First, note that ConsoleKit's shutdown function considers "single user" and "multiple users" as two different situations – shutting down the system always requires administrator authentication if other users are logged in.

All such actions are managed by PolicyKit. If you want to adjust the policies, you can do so as described in polkit(8) – /etc/polkit-1/rules.d/20-disallow-shutdown.rules:

polkit.addRule(function(action, subject) {
    if ((action.id == "org.freedesktop.consolekit.system.stop" ||
         action.id == "org.freedesktop.consolekit.system.restart") &&
        subject.isInGroup("users")) {
            return subject.active ? polkit.Result.AUTH_ADMIN : polkit.Result.NO;
    }
});

PolicyKit 0.105 and earlier versions document this in pklocalauthority(8) – /etc/polkit-1/localauthority/50-local.d/20-disallow-shutdown.pkla:

[Disallow shutdown]
Identity=unix-group:users
Action=org.freedesktop.consolekit.system.stop;org.freedesktop.consolekit.system.restart
ResultAny=no
ResultInactive=no
ResultActive=auth_admin

The Actions are listed in the ConsoleKit policy file or by running pkaction.

Tags:

Linux

Reboot

Privileges

Gdm

Multiseat

Recent Posts