Home / ubuntu / Questions / 789058
Accepted
Byte Commander
Asked: 2016-06-20 11:14:34 +0800 CST

How to make /sbin/shutdown, /sbin/reboot etc. require sudo again in 16.04?

  • 772

For whatever reason, we do no longer need to be root (or using sudo) to run /sbin/shutdown, /sbin/reboot etc.

This seems to be because those executables are now symlinks to /bin/systemctl which handles everything as normal user.

However, what if I want shutdown and reboot to require root authentication again? How can I achieve this?

permissions

5 Answers

  1. Best Answer

    Systemd does indeed handle the shutdown, reboot and other commands, and the default privileges assigned are permissive. To change this, you need to create a Polkit rule. Create a .pkla file in /etc/polkit-1/localauthority/50-local.d (say, confirm-shutdown.pkla) containing:

    [Confirm shutdown]
Identity=unix-user:*
Action=org.freedesktop.login1.*
ResultActive=auth_admin_keep

    The various shutdown, reboot, etc. commands are, in Polkit terms, actions in org.freedesktop.login1, for example, org.freedesktop.login1.power-off, org.freedesktop.login1.reboot, etc. The specific problem here is the default configuration, which is in /usr/share/polkit-1/actions/org.freedesktop.login1.policy:

    <action id="org.freedesktop.login1.power-off">
        <description>Power off the system</description>
        ...
        <defaults>
                <allow_any>auth_admin_keep</allow_any>
                <allow_inactive>auth_admin_keep</allow_inactive>
                <allow_active>yes</allow_active>
        </defaults>

    Note that it allows the active user to power off, reboot, etc.

    • 5

  2. You can use chmod command.

    • If you want to give access to only root, you can write:

      chmod 700 directory/to/the/file

    • If you want to give permisson to the root and the sudo group then you can write:

      chmod 770 directory/to/the/file

    • If you want to change the group of the file from sudo to an another (like a user or admins) you need to type in:

      chown owner:group directory/to/the/file

    • If you want to revert back, run:

      chown root:sudo filedirectory

    Note: you may have to use sudo to these command, or have logged in the root account

    • 0

  3. As changing permissions of a symlink on a Linux system doesn't change the permissions of the link but instead the file it points to (In Ubuntu at least). I would think the safest way to accomplish this would be to remove the link, and recreate it with the required umask to obtain the result you desire.

    Another related post can be found here

    • 0

  4. You can make a script that checks if user is running it with root permissions or not.
    Then it will run systemctl command or return error.

    #!/bin/bash
if [ "$(whoami)" != "root" ]; then
    echo "Sorry, you are not root."
    exit 1
else
    (systemctl shutdown command)
fi

    Source

    • -1

  5. Try to change its permissions in terminal. You could make it executable only by by a certain group, such as wheel or admin. Sadly (or perhaps fortunately), a file can only have one group ownership so chown simply wouldn't work by itself. Try "sudo chown root:wheel /sbin/shutdown" and then "sudo chmod g+x /sbin/shutdown". This will make the file executable only by root and admins(shudders) and sudoers will be required to enter their passwords.

    • -1