How to make /sbin/shutdown, /sbin/reboot etc. require sudo again in 16.04?

root shutdown permissions reboot sudo

Solution 1:

Systemd does indeed handle the shutdown, reboot and other commands, and the default privileges assigned are permissive. To change this, you need to create a Polkit rule. Create a .pkla file in /etc/polkit-1/localauthority/50-local.d (say, confirm-shutdown.pkla) containing:

[Confirm shutdown]
Identity=unix-user:*
Action=org.freedesktop.login1.*
ResultActive=auth_admin_keep

The various shutdown, reboot, etc. commands are, in Polkit terms, actions in org.freedesktop.login1, for example, org.freedesktop.login1.power-off, org.freedesktop.login1.reboot, etc. The specific problem here is the default configuration, which is in /usr/share/polkit-1/actions/org.freedesktop.login1.policy:

<action id="org.freedesktop.login1.power-off">
        <description>Power off the system</description>
        ...
        <defaults>
                <allow_any>auth_admin_keep</allow_any>
                <allow_inactive>auth_admin_keep</allow_inactive>
                <allow_active>yes</allow_active>
        </defaults>

Note that it allows the active user to power off, reboot, etc.

Related

Does Unity have any widgets?
Ubuntu 19.10 Multiple Timezone clocks [duplicate]
How do I make my display grayscale?
Switch between internal and HDMI speakers automatically
Sleep mode drains battery very fast
How to start Thunderbird minimized on start-up?
AMD-V is not enabled in VirtualBox on AMD APU
Turn off keyboard back-light Sony (VAIO SVF1521DCXW)
Mouse lagging on Ubuntu 17.10
Accessing IE only sites
apt-get install with '-' (minus / hyphen) removes packages
ssh no longer allows public key authentication