Ubuntu – Why do we need to be root in terminal for shutdown and restart

privilegesrestartshutdownsudo

When we install/remove/update packages or make any changes which require administrative privileges we are prompted for the password of admin user who has the sudo privileges – this happens both via GUI and terminal.

prompt via gui

However, if we try to shutdown and restart via terminal, it complains that we need to be root:

$ reboot
reboot: Need to be root

$ shutdown now
shutdown: Need to be root

But we are never asked for a password when we perform these actions via the cog-wheel at top right.

cog-wheel menu

Why is there this discrepancy?

Best Answer

The shutdown on the cog-wheel checks if you are allowed to shutdown the machine. This is done via PolicyKit. In case of shutdown this statement in the file /usr/share/polkit-1/actions/org.freedesktop.consolekit.policy is checked:

<action id="org.freedesktop.consolekit.system.stop">
  <description>Stop the system</description>
  <message>System policy prevents stopping the system</message>
  <defaults>
    <allow_inactive>no</allow_inactive>
    <allow_active>yes</allow_active>
  </defaults>
</action>

The PolicyKit triggers a dbus-send command. In case of shutdown it would be:

dbus-send --system --print-reply --dest=org.freedesktop.Hal /org/freedesktop/Hal/devices/computer org.freedesktop.Hal.Device.SystemPowerManagement.Shutdown

There is a daemon running in the background with root-Privileges that invokes the shutdown command for you.

When you want to be able to shutdown the machine "the old way" via command line (shutdown, reboot, halt, ...), then you need to add the suid-Bit to those commands. But be aware, everyone on your system, that has access to the shell could then shutdown your machine.

Related Solutions

Ubuntu – Proper way to let user enter password for a bash script using only the GUI (with the terminal hidden)

The -A sudo option allows you to specify a helper program (in the SUDO_ASKPASS variable) that will ask for the password.

Create a script to ask the password (myaskpass.sh):

#!/bin/bash
zenity --password --title=Authentication

Then insert this line at the beginning of your script:

export SUDO_ASKPASS="/path/to/myaskpass.sh"

and replace all occurences of sudo <command> with:

sudo -A <command>

You can use whatever password asking program you want instead of zenity. I had to encapsulate it within a script because SUDO_ASKPASS must point to a file, so it won't work with the --password option required by zenity.

The above works like a charm if it runs from command line or if you choose Run in terminal after double click the script file in the file manager, but if you choose Run or try to launch it from a .desktop file every sudo will ask for the for password again.

If you don't want a terminal window at all, you can store the password in a variable and pipe it to sudo -S. Maybe there's some security concerns, but I think it's pretty safe (read the comments on this answer).

Insert this line at the beginning of your script:

PASSWD="$(zenity --password --title=Authentication)\n"

and replace all occurences of sudo <command> with:

echo -e $PASSWD | sudo -S <command>

Ubuntu – Ubuntu no longer prompts for root privilege (but doesn’t give it either)

I had the same problem after changing to ubuntu-desktop from lubuntu on my imac. It seems, that 'policykit-1-gnome' was missing. After reinstalling sudo apt-get install policykit-1-gnome and logout-login it works flawlessly.

Best Answer

Related Solutions

Ubuntu – Proper way to let user enter password for a bash script using only the GUI (with the terminal hidden)

Ubuntu – Ubuntu no longer prompts for root privilege (but doesn’t give it either)

Related Question