User access to these actions is controlled by polkit. In particular, they correspond to the following actions:
org.freedesktop.consolekit.system.stop
org.freedesktop.consolekit.system.restart
org.freedesktop.upower.suspend
org.freedesktop.upower.hibernate
All of these actions are allowed by default for active local users (although consolekit further restricts the first two permissions to only work when there is a single user logged into the system).
If you want to disable these actions, create a file /etc/polkit-1/50-local.d/disable-shutdown.pkla containing something like:
[Disable shutdown/whatever]
Identity=unix-user:*
Action=org.freedesktop.consolekit.system.stop;org.freedesktop.consolekit.system.restart;org.freedesktop.upower.suspend;org.freedesktop.upower.hibernate
ResultAny=no
ResultInactive=no
ResultActive=no
This should prevent those actions from completing. More information on these policy files can be found by running man pklocalauthority.
If you are trying to restrict root though, this will only be a minor inconvenience. By definition, root is an unrestricted account according to the traditional UNIX discretionary access control system. If you can't trust users you've given full root access to, then you've got bigger problems than them just shutting down the system.
Note that in later Ubuntu versions somebody decided to break compatibility. As answered in How to disable shutdown/reboot from lightdm in 14.04?, the action seems to have changed to "org.freedesktop.login1.reboot" (and the like).
For example, in 14.04 adding the following lines as /etc/polkit-1/localauthority/50-local.d/restrict-login-powermgmt.pkla works:
[Disable lightdm PowerMgmt]
Identity=unix-user:*
Action=org.freedesktop.login1.reboot;org.freedesktop.login1.reboot-multiple-sessions;org.freedesktop.login1.power-off;org.freedesktop.login1.power-off-multiple-sessions;org.freedesktop.login1.suspend;org.freedesktop.login1.suspend-multiple-sessions;org.freedesktop.login1.hibernate;org.freedesktop.login1.hibernate-multiple-sessions
ResultAny=no
ResultInactive=no
ResultActive=no
In addition, note that this method blocks only reboot/etc commands issued from the GUI. To block reboot/etc commands from the command line one may use molly-guard, as explained in Disabling shutdown command for all users, even root - consequences?
I would try the following .pkla:
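The action-ID change described above makes an old rule file stop matching without any error. The following is an added example, not part of the original answers: a small checker that reports which login1 power actions a .pkla file does not deny for unix-user:*. The function names are hypothetical, and it only compares the action IDs a file names; it does not evaluate how polkit orders or overrides entries.

```python
import configparser
from fnmatch import fnmatchcase

# The login1 power-management action IDs listed in the 14.04 rule on this page.
LOGIN1_POWER_ACTIONS = [
    "org.freedesktop.login1." + verb + suffix
    for verb in ("reboot", "power-off", "suspend", "hibernate")
    for suffix in ("", "-multiple-sessions")
]
RESULT_KEYS = ("ResultAny", "ResultInactive", "ResultActive")

# Constructed input: the pre-14.04 rule quoted on this page.
OLD_RULE = """[Disable shutdown/whatever]
Identity=unix-user:*
Action=org.freedesktop.consolekit.system.stop;org.freedesktop.consolekit.system.restart;org.freedesktop.upower.suspend;org.freedesktop.upower.hibernate
ResultAny=no
ResultInactive=no
ResultActive=no
"""


def parse_pkla(text):
    """Parse .pkla text into a list of {key: value} entries, in file order."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case: ResultActive, not resultactive
    cp.read_string(text)
    return [dict(cp[name], name=name) for name in cp.sections()]


def denies(entry, action, identity="unix-user:*"):
    """True if the entry lists identity, matches action, and sets all results to no."""
    ids = entry.get("Identity", "").split(";")
    globs = [g for g in entry.get("Action", "").split(";") if g]
    return (identity in ids
            and any(fnmatchcase(action, g) for g in globs)
            and all(entry.get(k) == "no" for k in RESULT_KEYS))


def uncovered_actions(pkla_text, actions=LOGIN1_POWER_ACTIONS):
    """Return the actions that no entry in the file denies for every user."""
    entries = parse_pkla(pkla_text)
    return [a for a in actions if not any(denies(e, a) for e in entries)]


if __name__ == "__main__":
    for action in uncovered_actions(OLD_RULE):
        print("not denied by this file:", action)
```

On a live system the authoritative answer still comes from polkit itself, for example by querying an action with pkcheck from the session being restricted.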
[First disable all users]
Identity=unix-user:*
Action=*
ResultActive=no
ResultInactive=no
ResultAny=no
[Then enable wheel group]
Identity=unix-group:wheel
Action=*
ResultActive=auth_admin
ResultInactive=no
ResultAny=no
in conjunction with a modification of the AdminIdentities, configured in a file under /etc/polkit-1/localauthority.conf.d/.
I have the following two files
50-localauthority.conf
[Configuration]
AdminIdentities=unix-user:0
and
51-ubuntu-admin.conf
[Configuration]
AdminIdentities=unix-group:sudo;unix-group:admin
The second one overrides the first, and forces the use of the sudo (and the old admin) group. Remove the second file and you are left with a root password request.
Best Answer
I think I've found the cause: the action seems to have changed to "org.freedesktop.login1.reboot" (and the like).
Adding the following lines as /etc/polkit-1/localauthority/50-local.d/restrict-login-powermgmt.pkla works:
You still see a confirmation dialog but there are no buttons to confirm. Looks ugly, but works ;)
Unfortunately this applies to all users, not only the lightdm session, so you have to add a second rule to white-list them if desired.
Note that this method blocks only reboot/etc commands issued from the GUI. To block reboot/etc commands from the command line one may use molly-guard, as explained in Disabling shutdown command for all users, even root - consequences?