Ubuntu – How to make /sbin/shutdown, /sbin/reboot etc. require sudo again in 16.04


For whatever reason, we do no longer need to be root (or using sudo) to run /sbin/shutdown, /sbin/reboot etc.

This seems to be because those executables are now symlinks to /bin/systemctl which handles everything as normal user.

However, what if I want shutdown and reboot to require root authentication again? How can I achieve this?

Best Answer

Systemd does indeed handle the shutdown, reboot and other commands, and the default privileges assigned are permissive. To change this, you need to create a Polkit rule. Create a .pkla file in /etc/polkit-1/localauthority/50-local.d (say, confirm-shutdown.pkla) containing:

[Confirm shutdown]

The various shutdown, reboot, etc. commands are, in Polkit terms, actions in org.freedesktop.login1, for example, org.freedesktop.login1.power-off, org.freedesktop.login1.reboot, etc. The specific problem here is the default configuration, which is in /usr/share/polkit-1/actions/org.freedesktop.login1.policy:

<action id="org.freedesktop.login1.power-off">
        <description>Power off the system</description>

Note that it allows the active user to power off, reboot, etc.

Related Question