If I'm using Ubuntu 11.04, how can I configure it such that only two users can shut down/suspend/hibernate my PC: the root user and one regular user?
Ubuntu – How to set that only root + a given user can shut down the pc
Related Solutions
The hardware power button triggers an ACPI event that acpid (the ACPI daemon) notices and reacts to; in this case by shutting down the system, although you could have it do whatever you want. The ACPI daemon runs as root, so it has permission to shutdown the system. Desktop environments (e.g. gdm for Gnome) typically run as root as well, so I suspect they work the same way -- you don't have permission to shutdown the system, but you can tell gdm you want it shut down and it can do it on your behalf.

There seems to be no way to log this data to a file. For the boot process, there is the bootlogd package which creates the file /var/log/boot, but nothing for the shutdown/reboot process. As far as I can see there is no way to log with rsyslog either, and even if there was, there are messages printed after rsyslog is stopped. Part of my shutdown/reboot process is to remount the rootfs readonly and umount everything else; after this, logging to a file that will still be there at the next boot is virtually impossible.
The easiest way I can see to view the messages is to edit the /etc/init.d/halt and/or /etc/init.d/reboot scripts to pause just before the actual halt/reboot. For the halt script, run the command sudoedit /etc/init.d/halt (or use a GUI editor) and look for the line that does the actual halt. For me this is the line:

    halt -d -f $netdown $poweroff $hddown

Otherwise it should be at the end of the do_stop function and the only line that calls the halt command. Once you find the line, just insert a new line above with the following:

    read -p "Press enter to halt" reply

Save the file and exit. Now when you shut down, the system will pause until you press enter (or CTRL-C, CTRL-D, etc). You can then read the messages printed on the screen. If there is more than a single screenful of text, you can see terminal scrollback by pressing Shift+PgUp. If this is still not enough, there are ways to increase the size of the scrollback buffer (perhaps a different question though).
To do the same when the system reboots, you have to edit the /etc/init.d/reboot file. The command used here is of course reboot as opposed to halt and should again be at the end of the do_stop function. For me the line is:

    reboot -d -f -i

Again just insert the following on a new line above:

    read -p "Press enter to reboot" reply

Note also that these files are listed as conffiles for the initscripts package. These edits won't be clobbered by default when the package is upgraded, although they will cause a conflict.
A more complete solution would be to use the following script:

    #! /bin/sh
    ### BEGIN INIT INFO
    # Provides: pause_hook
    # Required-Start:
    # Required-Stop: halt reboot
    # Default-Start:
    # Default-Stop: 0 6
    # X-Stop-After: umountroot
    # X-Interactive: true
    # Short-Description: Pause before halt or reboot
    # Description:
    ### END INIT INFO

    do_stop () {
        [ -r /etc/pause_hook.conf ] && . /etc/pause_hook.conf
        [ "$PAUSE_HOOK_ENABLED" = true ] && read -p "Press enter to continue" reply
    }

    case "$1" in
        start)
            # No-op
            ;;
        restart|reload|force-reload)
            echo "Error: argument '$1' not supported" >&2
            exit 3
            ;;
        stop)
            do_stop
            ;;
        *)
            echo "Usage: $0 start|stop" >&2
            exit 3
            ;;
    esac

This should be placed in /etc/init.d/pause_hook and can be enabled to run at shutdown/reboot with the following command:

    sudo update-rc.d pause_hook defaults

To then enable the actual hook, create the file /etc/pause_hook.conf containing the line:

    PAUSE_HOOK_ENABLED=true

The shutdown/reboot process should now pause just before the halt or reboot script is called, giving time to view the messages. It can also be easily disabled/re-enabled by commenting/uncommenting the enable line in /etc/pause_hook.conf. There will also be no dpkg conffile conflicts during upgrades this way.

Best Answer
The shutdown binary will only work for the root user. The typical approach to this is to set up sudo rules to allow the user to execute shutdown as root. Assuming the user doesn't already have full sudo permissions (the first user on an Ubuntu desktop system does, for example) you might add the following line to /etc/sudoers (using the visudo utility, for safety):

If you want them to be able to shut down without being prompted for their password, then add the NOPASSWD option, like this:

You can modify the way they can run shutdown by using wildcards or explicit declarations. For example shutdown -h now allows an immediate halt of the system, it will not reboot. You could allow -r instead to reboot the system.

After you configure sudoers, joe can run the following command to reboot the system:

As joe, you can run the following command to see what commands you have access to run using sudo:
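
Added example, not part of the answer above and not a reconstruction of its listings: a shell sketch that builds a sudoers rule limiting one user to two exact shutdown invocations, syntax-checks it with visudo, and installs it as a drop-in. The user name joe comes from the answer; the /sbin/shutdown path, the drop-in file name, and the presence of an /etc/sudoers.d include on the system are assumptions.

```shell
#!/bin/sh
# Added example. Assumptions: user "joe", shutdown at /sbin/shutdown,
# drop-in path /etc/sudoers.d/shutdown-<user> (hypothetical name).

# Print a sudoers rule letting user $1 run only two exact shutdown
# invocations as root. Pass "nopasswd" as $2 for the NOPASSWD variant.
render_shutdown_rule() {
    user=$1
    tag=
    # Reject names that could inject extra sudoers syntax. Dots are also
    # rejected because sudo skips drop-in files whose names contain '.'.
    case $user in
        ''|*[!a-z0-9_-]*) echo "invalid user name" >&2; return 1 ;;
    esac
    [ "${2:-}" = nopasswd ] && tag='NOPASSWD: '
    # Explicit arguments instead of a wildcard: halt now or reboot now.
    printf '%s ALL = (root) %s/sbin/shutdown -h now, /sbin/shutdown -r now\n' \
        "$user" "$tag"
}

# Write the rule to a temp file, syntax-check it with visudo, and install
# it only if the check passes. Must run as root.
install_shutdown_rule() {
    tmp=$(mktemp) || return 1
    rc=1
    if render_shutdown_rule "$@" > "$tmp" && visudo -cf "$tmp"; then
        install -o root -g root -m 0440 "$tmp" "/etc/sudoers.d/shutdown-$1"
        rc=$?
    fi
    rm -f "$tmp"
    return "$rc"
}

# Usage (as root):  install_shutdown_rule joe
#                   install_shutdown_rule joe nopasswd
```

Listing the two permitted argument sets explicitly means any other shutdown invocation is refused by sudo, which is the tighter of the two options the answer mentions (wildcards or explicit declarations).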