Ubuntu – How to set that only root + a given user can shut down the pc

The hardware power button triggers an ACPI event that acpid (the ACPI daemon) notices and reacts to; in this case by shutting down the system, although you could have it do whatever you want. The ACPI daemon runs as root, so it has permission to shutdown the system. Desktop environments (e.g. gdm for Gnome) typically run as root as well, so I suspect they work the same way -- you don't have permission to shutdown the system, but you can tell gdm you want it shut down and it can do it on your behalf

There seems to be no way to log this data to a file. For the boot process, there is the bootlogd package which creates the file /var/log/boot, but nothing for the shutdown/reboot process. As far as I can see there is no way to log with rsyslog either, and even if there was, there are messages printed after rsyslog is stopped. Part of my shutdown/reboot process is to remount the rootfs readonly and umount everything else, after this logging to a file that will still be there at the next boot is virtually impossible.

The easiest way I can see to view the messages is to edit the /etc/init.d/halt and/or /etc/init.d/reboot scripts to pause just before the actual halt/reboot. For the halt script, run the command sudoedit /etc/init.d/halt (or use a GUI editor) and look for the line that does the actual halt. For me this is the line:

halt -d -f $netdown $poweroff $hddown

Otherwise it should be at the end of the do_stop function and the only line that calls the halt command. Once you find the line, just insert a new line above with the following:

read -p "Press enter to halt" reply

Save the file and exit. Now when you shutdown, the system will pause until you press enter (or CTRL-C, CTRL-D, etc). You can the read the messages printed on the screen. If there is more than a single screenful of text, you can see terminal scrollback by pressing Shift+PgUp. If this is still not enough, there are ways to increase the size of the scrollback buffer (perhaps a different question though).

To do the same when the system reboots, you have to edit the /etc/init.d/reboot file. The command used here is of course reboot as opposed to halt and should again be at the end of the do_stop function. For me the line is:

reboot -d -f -i

Again just insert the following on a new line above:

read -p "Press enter to reboot" reply

Note also that these files are listed as conffiles for the initscripts package. These edits won't be clobbered by default when the packages is upgraded, although they will cause a conflict.

A more complete solution would be to use the following script:

#! /bin/sh
### BEGIN INIT INFO
# Provides:          pause_hook
# Required-Start:
# Required-Stop:     halt reboot
# Default-Start:
# Default-Stop:      0 6
# X-Stop-After:      umountroot
# X-Interactive:     true
# Short-Description: Pause before halt or reboot
# Description:
### END INIT INFO

do_stop () {
    [ -r /etc/pause_hook.conf ] && . /etc/pause_hook.conf

    [ "$PAUSE_HOOK_ENABLED" = true ] && read -p "Press enter to continue" reply
}

case "$1" in
    start)
        # No-op
        ;;
    restart|reload|force-reload)
        echo "Error: argument '$1' not supported" >&2
        exit 3
        ;;
    stop)
        do_stop
        ;;
    *)
        echo "Usage: $0 start|stop" >&2
        exit 3
        ;;
esac

This should be placed in /etc/init.d/pause_hook and can be enabled to run at shutdown/reboot with the following command:

sudo update-rc.d pause_hook defaults

To then enable the actual hook, create the files /etc/pause_hook.conf containing the line:

PAUSE_HOOK_ENABLED=true

The shutdown/reboot process should now pause just before the halt or reboot script is called, giving time to view the messages. It can also be easily disabled/re-enabled by commenting/uncommmenting the enable line in /etc/pause_hook.conf. There will also be no dpkg conffile conflicts during upgrades this way.