Hello,
I'm trying to disable or just put an error message or ask for root password on a standard user when this one click on the red icon to stop the system.
I was looking for a trick into the Cinnamon configuration (to hide the icon), or use polkit configuration to do the job. But it was a total fail.
Is anyone could help to keep only root or a sudoers to shut down / reboot or hybernate a machine ?
Cheers
Standard User : Deactivate halt / reboot / hibernate
Forum rules
Before you post read how to get help. Topics in this forum are automatically closed 6 months after creation.
Before you post read how to get help. Topics in this forum are automatically closed 6 months after creation.
Standard User : Deactivate halt / reboot / hibernate
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
- powerwagon75
- Level 4
- Posts: 339
- Joined: Sun Feb 28, 2016 4:05 pm
- Location: USA
Re: Standard User : Deactivate halt / reboot / hibernate
These are in the directory and file below. I don’t have them listed in any particular order, you’ll have to find them inside the file by finding the action id= line.
In the three “allow” categories listed under each one, the line “allow_active>yes<allow_active” could be changed to “allow_active>auth_admin<allow_active”. This is supposed to make the system ask for authentication every time..(it’s looking for an admin name, not a standard user) Halt should already be dis-allowed to standard user, as it requires an admin level authorization for active users.
These should work. If not, revert them back to their previous state, as something must be involved in the process as well.
Be advised, though, everyone, including admin, is going to see the authentication pop-up every time one of those actions are requested.
And as always, copy the file to a org.freedesktop.login1.policy.bak backup file before editing, just in case something goes wrong.
When set the way you want, log out, and have a standard user login and try.
In the three “allow” categories listed under each one, the line “allow_active>yes<allow_active” could be changed to “allow_active>auth_admin<allow_active”. This is supposed to make the system ask for authentication every time..(it’s looking for an admin name, not a standard user) Halt should already be dis-allowed to standard user, as it requires an admin level authorization for active users.
These should work. If not, revert them back to their previous state, as something must be involved in the process as well.
Be advised, though, everyone, including admin, is going to see the authentication pop-up every time one of those actions are requested.
And as always, copy the file to a org.freedesktop.login1.policy.bak backup file before editing, just in case something goes wrong.
When set the way you want, log out, and have a standard user login and try.
Code: Select all
---------------------------------------
Directory: /usr/share/polkit-1/actions
---------------------------------------
File: org.freedesktop.login1.policy
————————————————————————————-—————————-
<action id="org.freedesktop.login1.suspend">
<description gettext-domain="systemd">Suspend the system</description>
<message gettext-domain="systemd">Authentication is required to suspend the system.</message>
<defaults>
<allow_any>auth_admin_keep</allow_any>
<allow_inactive>auth_admin_keep</allow_inactive>
<allow_active>yes</allow_active>
</defaults>
</action>
<action id="org.freedesktop.login1.hibernate">
<description gettext-domain="systemd">Hibernate the system</description>
<message gettext-domain="systemd">Authentication is required to hibernate the system.</message>
<defaults>
<allow_any>auth_admin_keep</allow_any>
<allow_inactive>auth_admin_keep</allow_inactive>
<allow_active>yes</allow_active>
</defaults>
</action>
<action id="org.freedesktop.login1.power-off">
<description gettext-domain="systemd">Power off the system</description>
<message gettext-domain="systemd">Authentication is required to power off the system.</message>
<defaults>
<allow_any>auth_admin_keep</allow_any>
<allow_inactive>auth_admin_keep</allow_inactive>
<allow_active>yes</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.imply">org.freedesktop.login1.set-wall-message</annotate>
</action>
<action id="org.freedesktop.login1.halt">
<description gettext-domain="systemd">Halt the system</description>
<message gettext-domain="systemd">Authentication is required to halt the system.</message>
<defaults>
<allow_any>auth_admin_keep</allow_any>
<allow_inactive>auth_admin_keep</allow_inactive>
<allow_active>auth_admin_keep</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.imply">org.freedesktop.login1.set-wall-message</annotate>
</action>
Custom Antec Outside tower w/Mint 20.2
HP lap w/Mint 20.3
Optiplex 960 "Frankenbox" w/Fedora 39/Mint 19.2/Mint 20.2
Advantech TPC-1551T w/LinuxLite
Acer C720 Chromebook w/GalliumOS
Mac PPC G4 w/Lubuntu
Re: Standard User : Deactivate halt / reboot / hibernate
Thank you for your help, I will try all this next week
Cheers
Cheers
- Larry78723
- Level 14
- Posts: 5476
- Joined: Wed Jan 09, 2019 7:01 pm
- Location: Jasper County, SC, USA
Re: Standard User : Deactivate halt / reboot / hibernate
I don't think changes to polkit will prevent a standard user from opening a terminal and entering the command
shutdown now
to shutdown immediately or shutdown -r
to reboot.If you have found the solution to your initial post, please open your original post, click on the pencil, and add (Solved) to the Subject, it helps other users looking for help, and keeps the forum clean.
- powerwagon75
- Level 4
- Posts: 339
- Joined: Sun Feb 28, 2016 4:05 pm
- Location: USA
Re: Standard User : Deactivate halt / reboot / hibernate
Larry 78723,
Indeed you are correct. I am working on trying to get this to work on my frankenbox machine..more to it than meets the eye. As for what I have learned up to this moment, is likely have to figure out how to restrict for GUI button selections, and CLI in terminal, separately. I tried a couple of different things I found regarding policy and nothing has worked yet.
TuXxl,
I do apologize, Larry is correct. The actions I posted above will not prevent these actions from happening. Still looking in to this though.
Indeed you are correct. I am working on trying to get this to work on my frankenbox machine..more to it than meets the eye. As for what I have learned up to this moment, is likely have to figure out how to restrict for GUI button selections, and CLI in terminal, separately. I tried a couple of different things I found regarding policy and nothing has worked yet.
TuXxl,
I do apologize, Larry is correct. The actions I posted above will not prevent these actions from happening. Still looking in to this though.
Custom Antec Outside tower w/Mint 20.2
HP lap w/Mint 20.3
Optiplex 960 "Frankenbox" w/Fedora 39/Mint 19.2/Mint 20.2
Advantech TPC-1551T w/LinuxLite
Acer C720 Chromebook w/GalliumOS
Mac PPC G4 w/Lubuntu
Re: Standard User : Deactivate halt / reboot / hibernate
After searching... And searching...
I have success with command line with some instructions into /etc/sudoers file.
In the graphical part, I have no idea how to remove these buttons. Perhaps using another desktop environment ?
Tried with Manjaro & Kde. Same thing lol !
Apparently, an extension is available for gnome-shell in Ubuntu. Button stay, but nothing happend when you push it.
Cheers
I have success with command line with some instructions into /etc/sudoers file.
In the graphical part, I have no idea how to remove these buttons. Perhaps using another desktop environment ?
Tried with Manjaro & Kde. Same thing lol !
Apparently, an extension is available for gnome-shell in Ubuntu. Button stay, but nothing happend when you push it.
Cheers