Standard User : Deactivate halt / reboot / hibernate

[TuXxL]

Hello,

I'm trying to disable or just put an error message or ask for root password on a standard user when this one click on the red icon to stop the system.
I was looking for a trick into the Cinnamon configuration (to hide the icon), or use polkit configuration to do the job. But it was a total fail.

Is anyone could help to keep only root or a sudoers to shut down / reboot or hybernate a machine ?

Cheers

[powerwagon75]

These are in the directory and file below. I don’t have them listed in any particular order, you’ll have to find them inside the file by finding the action id= line.

In the three “allow” categories listed under each one, the line “allow_active>yes<allow_active” could be changed to “allow_active>auth_admin<allow_active”. This is supposed to make the system ask for authentication every time..(it’s looking for an admin name, not a standard user) Halt should already be dis-allowed to standard user, as it requires an admin level authorization for active users.

These should work. If not, revert them back to their previous state, as something must be involved in the process as well.

Be advised, though, everyone, including admin, is going to see the authentication pop-up every time one of those actions are requested.

And as always, copy the file to a org.freedesktop.login1.policy.bak backup file before editing, just in case something goes wrong.

When set the way you want, log out, and have a standard user login and try.

Code: Select all

 
---------------------------------------
Directory:  /usr/share/polkit-1/actions
---------------------------------------
File: org.freedesktop.login1.policy
————————————————————————————-—————————-

        <action id="org.freedesktop.login1.suspend">
                <description gettext-domain="systemd">Suspend the system</description>
                <message gettext-domain="systemd">Authentication is required to suspend the system.</message>
                <defaults>
                        <allow_any>auth_admin_keep</allow_any>
                        <allow_inactive>auth_admin_keep</allow_inactive>
                        <allow_active>yes</allow_active>
                </defaults>
        </action>

        

        <action id="org.freedesktop.login1.hibernate">
                <description gettext-domain="systemd">Hibernate the system</description>
                <message gettext-domain="systemd">Authentication is required to hibernate the system.</message>
                <defaults>
                        <allow_any>auth_admin_keep</allow_any>
                        <allow_inactive>auth_admin_keep</allow_inactive>
                        <allow_active>yes</allow_active>
                </defaults>
        </action>


        <action id="org.freedesktop.login1.power-off">
                <description gettext-domain="systemd">Power off the system</description>
                <message gettext-domain="systemd">Authentication is required to power off the system.</message>
                <defaults>
                        <allow_any>auth_admin_keep</allow_any>
                        <allow_inactive>auth_admin_keep</allow_inactive>
                        <allow_active>yes</allow_active>
                </defaults>
                <annotate key="org.freedesktop.policykit.imply">org.freedesktop.login1.set-wall-message</annotate>
        </action>
        
        
            <action id="org.freedesktop.login1.halt">
                <description gettext-domain="systemd">Halt the system</description>
                <message gettext-domain="systemd">Authentication is required to halt the system.</message>
                <defaults>
                        <allow_any>auth_admin_keep</allow_any>
                        <allow_inactive>auth_admin_keep</allow_inactive>
                        <allow_active>auth_admin_keep</allow_active>
                </defaults>
                <annotate key="org.freedesktop.policykit.imply">org.freedesktop.login1.set-wall-message</annotate>
        </action>
                        
                       

[TuXxL]

Thank you for your help, I will try all this next week

Cheers

[Larry78723]

I don't think changes to polkit will prevent a standard user from opening a terminal and entering the command shutdown now to shutdown immediately or shutdown -r to reboot.

[powerwagon75]

Larry 78723,

Indeed you are correct. I am working on trying to get this to work on my frankenbox machine..more to it than meets the eye. As for what I have learned up to this moment, is likely have to figure out how to restrict for GUI button selections, and CLI in terminal, separately. I tried a couple of different things I found regarding policy and nothing has worked yet.

TuXxl,

I do apologize, Larry is correct. The actions I posted above will not prevent these actions from happening. Still looking in to this though.

[TuXxL]

After searching... And searching...

I have success with command line with some instructions into /etc/sudoers file.

In the graphical part, I have no idea how to remove these buttons. Perhaps using another desktop environment ?
Tried with Manjaro & Kde. Same thing lol !

Apparently, an extension is available for gnome-shell in Ubuntu. Button stay, but nothing happend when you push it.

Cheers