Is there any way to prevent non-root users from rebooting the system?

This question seems to be addressed many times on the web, but the problem is that none of the wannabe-howtos work on my system. In particular, this doesn't work and this doesn't work either, because (1) I need to keep policykit installed for udisks and other dependencies to function and (2) renaming (or removing) the file /usr/share/polkit-1/actions/org.freedesktop.login1.policy has (again) no effect on the users' ability to reboot and shut down the system. Even more surprisingly, adding the following to /etc/polkit-1/rules.d/20-disable-shutdown.rules has no effect at all:
polkit.addRule(function(action, subject) {
    // Deny power-off, reboot, suspend and hibernate requests for every subject.
    if (
        action.id == "org.freedesktop.login1.power-off" ||
        action.id == "org.freedesktop.login1.reboot" ||
        action.id == "org.freedesktop.login1.suspend" ||
        action.id == "org.freedesktop.upower.suspend" ||
        action.id == "org.freedesktop.login1.hibernate" ||
        action.id == "org.freedesktop.upower.hibernate"
    ) {
        return polkit.Result.NO;
    }
});
As a result, ordinary users (not in the wheel group and with no special permissions) can simply reboot the machine by typing reboot. I remember that a simple polkit rule (as proposed on the Fedora forum) worked fine just a few months ago, but this doesn't work nowadays. The action IDs mentioned there are no longer listed in pkaction, so it's quite obvious that some changes (and bugs) have been introduced since then. I just need to prevent the users from rebooting the machine and to keep policykit installed. Is there any way to do this?

karol wrote: Do said users have the ability to push the Power or Reset buttons?
No, they don't.
But come on, access permissions are a matter of principle rather than a matter of what you can possibly do with a hammer in your hand. That makes your question somewhat irrelevant to this issue. Imagine someone asking: "How can I protect my home directory from access by other users?" You would then probably ask: "Do said users have the ability to pull out the hard drive and mount it on their computer?"
Even if the users had physical access to the ACPI buttons, rebooting the computer by mistake (via software) would still be much more likely than pressing (or even holding) the ACPI buttons by mistake.
If I call rm -Rf / as a normal user, nothing should happen to the system in terms of availability to other users. Only my home directory and temporary files would vanish, but that's all. This is what permissions are there for. Similarly, when I type reboot as a normal user (no matter if I'm on SSH, on a local terminal or logged into KDE), it should be possible to simply disallow rebooting.
The idea that users logged in locally can restart the computer may be fine for laptops under certain conditions, but it is a bad idea in almost all other cases. In a "kiosk" type environment, for example, the ability to reboot and get to the bootloader can be a huge security hole, unless all your disks are encrypted, and a huge "reliability hole" in any case. Suppose you use a desktop as a home server. You want everyone to be able to log in and to connect a USB flash drive (using polkit and udisks). But you simply don't want the machine to be rebooted. Why is such a simple thing so hard to do?
Last edited by andrej.podzimek (2014-03-10 02:15:35)
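
An added example, not part of the original post and not a diagnosis of the poster's system: a polkit rule that matches the post's power actions by pattern, so that the -multiple-sessions and -ignore-inhibit variants logind registers as separate action IDs are covered too, while other actions such as udisks mounts stay unhandled. The wheel exemption, the stand-in result values used outside polkitd, and the sample ID list are assumptions made for the example; check the real action names with pkaction.

```javascript
// Added example. Under polkitd the global `polkit` exists; under Node it does not,
// so labelled stand-in result values are used and the rule is not registered.
var HAVE_POLKIT = typeof polkit !== "undefined";
var Result = HAVE_POLKIT ? polkit.Result : { NO: "no", NOT_HANDLED: "not-handled" };

// Exact IDs listed in the post's rule.
var POSTED_IDS = [
    "org.freedesktop.login1.power-off", "org.freedesktop.login1.reboot",
    "org.freedesktop.login1.suspend", "org.freedesktop.upower.suspend",
    "org.freedesktop.login1.hibernate", "org.freedesktop.upower.hibernate"
];

// Same verbs, plus the -multiple-sessions / -ignore-inhibit variants that
// logind registers as separate actions. Confirm the names with pkaction.
var POWER_ACTION = new RegExp(
    "^org\\.freedesktop\\.(login1\\.(power-off|reboot|suspend|hibernate)" +
    "(-multiple-sessions|-ignore-inhibit)?|upower\\.(suspend|hibernate))$");

var EXEMPT_GROUP = "wheel"; // assumption: administrators are in wheel

function decidePower(action, subject) {
    if (!POWER_ACTION.test(action.id)) return Result.NOT_HANDLED; // e.g. udisks
    if (subject.isInGroup(EXEMPT_GROUP)) return Result.NOT_HANDLED;
    return Result.NO;
}
if (HAVE_POLKIT) polkit.addRule(decidePower);

// ---- offline check with constructed data (runs under Node only) ----
function makeSubject(user, groups) {
    return { user: user, isInGroup: function (g) { return groups.indexOf(g) !== -1; } };
}
// Action IDs the rule leaves undecided (not denied) for this subject.
function notDenied(ids, subject) {
    return ids.filter(function (id) {
        return decidePower({ id: id }, subject) !== Result.NO;
    });
}
// Power-related IDs that an exact-match list like the post's never sees.
function missedByExactList(ids) {
    return ids.filter(function (id) {
        return POWER_ACTION.test(id) && POSTED_IDS.indexOf(id) === -1;
    });
}
var SAMPLE_IDS = POSTED_IDS.concat([   // constructed sample of pkaction-style IDs
    "org.freedesktop.login1.reboot-multiple-sessions",
    "org.freedesktop.login1.power-off-ignore-inhibit",
    "org.freedesktop.udisks2.filesystem-mount"
]);
if (!HAVE_POLKIT) {
    console.log("not denied for alice:", notDenied(SAMPLE_IDS, makeSubject("alice", ["users"])));
    console.log("missed by exact list:", missedByExactList(SAMPLE_IDS));
}
```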

Similar Messages

  • Is there any way to prevent non-admin user accounts to receive software update prompts?

    I am the admin account user on our MacBook Pro, and there is one standard user account on it as well. Generally we are both logged on so we can quickly switch between user accounts and 'spin the desktop'.
    For some reason, all the software update notifications seem to be received when the standard user account is the active one.
    I know that the standard user cannot actually update without my account password and my Apple ID, but a) The notifications confuse the non-admin user, and she gets flustered, and b) Even if she manages to cancel them from the notification area, she then has to remember to tell me verbally that she had had one.
    Is there any way to stop her receiving the update notifications altogether?
    Running OS X 10.8.2 on MacBook Pro.
    Thanks in advance.

    You should be able to do this by unchecking the software update service in the system preferences to prevent the system from running the check as the "_softwareupdate" user and passing it to the notification service that broadcasts to all user accounts. Then you can check for the software update in an admin account using the following Terminal line:
    /System/Library/CoreServices/Software\ Update.app/Contents/Resources/SoftwareUpdateCheck -Check YES
    This line can be scripted via Terminal services to run on a schedule (i.e., every few hours), and if there are found updates it will launch the App Store for that account and present them. Granted this approach circumvents the notification service, but should work. To try this, open TextEdit on your computer and in a new document choose "Make Plain Text" from the Format menu.
    Then copy and paste the following text into the new document:
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
              <key>Label</key>
              <string>local.softwareupdatecheck</string>
              <key>ProgramArguments</key>
              <array>
                        <string>/System/Library/CoreServices/Software Update.app/Contents/Resources/SoftwareUpdateCheck</string>
                        <string>-Check</string>
                        <string>YES</string>
              </array>
              <key>StartInterval</key>
              <integer>21600</integer>
    </dict>
    </plist>
    When done, save the document to your desktop as "softwareupdatecheck.plist" or anything as long as it ends with ".plist." Then get information on the file in the Finder to ensure its name ends with plist and not anything else like "plist.txt" (rename it accordingly in the Info window's "Name & Extension" section).
    With the file name appropriate, hold the Option key and choose the "Library" option in the Finder's "Go" menu. Then locate the folder called "Launch Agents" in the library and drag the text file to this folder. Then log out and log back into your account.
    This text file is a launch agent script that instructs the system to run the program arguments every 21600 seconds (6 hours) whenever the user is logged in. The program arguments here are simply those to check for software updates for the system. You can change this time interval to be any number of seconds you would like, but there are other options to use besides the "StartInterval" key for scheduling the task. This approach simply has it repeat every number of seconds, but you can use other options to have it only run on specific hours or days, or only have it run once when you log in, etc.
    If this works for you, then if you'd like to explore these other options write back here and we can go over them for you.

  • Is there a way to prevent an end-user from changing their own password?

    All you gurus out there, I need your help. Is there a way to prevent an end-user from changing their own password? Is there a function or procedure I can create or what?

    In this case, you do not want someone (whoever they are DBA etc) to connect as that particular user to change the password.
    Yes, but I wouldn't expect the users to know that password. The connect would be handled automatically, behind the scenes.
    The clear implication of the OP's question and response was that users would not be allowed to change their own passwords. I'm guessing this is in response to a policy that says users mustn't have simple passwords like 123abc or mom. In such a scenario a better approach would be to apply regexp to a user's password to ensure it contains a mix of letters, numbers, punctuation, etc to achieve the desired level of complexity.
    So questions, should not be regarded as daft Agreed, but the same is unfortunately not always true of business decisions. As the OP has told us not to ask we cannot know why they want to do this. Personally, I think a user's individual password should always be their responsibility; anything else strikes me as insecure. YMMV.
    Cheers, APC

  • Is there any way to prevent my SSIS Tasks from reformatting themselves when I want to change the Name

    So all my tasks are nicely laid out in my SSIS Package. Now I want to go add a blurb to the Name to make it a little more descriptive. When I do that, Microsoft Visual Studio just automatically re-sizes the task so the entire description, name fits. When I make it the right size, my scripting name is wrapping and that's the way I want it to look within my Package. Is there any way to stop Microsoft Visual Studio from automagically adjusting the size of my task when I click on the Name to edit?
    Thanks for your review and am hopeful for a reply.

    There is no way. The designer canvas received improvements in SSIS ver 2012, but this specific aspect remains unchanged.
    What I do is simply use the Format -> Autolayout -> Diagram, or you can also/instead Ctrl-A to select all and choose "make same size".
    Arthur

  • Is there any way to prevent a wifi network from becoming known?

    Hi,
    I'm on mid 2010 Macbook Pro running OS X 10.9.4 and I can't figure out a way to prevent a certain wifi network from becoming known. My college's network requires an in browser sign up every time and once the network becomes known it gives me an SSL error until I remove it from the list of known networks and refresh. Not too painful, but definitely something I'd like to fix. The only post I could find about this was from 2007, so I wanted to see if anything had changed. Any ideas?

    In Network Preferences > Airport > Advanced, do the following:
    Delete the network from the saved list of wireless networks
    UNcheck "Remember networks this computer has joined"
    Also (and this is equally important), every time you join this particular network, be sure to UNcheck "Remember this network" in the sign-on dialog.

  • Is there a way to prevent a form user from paging up and down or scrolling through a form?

    I'm using Livecycle Designer 8.0.  I'm working on a registration form (it's set up like a survey).  As users respond to questions, they will be sent to the appropriate next page in the form.  In doing so, they will bypass certain pages.  However, if users decide to scroll through the document, or page up or down, it will take them to pages that will not be appropriate given their initial responses.  In some cases, it will appear that they are responding to the same question. 
    This was asked before and the answer seemed to be that this is not possible to do.  However, it's been a year or two since then.  It is my hope that the version I'm using now allows this.
    Thank you in advance for any help you can offer.


  • Is there any way to prevent this javascript icon/link on bookmarks?

    Is there any way to prevent webvpn portal bookmarks from including this java-icon-link and thus preventing a user from using its GO TO ADDRESS?
    (WEBACL does not seem to prevent these Go To Address addresses...)

    You can use the following APCF to disable the floating toolbar.  The example below will apply to any URL but you can modify the wildcard to be a more specific value to suit your needs.
    1.0
    Disable WebVPN toolbar for all sites
    http://www.cisco.com/en/US/customer/docs/security/asa/asa80/configuration/guide/webvpn.html#wp1046654
    Todd

  • Is there any way to prevent fields from being overwritten when importing data via xdp-file?

    In a pdf-form designed with LCD, every time the form gets merged with an xdp-datafile, the content of all fields gets overwritten, regardless of which data-binding (normal, global, none) is assigned to the fields and regardless of whether the fields are excluded in the xdp-datafile. Is this normal behavior and is there any way to prevent fields from being overwritten?

    The xdp-file is first exported from Acrobat Professional 8 (export data as *.xdp) to get the complete structure. Then in the xdp-file some fields are removed manually and other fields are filled with data. When the modified xdp-file is opened again with Acrobat Professional 8 it grabs the original pdf-form and merges the manually filled fields into the form. With the merge all other fields in the form are overwritten, even if they are not defined in the xdp-file. And that is what I want to avoid. I want to merge the xdp-file into the form and keep the data in fields not defined in the xdp-file.

  • Is there any way to prevent the OS from querying the Superdrive when start

    Just a random question. Whenever my MacBook Pro starts up (either from sleep or a complete/fresh start), the OS queries the drive slot to see if there is a disc present. While this may be normal behavior, it seems to slow down the start up process. (I rarely ever have a disc in the drive). Just curious if this is, in fact, normal, or if there's something awry.

    Is there any way to prevent the OS from querying the Superdrive when start
    No
    the OS queries the drive slot to see if there is a disc present.
    How can you tell? Based on the noise it makes?

  • I'm trying to add a playlist manually to my iPhone 4. It won't let me because it's trying to delete all of the music currently on my iPhone. Is there any way to prevent this from happening in order to start manually updating it?


    Are you leaving the box unchecked to Manually manage music & videos? You don't need to to add anything to the iPhone.
    Simply drag the playlist to the iPhone to manually add it.

  • Is there any way to prevent or clean finger grease stains in your keyboard?

    As all of you might know, the body releases toxins (including body grease) through our fingers, and I notice even though I'm a clean person and I clean my MacBook often I get some stains in the keys I use the most, that being the command key, spacebar plus the whole asdf jkl; line of the keyboard. How can I get them off!?

    Is there any way to prevent...grease stains in your keyboard?
    wear gloves?
    how can i get them off!?
    Try a Mr. Clean Magic Eraser

  • Is there any way to prevent the copying of text from Presenter's Notes tab?

    PowerPoint Notes Page text exposed on a Presenter Notes tab can be selected and copied from the Notes tab and then pasted into any text document. Is there any way to prevent the copying of text short of not providing notes text at all?

    Hi Robingo,
    Excel is strictly treated as a data source and Siena only imports the data in your tables, not the formatting.
    If there is some business logic behind the formatting, you could mimic the same logic in Siena. For example, the font is bold or red if a value is in a certain range, the font is in italics if the data is for a specific customer, etc.
    Thanks
    Robin

  • In Mail, is there any way to prevent the ampersand 20 symbol in downloaded attachments?

    Long title, but as it suggests, every time I download an attachment in Mail that has a space in the title, Mail puts in %20 to replace the space (ascii symbol for space).  I'd like to prevent this and have attachments stored under the name they are sent.  Any way to do this?


  • Is there any way to prevent opening the lid from waking my MBP?

    Hi,
    I have a problem with my screen on my MBP such that when the computer is asleep in its case the lid often comes ajar, wakes the computer, and drains the battery. Is there any way to prevent the lid opening from waking the computer?
    Thanks for any ideas on how to fix this.

    Option 3: Open Applications > Terminal and type sudo pmset lidwake 0 (you'll be prompted to enter your admin password). To revert to wake on lid open, use the Terminal command sudo pmset lidwake 1.

  • Is there any way to prevent excess rows from being added to a table on the front panel?

    Whenever I programmatically add rows through a property node I can still go into the front panel and keep adding additional rows through the table. Is there any way to prevent this "excess scrolling"? Maybe grey out the rows or something? 
    At least I have chicken

    Hello Labviewleroy,
    You should be able to right click on the table on the front panel and select
    Visible Items>>Horizontal Scrollbar or Vertical Scrollbar
    You could also consider changing their visibility programmatically using a property node for the control or indicator that you are referencing. You can create the property node by right clicking on the control on the block diagram and selecting
    Create>>Property Node>>Visible Items>>Horizontal Scrollbar or Vertical Scrollbar
    Cheers,
    -Joel
    Motion PSE
    National Instruments
