Make reboot work only with sudo

Question

I have a laptop with Ubuntu 16.06. I am able to execute reboot command as a non-root user without sudo. How can I change this behaviour so that I am not able to run reboot without sudo? I tried checking where reboot actually points:

user:~$ which reboot
/sbin/reboot
user:/sbin$ ls -l reboot
reboot -> /bin/systemctl

But I do not know how to change systemctl behaviour.

post results for ls -l /bin/systemctl it is probably in a group with the bit suid active for your personal user. — Luciano Andress Martini, Aug 01 '17 at 14:24
user:/sbin$ ls -l /bin/systemctl returns -rwxr-xr-x 1 root root 659848 feb 15 16:11 /bin/systemctl — Mikhail, Aug 01 '17 at 14:31
Try that: chmod o-x /bin/systemctl and guarantee your user are not in the group root. — Luciano Andress Martini, Aug 01 '17 at 14:41
@LucianoAndressMartini this will work, so I would use this for now, but on my other machine when I type reboot I get reboot: Need to be root and permissions on reboot are exactly the same. — Mikhail, Aug 01 '17 at 14:50
I think it is related to the configuration on /usr/share/polkit-1/actions/org.freedesktop.login1.policy take a look on that article http://winaero.com/blog/how-to-enable-shutdown-and-reboot-for-a-normal-user-in-debian-jessie/ (i think you can do the reverse) — Luciano Andress Martini, Aug 01 '17 at 14:58

score 5 · Answer 1 · edited Aug 02 '17 at 13:07

5

This is not a matter of changing systemctl. That is a red herring. systemctl queries the "Policy Kit" to determine whether a particular user, logged on in particular way, is allowed to reboot the system. You need to change, in Policy Kit, who is permitted to run the org.freedesktop.login1.reboot action. You probably want to change the rules for the three classes of log-on from yes to auth_admin (or auth_admin_keep).

Could you expand in your answer on how exactly should I change the rules for the three classes? I have visited all three links you provided, but there is no explanation or examples of how actually do what I want. – Mikhail Aug 03 '17 at 08:36
I can't believe how complicated it is to configure the system to disallow non-root users from being able to reboot or shutdown. – Michael Burr Sep 05 '20 at 11:33

score 0 · Answer 2 · answered Mar 23 '18 at 05:13

0

My trick is to add the following alias in the .bashrc

alias reboot='echo "Your account is not allowed to run the reboot command without sudo"'

answered Mar 23 '18 at 05:13

Jay

11

1

This easy solution worked for me. Note: I am not trying to make it impossible to run reboot for security reasons, simply I like to accidentally type reboot and lose all my work without expecting it! – benathon Jul 03 '20 at 06:03

Make reboot work only with sudo

2 Answers2

Further reading