On a traditional Unix system, non-root users cannot do this. What is it that gives users this ability in modern desktop environments and how would I go about disabling this on a per-user or per-group basis?
I've seen a great method to prevent anybody from shutting down/suspending, but ideally what I'm looking for is to prevent certain users (such as, by adding/removing them from a certain usergroup) from being able to execute a shutdown, restart, suspend.
As mentioned in the other question, you can control these actions via PolicyKit's local authority system.
If you create a file /etc/polkit-1/50-local.d/restrict-shutdown.pkla with content like:
[Disable shutdown/etc for group restricted]
Identity=unix-group:restricted
Action=org.freedesktop.consolekit.system.stop;org.freedesktop.consolekit.system.restart;org.freedesktop.upower.suspend;org.freedesktop.upower.hibernate
ResultAny=no
ResultInactive=no
ResultActive=no
This will prevent any member of the group restricted from performing the matched actions. Alternatively, if you want to restrict individual users, replace unix-group:restricted with unix-user:user1;unix-user:user2;.... Any user not matched by this policy should end up with the default behaviour.
Create and edit this file as root:
/etc/polkit-1/localauthority/50-local.d/power-management.pkla
Copy and paste the following:
[Disable shutdown/restart for users jim jane]
Identity=unix-user:jim;unix-user:jane
Action=org.freedesktop.login1.reboot;org.freedesktop.login1.reboot-multiple-sessions;org.freedesktop.login1.power-off;org.freedesktop.login1.power-off-multiple-sessions
ResultAny=no
ResultInactive=no
ResultActive=no
[Disable suspend/hibernate for users jim jane]
Identity=unix-user:a;unix-user:vvpinker
Action=org.freedesktop.login1.suspend;org.freedesktop.login1.suspend-multiple-sessions;org.freedesktop.login1.hibernate;org.freedesktop.login1.hibernate;org.freedesktop.login1.hibernate-multiple-sessions
ResultAny=no
ResultInactive=no
ResultActive=no
