6

I've a group of Ubuntu Trusty desktop PCs in my office, and usually I ssh to them and install updates remotely from the command line. Unfortunately, sometimes local users decide to shut down those PCs, breaking the update process.

I'd like to prevent those users from shutting down, rebooting or suspending their PCs when there's an SSH session active. How can I do it?

I've tried molly-guard, but it doesn't prevent GUI users from shutting down the system (it doesn't seem to affect GUI users).
I've also seen this question, but didn't understand if it's applicable to Ubuntu 14.04 LTS or not (and I'm not sure how to apply it):
disable shutdown/suspend if there is other user logged in via ssh

gerlos

1 Answer

7

This could be done using a PolKit policy, if you have admin privileges.

Create a .pkla file in /etc/polkit-1/localauthority/50-local.d (say disable-shutdown.pkla), containing:

[Disable Shutdown, etc.]
Identity=unix-user:*
Action=org.freedesktop.login1.reboot-multiple-sessions;org.freedesktop.login1.power-off-multiple-sessions;org.freedesktop.login1.suspend-multiple-sessions;org.freedesktop.login1.hibernate-multiple-sessions
ResultAny=no
ResultInactive=no
ResultActive=no

The -multiple-sessions part is for when multiple users are logged in - there are similar actions without that suffix. This disables these actions from the GUI, as far as I can tell.

Note that this method only blocks reboot, etc., commands issued from the GUI. To block reboot, etc., commands from the command line, one may use molly-guard - as explained in Disabling shutdown command for all users, even root - consequences?

muru
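An added example, not part of the original answer: a small Python audit of the .pkla file shown above that lists which logind power actions its Action entries match and flags Result values polkit does not accept. The helper audit_pkla and the constant names are hypothetical; the un-suffixed action names are the "similar actions without that suffix" the answer mentions.

```python
import configparser
from fnmatch import fnmatchcase

# The answer's policy, embedded so the example runs offline.
PAGE_POLICY = """\
[Disable Shutdown, etc.]
Identity=unix-user:*
Action=org.freedesktop.login1.reboot-multiple-sessions;org.freedesktop.login1.power-off-multiple-sessions;org.freedesktop.login1.suspend-multiple-sessions;org.freedesktop.login1.hibernate-multiple-sessions
ResultAny=no
ResultInactive=no
ResultActive=no
"""

# logind actions discussed above: with and without the -multiple-sessions suffix.
PREFIX = "org.freedesktop.login1."
POWER_ACTIONS = [PREFIX + verb + suffix
                 for verb in ("power-off", "reboot", "suspend", "hibernate")
                 for suffix in ("", "-multiple-sessions")]
RESULT_KEYS = ("ResultAny", "ResultInactive", "ResultActive")
VALID_RESULTS = {"no", "yes", "auth_self", "auth_self_keep",
                 "auth_admin", "auth_admin_keep"}


def audit_pkla(text):
    """Hypothetical helper: return (coverage, problems) for one .pkla file.

    coverage maps each power action to the ResultActive values of the sections
    whose Action globs match it; an empty list means no section in this file
    matches the action.
    """
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keep key case: "ResultActive", not "resultactive"
    parser.read_string(text)
    coverage = {action: [] for action in POWER_ACTIONS}
    problems = []
    for name in parser.sections():
        section = parser[name]
        for key in ("Identity", "Action"):
            if not section.get(key, "").strip():
                problems.append(f"[{name}] missing {key}")
        for key in RESULT_KEYS:
            value = section.get(key)
            if value is not None and value not in VALID_RESULTS:
                problems.append(f"[{name}] {key}={value!r} is not a polkit result")
        globs = [g.strip() for g in section.get("Action", "").split(";") if g.strip()]
        for action in POWER_ACTIONS:
            if any(fnmatchcase(action, g) for g in globs):
                coverage[action].append(section.get("ResultActive"))
    return coverage, problems
```

Run on the policy above, it reports "no" for the four -multiple-sessions actions and an empty list for the four un-suffixed ones, which this file does not match.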
  • 1
    Easy and effective, this solves my problem, many thanks! One remark: with this configuration, I've seen that regular, non-administrative users can't shut down or reboot the system when I'm connected via SSH, but nothing prevents my privileged user from shutting down/rebooting/etc. the system (and there are no warnings about other users connected). This isn't a problem for me, since I'm the only administrator of those PCs. – gerlos Jan 07 '15 at 15:53
  • @gerlos Via the GUI or via sudo shutdown? – muru Jan 07 '15 at 15:56
  • Via the shutdown item in top left menu in the GUI (didn't try via cli). – gerlos Jan 07 '15 at 16:10
  • 1
    @gerlos Instead of no, if you use auth_admin, do you get a password prompt? – muru Jan 07 '15 at 16:12
  • No, using auth_admin nothing warns my privileged user about other users connected, nor asks for a password. Only regular users get a warning and a prompt for an administrative password to continue. – gerlos Jan 07 '15 at 16:33
  • Also there's no warning when I run sudo reboot, even with molly-guard installed (not sure if this is intended or not, molly-guard works fine when trying to reboot from ssh sessions). – gerlos Jan 07 '15 at 16:37
  • Then I think you should unaccept the answer to attract more users (and perhaps edit your question to add these things too), since this is now beyond my level. I think it might be some relaxation of policy for local users (I mean, a local user can always pull the plug). – muru Jan 07 '15 at 16:40
  • @muru Although, now that I try it, it doesn't work for me. Contents of /etc/polkit-1/localauthority/50-local.d/restrict-shutdown.pkla are exactly what you have there, logged in via SSH, can still shut down via LightDM. Are there permissions I need to set on this file, or packages I need to install? – detly May 24 '15 at 05:54
  • @detly you're probably an admin - the OP says the admin user isn't restricted, only regular users are. – muru May 24 '15 at 05:55
  • @muru I don't think the LightDM login screen runs as an admin user though...? (Edit: just tried as non admin user, same thing. Shuts down.) – detly May 24 '15 at 05:55
  • @detly No, as far as I can remember. And it should be affected too - are multiple users logged in? – muru May 24 '15 at 05:57
  • @muru - Yep, one user is logged in via SSH. – detly May 24 '15 at 05:58