How to disable shutdown/reboot/suspend/hibernate?

Question

I have an Ubuntu 10.04 LTS Desktop PC with GNOME.

How can I fully disable the reboot/shutdown/suspend/hibernate functions in GNOME or even with root? So that the root gives out the "reboot" or "pm-suspend" command it doesn't do anything, and the machine goes on. How can I fully disable these basic "features"?

I dunno? As a kiosk? you just remove shutdown and pm-suspend from /sbin/ and /bin/ — Amith KK, Jan 07 '12 at 13:04
Those files could be in cache, no? Removing them will permanently disallow the reboot/shutdown/suspend/hibernation function even in GNOME? — LanceBaynes, Jan 07 '12 at 13:13

score 17 · Accepted Answer · edited Apr 13 '17 at 12:24

User access to these actions are controlled by polkit. In particular, they correspond to the following actions:

org.freedesktop.consolekit.system.stop
org.freedesktop.consolekit.system.restart
org.freedesktop.upower.suspend
org.freedesktop.upower.hibernate

All of these actions are allowed by default for active local users (although consolekit further restricts the first two permissions to only work when there is a single user logged into the system).

If you want to disable these actions create a file /etc/polkit-1/50-local.d/disable-shutdown.pkla containing something like:

[Disable shutdown/whatever]
Identity=unix-user:*
Action=org.freedesktop.consolekit.system.stop;org.freedesktop.consolekit.system.restart;org.freedesktop.upower.suspend;org.freedesktop.upower.hibernate
ResultAny=no
ResultInactive=no
ResultActive=no

This should prevent those actions from completing. More information on these policy files can be found by running man pklocalauthority.

If you are trying to restrict root though, this will only be a minor inconvenience. By definition, root is an unrestricted account according to the traditional UNIX discretionary access control system. If you can't trust users you've given full root access to, then you've got bigger problems than them just shutting down the system.

Note that in later Ubuntu versions somebody decided to break compatibility. As answered in How to disable shutdown/reboot from lightdm in 14.04? the action seems to have changed to "org.freedesktop.login1.reboot" (and the-like).

For example in 14.04 adding the following lines as /etc/polkit-1/localauthority/50-local.d/restrict-login-powermgmt.pkla works:

[Disable lightdm PowerMgmt]
Identity=unix-user:*
Action=org.freedesktop.login1.reboot;org.freedesktop.login1.reboot-multiple-sessions;org.freedesktop.login1.power-off;org.freedesktop.login1.power-off-multiple-sessions;org.freedesktop.login1.suspend;org.freedesktop.login1.suspend-multiple-sessions;org.freedesktop.login1.hibernate;org.freedesktop.login1.hibernate-multiple-sessions
ResultAny=no
ResultInactive=no
ResultActive=no

In addition note that this method block solely reboot/etc commands issued from GUI. To block reboot/etc commands from command line one may use molly-guard - as explained in Disabling shutdown command for all users, even root - consequences?

@GabrieleV Maybe version with login1 works in 13.10? I tested it in 14.04 - and hopefully nobody at Canonical breaks backward compatibility in polkit in every release for fun. — reducing activity, Apr 16 '16 at 15:04
As another data point, I just used this successfully on the new Ubuntu 18.04.1 LTS, to disallow shutdown and reboot (but allow hibernate and suspend). Note that I needed to use these 'login1' names; that I also disabled 'halt' and 'halt-multiple-sessions'; that I did that because I found those actions in /usr/share/polkit-1/actions/org.freedesktop.login1.policy; and finally, that in Ubuntu 18.04's gdm3 UI, the buttons in the confirmation dialog are not hidden, but they simply have no effect. — MarnixKlooster ReinstateMonica, Aug 07 '18 at 19:13

score 6 · Answer 2 · edited Apr 13 '17 at 12:25

6

Consider installing molly-guard.

sudo apt-get install molly-guard

This package will prevent unintended shutdown/reboot/suspend/hibernate by interactively prompting you to enter the hostname of the system.

However, it's trivial to configure molly-guard to completely disable shutdown/reboot/suspend/hibernate. Simply create an executable file at /etc/molly-guard/run.d/99-prevent-all that has this in it:

#!/bin/sh
exit 1

Note it protects only against commands issued from command line, shutdown/reboot/suspend/hibernate issued from GUI is bypassing it. To block also GUI using reboot one may use polkit rules.

edited Apr 13 '17 at 12:25

Community

1

answered Nov 21 '12 at 16:14

Dustin Kirkland

14,608

This is a good solution for a multi-user computer where the administrator needs to do work and prevent all the other users from shutdown for a while. – Alexis Wilke Jan 04 '13 at 05:51
1

Works from console, but even with molly-guard in place (and set to 'always ask') the shutdown proceeds without asking when initiating it from GNOME (3.4). – Jan Oct 13 '14 at 16:22
Yeah, this is not working anymore... Since 13.10, maybe 13.04. – Alexis Wilke Oct 17 '14 at 03:42

score 3 · Answer 3 · edited Feb 24 '17 at 20:00

3

WARNING! The commands listed here are dangerous to use. Do not use these except at your own risk!

chmod -x /usr/sbin/pm-suspend
chmod -x /sbin/reboot
chmod -x /sbin/shutdown

edited Feb 24 '17 at 20:00

Thomas Ward

74,764

answered Jan 08 '12 at 10:03

LanceBaynes

1,055

5

Can you substantiate your answer? I surely don't think he wanted to eliminate the possibilities of rebooting and shutting down. – viyyer Jan 10 '12 at 03:43
How could one re-enable hibernation this way? – Gabriel Fair Feb 05 '12 at 19:49
use "chmod +x" not "chmod -x" – LanceBaynes Feb 06 '12 at 17:58
7

Warning! Don't do this These commands are symlinked to /bin/systemctl and will remove the executable bit from it. This is a critical executable which also controls service SERVICE_NAME [stop|start|restart]. Your system will probably not boot anymore (if you can get it to shutdown at all). – Daniel F Feb 24 '17 at 10:42
I ran these commands on an ubuntu VPS. Shutdown the VPS from the host, shutdown failed. It killed the SSH daemon. Force stopped and started, can SSH in just fine. After restart /bin/systemctl is set to read-write only-rw-r--r-- 1 root root – kryo Jul 13 '17 at 21:22
Sigh. rmrf-ing the whole system would also prevent it from rebooting/hibernating... – Eric Duminil May 27 '21 at 09:06

score 0 · Answer 4 · answered May 15 '19 at 12:58

Building on OP's answer, you can do

for file in $(/sbin/shutdown /sbin/reboot /usr/sbin/pm-suspend); do
    mv $file $file.bak && touch $file
done

This renames the symlinks and replaces them with blank files. This will prevent command-line shutdown, I don't know if the GUI commands call it or do their own thing so you might have to do the accepted answer as well.

How to disable shutdown/reboot/suspend/hibernate?

4 Answers4

Linked

Related