LinuxQuestions.org
Old 08-20-2021, 11:38 AM   #1
swamprat
Member
 
Registered: Sep 2005
Location: New Jersey, USA
Distribution: VMware V12 and V15 in Windows 10, MX Linux 23.1, Kubuntu 23.10, IBM z/VM 5.4
Posts: 558

Rep: Reputation: 34
Preventing System Shutdown


Greetings, we have a Kubuntu Linux machine which I have set up so several people here can test a Linux system to see if they would like to use Linux for their daily work.

This is working out fine except for the issue that each user is able to shut down the machine at the end of their testing. They aren’t logging off but shutting down the machine.

I find this not to be acceptable but I don’t know of any way to stop this from happening. I would like to restrict these users from being able to shut down the system but I haven’t figured out a resolution after trying a number of things; nothing works.

Is there a way to define a general user from only logging off and not being able to shut down the system? We are only using one physical terminal for the Linux system at this time. My user id should be the only super user being able to shut things down.

Any help with this issue is appreciated. Thanks
 
Old 08-20-2021, 11:50 AM   #2
boughtonp
Senior Member
 
Registered: Feb 2007
Location: UK
Distribution: Debian
Posts: 3,599

Rep: Reputation: 2546

Have you tried talking to the humans involved? i.e. say "please do not shutdown when you are finished, just logout" when you introduce them to the machine.

You can easily prevent accidental shutdowns by removing the icon from the Application menu (right-click>remove from favourites), and Settings>Workspace>Startup and Shutdown has a checkbox for "Offer shutdown options" which you can deselect.

If there are any other methods, then just login with another user and leave that session in the background - I presume Plasma will prompt in some way if a shutdown is attempted whilst someone else is logged in.

 
1 members found this post helpful.
Old 08-20-2021, 12:43 PM   #3
zeebra
Senior Member
 
Registered: Dec 2011
Distribution: Slackware
Posts: 1,830
Blog Entries: 17

Rep: Reputation: 638
Quote:
Originally Posted by swamprat View Post
Greetings, we have a Kubuntu Linux machine which I have set up so several people here can test a Linux system to see if they would like to use Linux for their daily work.

This is working out fine except for the issue that each user is able to shut down the machine at the end of their testing. They aren’t logging off but shutting down the machine.

I find this not to be acceptable but I don’t know of any way to stop this from happening. I would like to restrict these users from being able to shut down the system but I haven’t figured out a resolution after trying a number of things; nothing works.

Is there a way to define a general user from only logging off and not being able to shut down the system? We are only using one physical terminal for the Linux system at this time. My user id should be the only super user being able to shut things down.
This is actually the standard behaviour. Users are by default NOT allowed to shut down the machine. This behaviour has been changed in most distros though, to allow users to shutdown and reboot. From what I remember, KDE and SDDM adapt to this access, and remove the shutdown and reboot buttons if the user does not have those rights, so it will also look right, not just act right.

However, I can't say that I know how this behaviour is regulated in Kubuntu. It adds Sudo into the mix, but normally this kind of setting should be found in /etc.. Maybe in Kubuntu it's in /etc/shutdown.allow. But you should probably also look around in /etc/sudo*

So, just to sum up. You're NOT looking for a way to restrict users. You are looking for a way to reset the behaviour to the standard (only root can reboot/shutdown). This access has been granted to users, and /etc should reflect that somewhere. You might also want to look into /etc/groups and a command "systemctl". In many distros systemd controls shutdown and reboot and /sbin/shutdown points to /bin/systemctl..

I sadly can't tell you how to change it with systemd, because it tends to make easy things very complicated, and finding out very difficult.

Last edited by zeebra; 08-20-2021 at 01:06 PM.
 
Old 08-20-2021, 02:48 PM   #4
rnturn
Senior Member
 
Registered: Jan 2003
Location: Illinois (SW Chicago 'burbs)
Distribution: openSUSE, Raspbian, Slackware. Previous: MacOS, Red Hat, Coherent, Consensys SVR4.2, Tru64, Solaris
Posts: 2,801

Rep: Reputation: 550
Quote:
Originally Posted by swamprat View Post
Greetings, we have a Kubuntu Linux machine which I have set up so several people here can test a Linux system to see if they would like to use Linux for their daily work.

This is working out fine except for the issue that each user is able to shut down the machine at the end of their testing. They aren’t logging off but shutting down the machine.
How are they shutting it down? Via the command line (shutdown -h or halt)? Or by having physical access (using the so-called "Big Red Switch")?

You can prevent them from using the former, the latter is more difficult.

When their accounts are set up, you should be able to remove their rights to the shutdown command. If they're just trying out Linux, at the very least I'd remove any access to root functions through the use of sudo.

HTH...
 
Old 08-22-2021, 11:24 AM   #5
swamprat
Member
 
Registered: Sep 2005
Location: New Jersey, USA
Distribution: VMware V12 and V15 in Windows 10, MX Linux 23.1, Kubuntu 23.10, IBM z/VM 5.4
Posts: 558

Original Poster
Rep: Reputation: 34
Thanks all for your replies. The Sudoers file is a nightmare for a newbie. Can anyone point me to a good example of how to alter this file preventing various users from using certain commands such as shutdown, sleep etc.? I know I have to use a different version of the vi command while editing this file in order not to do something nasty to it. Thanks
 
Old 08-22-2021, 11:58 AM   #6
zeebra
Senior Member
 
Registered: Dec 2011
Distribution: Slackware
Posts: 1,830
Blog Entries: 17

Rep: Reputation: 638
Quote:
Originally Posted by swamprat View Post
Thanks all for your replies. The Sudoers file is a nightmare for a newbie. Can anyone point me to a good example of how to alter this file preventing various users from using certain commands such as shutdown, sleep etc.? I know I have to use a different version of the vi command while editing this file in order not to do something nasty to it. Thanks
This is what happens when I change the shutdown policy for users in a GNU/Linux distro with systemd:

Quote:
INFO: touched file /etc/shutdown.allow
INFO: deleted /usr/bin/shutdown
INFO: deleted /usr/bin/poweroff
INFO: deleted /usr/bin/reboot
INFO: deleted /usr/bin/halt
INFO: Modified system files: /etc/shutdown.allow /usr/bin/shutdown /usr/bin/poweroff /usr/bin/reboot /usr/bin/halt /etc/inittab
Doing this means root can also not use "shutdown" or "reboot" etc. Which means if you want to shut down the computer with root, you could need to use "systemctl shutdown" instead.

If I change it back, it puts back the symbolic links and moves /etc/shutdown.allow to another irrelevant file (backup).
Quote:
INFO: made symbolic link from ../bin/systemctl to /usr/bin/shutdown
/etc/inittab may or may not contain a line like this "ca::ctrlaltdel:/sbin/shutdown -t3 -r now". If you remove this line, you cannot shutdown by pressing ctrl+alt+delete either.

So, if you have an idea what is going on here, and you can VERIFY that those files mentioned above are symbolic links, you could probably solve this situation by deleting those symbolic links and creating an empty file /etc/shutdown.allow.

Or you could just delete those files in any case and hope for the best

Last edited by zeebra; 08-22-2021 at 12:02 PM.
 
1 members found this post helpful.
Old 08-22-2021, 06:34 PM   #7
syg00
LQ Veteran
 
Registered: Aug 2003
Location: Australia
Distribution: Lots ...
Posts: 21,126

Rep: Reputation: 4120
Quote:
Originally Posted by swamprat View Post
The Sudoers file is a nightmare for a newbie. Can anyone point me to a good example of how to alter this file preventing various users from using certain commands such as shutdown, sleep etc.?
Example
 
1 members found this post helpful.
Old 08-22-2021, 08:22 PM   #8
JJJCR
Senior Member
 
Registered: Apr 2010
Posts: 2,150

Rep: Reputation: 449
Or try a simple method, an SSH banner:

https://www.tecmint.com/protect-ssh-...nner-messages/

Just say, Hey Human. Don't shut down this machine.
 
Old 08-23-2021, 01:31 AM   #9
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 19,872
Blog Entries: 12

Rep: Reputation: 6053
Quote:
Originally Posted by swamprat View Post
Thanks all for your replies. The Sudoers file is a nightmare for a newbie. Can anyone point me to a good example of how to alter this file preventing various users from using certain commands such as shutdown, sleep etc.? I know I have to use a different version of the vi command while editing this file in order not to do something nasty to it. Thanks
What? Are you sure you tried all the suggestions in post #2 before digging that deep?
 
Old 08-24-2021, 09:13 AM   #10
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,659
Blog Entries: 4

Rep: Reputation: 3941
I think that "JJJCR's" solution is probably the most practical: just add a login-banner which tells them ... "Please just log off when you're done – please don't shut down the machine. Thanks."

Hey – when I'm finished using my personal computer each night, I routinely "shut down the machine." It's just what I do and have always done, and I think nothing about it. "Oh ... you don't want me to do that? Okay. Sure. No problem."

Last edited by sundialsvcs; 08-24-2021 at 09:15 AM.
 
Old 08-24-2021, 02:54 PM   #11
shruggy
Senior Member
 
Registered: Mar 2020
Posts: 3,670

Rep: Reputation: Disabled
Quote:
Originally Posted by sundialsvcs View Post
I think that "JJJCR's" solution is probably the most practical: just add a login-banner which tells them ... "Please just log off when you're done – please don't shut down the machine. Thanks."
This is a Debian-based distro. It should have molly-guard in the repository. I guess it would be a tad more effective than just a login banner. To work for non-SSH sessions, you'll have to configure it via /etc/molly-guard/rc though.

Last edited by shruggy; 08-24-2021 at 02:58 PM.
 
Old 08-24-2021, 11:32 PM   #12
swamprat
Member
 
Registered: Sep 2005
Location: New Jersey, USA
Distribution: VMware V12 and V15 in Windows 10, MX Linux 23.1, Kubuntu 23.10, IBM z/VM 5.4
Posts: 558

Original Poster
Rep: Reputation: 34
Greetings,
First, thank you again for your replies, very informative. I was just wondering if one couldn't use 'acls' to stop access to the questioned commands and if so how? Seems that also might work instead of using Sudoers.
 
Old 08-24-2021, 11:40 PM   #13
zeebra
Senior Member
 
Registered: Dec 2011
Distribution: Slackware
Posts: 1,830
Blog Entries: 17

Rep: Reputation: 638
Quote:
Originally Posted by swamprat View Post
First, thank you again for your replies, very informative. I was just wondering if one couldn't use 'acls' to stop access to the questioned commands and if so how? Seems that also might work instead of using Sudoers.
No, because they are not real commands in a systemd, they are systemd slaves. Back in the days, you could just remove a user from the shutdown group, easy peasy. If there is a solution to this that is not deleting those symlinks, then it is a systemd internal function. And like most things with systemd it just complicates simple things, and there is a lack of documentation floating around the web.

The real commands are "systemctl poweroff" and such things. Of course they could also not even keep the name.
 
Old 08-25-2021, 01:38 AM   #14
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 19,872
Blog Entries: 12

Rep: Reputation: 6053
The question originally asked is not a question of deep system commands, but a question of configuring certain elements of the desktop so that there's no shutdown option, only logout.
This Should(tm) be possible to achieve from within the desktop environment.
I do not use KDE, but it is known for its configurability.
Once again, I think boughtonp had the best answer in post #2.
This search seems to have answers, too.
 
Old 08-25-2021, 02:26 AM   #15
zeebra
Senior Member
 
Registered: Dec 2011
Distribution: Slackware
Posts: 1,830
Blog Entries: 17

Rep: Reputation: 638
Quote:
Originally Posted by ondoho View Post
I do not use KDE, but it is known for its configurability.
It is, but it is a desktop and not responsible for system functions. There are tweaks you can do to make the scenario less likely, but ultimately the KDE logout/shutdown is adapted to what the system allows.
I've given a solution that works, and it doesn't rely on human nature. There is and should be no need to tell anyone anything about not doing this and that, it's fully possible to turn off! If those functions are not allowed on a system level (user shutdown/reboot/etc), then they are also not shown in KDE logout/shutdown options.

Perhaps the system administrator is inexperienced, but at the very least, he should be able to create a folder /root/backup, and move those 4 "files" mentioned into that folder (he can even include it in his path). That way he can just move them back in case he is insecure. It is not really that dangerous, and the skill level required is not so high. There, I even gave him an easier way to do it.
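
The verify-then-move procedure described in posts #6 and #15, written out as an added shell example; it is not code posted by anyone in the thread. `BIN_DIR`, `BACKUP_DIR` and the function names are assumptions made for the example, with defaults taken from the paths the posts mention.

```shell
#!/bin/sh
# Added example, not from the thread. Defaults follow post #6 (/usr/bin) and
# post #15 (/root/backup); both variable names are assumptions.
BIN_DIR="${BIN_DIR:-/usr/bin}"
BACKUP_DIR="${BACKUP_DIR:-/root/backup}"
NAMES="shutdown poweroff reboot halt"

# Succeeds only if $1 is a symlink whose final target is named systemctl.
is_systemctl_link() {
    [ -L "$1" ] || return 1
    target=$(readlink -f "$1") || return 1
    [ "$(basename "$target")" = "systemctl" ]
}

# Move each verified symlink into BACKUP_DIR. Anything that is a regular
# file, or a link to something else, is left in place and reported.
# Returns non-zero if at least one name was skipped.
disable_shutdown_links() {
    rc=0
    mkdir -p "$BACKUP_DIR" || return 1
    for name in $NAMES; do
        if is_systemctl_link "$BIN_DIR/$name"; then
            mv "$BIN_DIR/$name" "$BACKUP_DIR/$name" && echo "moved $name"
        else
            echo "skipped $name (not a symlink to systemctl)"
            rc=1
        fi
    done
    return $rc
}

# Put back whatever disable_shutdown_links moved away.
restore_shutdown_links() {
    for name in $NAMES; do
        [ -L "$BACKUP_DIR/$name" ] && mv "$BACKUP_DIR/$name" "$BIN_DIR/$name"
    done
    return 0
}

# Run as root: "disable" moves the links, "restore" moves them back.
case "${1:-}" in
    disable) disable_shutdown_links ;;
    restore) restore_shutdown_links ;;
esac
```

This only takes away the four command names; `systemctl poweroff`, which post #13 names as the real command, is not touched by it.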
 
  

