On Mon, 2025-09-08 at 23:51 +0200, Franta Hanzlík via users wrote:
> In the end, it turned out that disabling shutdown/restart/... using
> polkit is not that complicated, and it also has another (wanted) effect
> - the "Shut Down" button in the System menu will not be displayed at
> all to users who are not members of the specified group (in this case,
> the "powerenik" group). The entire javascript .rules file:
>
> // /etc/polkit-1/rules.d/10-disable-reboot-shutdown.rules - disable
> // shutdown/restart/suspend/hibernate System menu
> // with this policy rule, the SHUT DOWN button will no longer be displayed.
> // Tested on mate-desktop-1.28/Fedora 42 MATE
> // *-multiple-sessions : allows the action even when other users are
> // currently logged in
> polkit.addRule(function(action, subject) {
>     if (action.id == "org.freedesktop.login1.reboot" ||
>         action.id == "org.freedesktop.login1.reboot-multiple-sessions" ||
>         action.id == "org.freedesktop.login1.power-off" ||
>         action.id == "org.freedesktop.login1.power-off-multiple-sessions" ||
>         action.id == "org.freedesktop.login1.suspend" ||
>         action.id == "org.freedesktop.login1.suspend-multiple-sessions" ||
>         action.id == "org.freedesktop.login1.hibernate" ||
>         action.id == "org.freedesktop.login1.hibernate-multiple-sessions") {
>         if (subject.isInGroup("powerenik")) {
>             return polkit.Result.YES;
>         } else {
>             // return polkit.Result.AUTH_ADMIN; // possible alternative
>             return polkit.Result.NO;
>         }
>     }
> });

Glad to have helped (a bit). I didn't want to try and say do it with
this [insert non-existent example] script that I didn't have the
opportunity to test for myself at the time. But was confident polkit
could do it without too much trauma. I haven't needed to foolproof a
system for many years.

If you have any other desktop environments (KDE, Gnome, LXDE, etc)
installed, check whether users can log in with one of them and still be
restricted.

It's worth mentioning that if you do lock out certain users from doing
shutdowns or reboots, you also want some emergency failsafe. Either an
extra code they're allowed to use, or make sure they have the contact
details for someone who can log in and un-munge a system for them.

--
uname -rsvp
Linux 3.10.0-1160.119.1.el7.x86_64 #1 SMP Tue Jun 4 14:43:51 UTC 2024 x86_64
(yes, this is the output from uname for this PC when I posted)
Boilerplate: All unexpected mail to my mailbox is automatically deleted.
I will only get to see the messages that are posted to the mailing list.
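
The rule quoted in this message can be exercised offline before it is installed. The following is an added example, not part of the original post or of polkit: it runs the same logic against a mock `polkit` object (an assumption; the real runtime is polkitd) and tabulates the decision per action id for a member and a non-member of "powerenik". The two ids outside the rule's list are included only to show the fall-through case.

```javascript
// Minimal stand-in for the polkitd rule runtime (a mock, not the real thing).
const Result = { YES: "yes", NO: "no", AUTH_ADMIN: "auth_admin" };

// Collects rules the way polkit.addRule() does and returns an evaluator.
function loadRules(rulesFile) {
  const rules = [];
  rulesFile({ Result, addRule: (fn) => rules.push(fn) });
  return function decide(actionId, groups) {
    const subject = { isInGroup: (g) => groups.includes(g) };
    for (const rule of rules) {
      const r = rule({ id: actionId }, subject);
      if (r !== undefined && r !== null) return r; // first answer wins
    }
    return "unhandled"; // left to later rules or the action's .policy defaults
  };
}

// Same logic as the quoted .rules file, with the id list factored out.
const LISTED = ["reboot", "power-off", "suspend", "hibernate"].flatMap((a) => [
  "org.freedesktop.login1." + a,
  "org.freedesktop.login1." + a + "-multiple-sessions",
]);
function quotedRule(polkit) {
  polkit.addRule(function (action, subject) {
    if (LISTED.includes(action.id)) {
      return subject.isInGroup("powerenik") ? polkit.Result.YES : polkit.Result.NO;
    }
  });
}

// Decision table: one row per action id, one column per test user.
function audit(actionIds, users) {
  const decide = loadRules(quotedRule);
  const table = {};
  for (const id of actionIds) {
    table[id] = {};
    for (const [label, groups] of Object.entries(users)) {
      table[id][label] = decide(id, groups);
    }
  }
  return table;
}

// Constructed sample: the listed ids plus two ids outside the list.
// On a real machine, take the full set from `pkaction`.
const SAMPLE = LISTED.concat([
  "org.freedesktop.login1.halt",
  "org.freedesktop.login1.reboot-ignore-inhibit",
]);
const REPORT = audit(SAMPLE, { member: ["users", "powerenik"], other: ["users"] });
console.table(REPORT);
```

Rows marked "unhandled" are not decided by this rule at all; the result for those actions comes from whatever other rules and policy defaults are installed.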