Disable Power Options of Linux Server Apr 11th 2020 Words: 882
This post is created 2 years ago, the content may be outdated.

Background

In my case an unattended Linux server is running some service at my office. I want to disable the shutdown function to prevent accidental operation, since the only way to turn the machine back on is to drive to the office and push the power button.

Disable command

To prevent dangerous command be executed by some sudoer:

sudo visudo

1
2
3
4
5
6
7
8
9
10
11
# Cmnd alias specification
Cmnd_Alias      DISABLED = /sbin/shutdown,/sbin/halt,/sbin/poweroff

# User privilege specification
root    ALL=(ALL:ALL) ALL, !DISABLED

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL, !DISABLED

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL, !DISABLED

Disable button in session panel

Here’s the doc for Polkit actions

For each of these settings the following options are available:

no: The user is not authorized to carry out the action. There is therefore no need for authentication.
yes: The user is authorized to carry out the action without any authentication.
auth_self__: Authentication is required but the user need not be an administrative user.
__auth_admin: Authentication as an administrative user is required.
auth_self_keep: The same as auth_self but, like sudo, the authorization lasts a few minutes.
auth_admin_keep: The same as auth_admin but, like sudo, the authorization lasts a few minutes.

sudo nano /usr/share/polkit-1/actions/org.freedesktop.login1.policy

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
<action id="org.freedesktop.login1.power-off">
                <description gettext-domain="systemd">Power off the system</description>
                <message gettext-domain="systemd">Authentication is required for powering off the system.</message>
                <defaults>
                        <allow_any>no</allow_any>
                        <allow_inactive>no</allow_inactive>
                        <allow_active>no</allow_active>
                </defaults>
                <annotate key="org.freedesktop.policykit.imply">org.freedesktop.login1.set-wall-message</annotate>
        </action>

        <action id="org.freedesktop.login1.power-off-multiple-sessions">
                <description gettext-domain="systemd">Power off the system while other users are logged in</description>
                <message gettext-domain="systemd">Authentication is required for powering off the system while other users are logged in.</message>
                <defaults>
                        <allow_any>no</allow_any>
                        <allow_inactive>no</allow_inactive>
                        <allow_active>no</allow_active>
                </defaults>
                <annotate key="org.freedesktop.policykit.imply">org.freedesktop.login1.power-off</annotate>
        </action>
    
        <action id="org.freedesktop.login1.suspend">
                <description gettext-domain="systemd">Suspend the system</description>
                <message gettext-domain="systemd">Authentication is required for suspending the system.</message>
                <defaults>
                        <allow_any>no</allow_any>
                        <allow_inactive>no</allow_inactive>
                        <allow_active>no</allow_active>
                </defaults>
        </action>
    
        <action id="org.freedesktop.login1.suspend-multiple-sessions">
                <description gettext-domain="systemd">Suspend the system while other users are logged in</description>
                <message gettext-domain="systemd">Authentication is required for suspending the system while other users are logged in.</message>
                <defaults>
                        <allow_any>no</allow_any>
                        <allow_inactive>no</allow_inactive>
                        <allow_active>no</allow_active>
                </defaults>
                <annotate key="org.freedesktop.policykit.imply">org.freedesktop.login1.suspend</annotate>
        </action>
    
        <action id="org.freedesktop.login1.hibernate">
                <description gettext-domain="systemd">Hibernate the system</description>
                <message gettext-domain="systemd">Authentication is required for hibernating the system.</message>
                <defaults>
                        <allow_any>no</allow_any>
                        <allow_inactive>no</allow_inactive>
                        <allow_active>no</allow_active>
                </defaults>
        </action>
    
        <action id="org.freedesktop.login1.hibernate-multiple-sessions">
                <description gettext-domain="systemd">Hibernate the system while other users are logged in</description>
                <message gettext-domain="systemd">Authentication is required for hibernating the system while other users are logged in.</message>
                <defaults>
                        <allow_any>no</allow_any>
                        <allow_inactive>no</allow_inactive>
                        <allow_active>no</allow_active>
                </defaults>
                <annotate key="org.freedesktop.policykit.imply">org.freedesktop.login1.hibernate</annotate>
        </action>

I’m using xfce so I also modified this file:

sudo nano /usr/share/polkit-1/actions/org.xfce.power.policy

1
2
3
4
5
6
7
8
9
10
<action id="org.xfce.power.xfce4-pm-helper">
    <description>Suspend or hibernate the system</description>
    <message>Authentication is required to place the system in suspend or hibernate mode</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>no</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/sbin/xfce4-pm-helper</annotate>
  </action>