preventing users from halt/shutdown

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View
Greetings -

RHEL 4 box - multiple users. I'd like to limit the shutdown option to
root only (I suppose for obvious reasons). I need to be able to limit
this both from the gdm, and the command line (if the user ssh's into
the machine).

What I though about doing (based on some stuff I gleaned from the web)

   1. In the file /etc/X11/gdm/gdm.conf , changing the line that




This should, in theory, prevent some options appearing in the gdm.

   2. In the file /etc/inittab, change the line that reads :

          ca:ctrlaltdel:/sbin/shutdown -t3 -r now


          ca:ctrlaltdel:echo "You are not authorized to turn off the

OK - for all, or some users?

   3. In the directory /etc/security/console.apps/, delete the file
reboot, poweroff and halt.

Not sure what this does...

   4. Remove the file /usr/bin/poweroff

Can anyone comment on the above, and suggest pros/cons/alternatives?

Again, I need to limit access to shutdown both for folks logging in
physically at the machine, and remotely via ssh login.


Re: preventing users from halt/shutdown writes:

Quoted text here. Click to load it

?? Users cannot run halt, reboot or shutdown now I would assume.
chmod o-x /sbin/

On Mandriva there are also programs with these names in /usr/bin and
 are all links to consolehelper, which allows you to
control who can run them via pam, and other things..

Quoted text here. Click to load it

While this may be a problem it is ONLY one for people sitting at the
console. They cannot alt-ctrl-del remotely. Or you could have it run a
little script which checks to see if root is logged on before shutting

Quoted text here. Click to load it

I have no idea how remote people could run it anyway.

Quoted text here. Click to load it

Re: preventing users from halt/shutdown wrote:
Quoted text here. Click to load it

You've stated two different sets of requirements. Which is correct?

Re: preventing users from halt/shutdown

Chris Davies wrote:
Quoted text here. Click to load it

How do you intend on preventing a local user from physically "pulling
the plug" anyway?

Disconnecting power/reset buttons, wouldn't even prevent that scenario.


Re: preventing users from halt/shutdown

Quoted text here. Click to load it

Reminds me:  Back in the mid-1990s, I helped build a Linux-based
Internet cafe in San Francisco, "The CoffeeNet", which operated for some
years before being the victim of real estate intrigues.  Users
performing unpleasant (or merely damn-fool) tricks on the workstations
was a significant concern.  Therefore, at first, we had the "ca" line in
/etc/inittab mapped to some no-op command, rather than to shutdown.

However, we discovered that a certain number of people are just bound
and determined to reset the machine; if you prevent them from doing it
gracefully with Ctrl-Alt-Del, they'll go for the power connector

Especially since this was in the days before journaled filesystems on
Linux, letting them do reboots was very much the lesser evil.  (No,
these workstations did not have to serve multiple simultaneous users,
and they were connected to a NFS/NIS master in a physically protected

Site Timeline