Join Log in
Score:0
Liwinux avatar Ubuntu

always ask for sudo password when rebooting/shutdown the system

es flag
Liwinux

So,

I noticed that on manjaro, if there is only one user, typing reboot without sudo, will just fail and ask for the sudo password, whereas on ubuntu server, typing this doesn't ask for the sudo password and successfully reboot the system. My question is how can I make it so that when I type reboot/shutdown/halt, ubuntu always asks for the sudo password even if there is only one user currently logged in ? May this have to do with polkit ? If so, how can I change this ?

The reason I'm asking this, is that I want to be sure that everyone that could have physical access to my server won't be able to reboot (unless of course by unplugging the power cable which is something different lol)

Thank you

45
0 + 0
Score:2
avatar Ubuntu
in flag
matigo

One of the ways that I've done this is by masking the systemd targets, which prevents certain actions from being performed, regardless of who enters the command. For example, to prevent the system from being shutdown, you can do this:

sudo systemctl mask poweroff.target

Now any attempt to shutdown the system via sudo shutdown or sudo systemctl shutdown will silently fail. The same can be done with halting and reboots:

sudo systemctl mask runlevel0.target
sudo systemctl mask halt.target
sudo systemctl mask runlevel6.target
sudo systemctl mask reboot.target

Note: runlevel6 is equivalent to reboot, and runlevel0 is equivalent to shutdown and halt.

To undo this, these commands can be run again, but with unmask:

sudo systemctl unmask runlevel0.target
sudo systemctl unmask shutdown.target
sudo systemctl unmask halt.target
sudo systemctl unmask runlevel6.target
sudo systemctl unmask reboot.target

With this in mind, now you can write a script that is executable only for people with sudo access:

#!/bin/bash

## Determine the operation to run (mask | unmask)
op=mask

if [[ $1 = unmask ]]
then
        op=unmask
fi

## Set the targets we want to mask
declare -a arr=("runlevel0" "runlevel6" "shutdown" "reboot" "halt")

## Run the commands
for i in "${arr[@]}"
do
        cmd=$( sudo systemctl $op $i.target )
        echo "$i :: $op"
done

WARNING: This code will work, but it's pretty rough. Be sure to sanity check it with a VM or somewhere "safe" before running it on a production box.

Now you can have this script run to mask the targets after booting up, and shutdown/reboot like this:

sudo ~./setTargetMask.sh unmask
sudo shutdown now

Note: Feel free to call the script whatever you'd like.

0 + 0
Liwinux avatar
es flag
Liwinux
That’s definitely one way I couldn’t think of on my own, thank you for this, it’s a lot easier ! One thing I’ve discovered is that with a system naked (that means no desktop environment) the only way to perform maintenance is by using Sudo, whereas a system that has for example xfce installed, will not require any sudo command. I think it’s because xfce ( or whatever DE) has to install the policykit package in order to have the restart/shutdown button working without system privileges but this applies to the whole system. Correct me if I’m wrong !
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.