[rhelv6-list] how to remove 'shot down' from system menu?

Feldt, Andrew N. afeldt at ou.edu
Wed Oct 5 14:09:02 UTC 2011


Alois,

I do this (in spite of the concerns given by the previous
posters - users are far less likely to push the physical
button, especially if it is on the other side of a panel
and if word gets around that the system manager greatly
frowns on this).  However, my policy kit files are slightly
different from the ones posted at the link that was given.

I create a separate policy kit file for each action and
have (all in /etc/polkit-1/localauthority/50-local.d):

stop.pkla containing

[Normal User Stop Permissions]
Identity=unix-user:*
Action=org.freedesktop.consolekit.system.stop
ResultAny=no
ResultInactive=no
ResultActive=auth_admin

an identical file called restart.pkla which is the
same as the above except that [Ss]top is replaced
with [Rr]estart everywhere.

And, to be complete, I have the power related
files hibernate.pkla and suspend.pkla with:

[Normal User Suspend Permissions]
Identity=unix-user:*
Action=org.freedesktop.devicekit.power.suspend
ResultAny=no
ResultInactive=no
ResultActive=auth_admin

with [Ss]uspend replaced by [Hh]ibernate in its
file.

The 'ResultActive=auth_admin' means that any attempt
to use buttons to power off or restart the system
results in a prompt requiring authentication.  This
also helps to reinforce the idea that normal users
are not supposed to shut down or restart systems.

This has been very successful in a lab full of machines
which are also used in a Condor pool and for remote
login access.  (Remote users get quite grumpy if someone
suddenly shuts down the system they have been editing a
file on for several hours ;-)

The 'pkaction' command is quite useful in finding out
what policies exist and how they are set so that you
can change them in this fashion.

Andy

On Oct 5, 2011, at 8:10 AM, Prentice Bisbal wrote:

> Alois,
> 
> If users have physical access to the systems and can hit the power
> button or unplug the system, I strongly recommend that you leave the
> shutdown option on the start menu. If a user is determined to
> shutdown/reboot a computer, I would much rather they shut it down
> gracefully by using the shutdown command than doing it harshly by
> holding the power button or unplugging the system, which can lead to a
> host of other problems.
> 
> --
> Prentice
> 
> 
> On 10/05/2011 08:49 AM, Horst Severini wrote:
>> Hi Alois,
>> 
>> I'm not sure there is a way to remove that, and I'm not sure it makes too 
>> much sense to look too hard for it, either, since when someone is sitting 
>> right in front of a computer, they can (a) shut it down from the login screen,
>> or (b) press the power button or (c) unplug the power cord, so in my mind
>> it doesn't much matter if you eliminate one way to shut it down when 
>> there are several others you can't eliminate.
>> 
>> Just my 2c,
>> 
>> 	Horst
>> 
>> Alois Treindl <alois at astro.ch> wrote:
>> 
>>> I have recently installed RHEL6 with GNOME desktop.
>>> 
>>> In each user's menu appears under the entry 'System' also the item 'Shut 
>>> down'
>>> 
>>> I would like to remove this item for all users except root.
>>> In fact normal users can use this link to shut down the system, they are 
>>> not asked for root password. I do not know how this can happen?
>>> Where can I at least configure that they are asked the root password for 
>>> shutdown?
>>> 
> 
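A checker for .pkla entries like the ones in the message above, added here as an example and not part of the original thread. The function name, the findings format and the second sample entry are constructed; key names and result values follow pklocalauthority(8), and Python's fnmatch is used as an approximation of polkit's glob matching.

```python
import configparser
from fnmatch import fnmatchcase

KEYS = {"Identity", "Action", "ResultAny", "ResultInactive", "ResultActive", "ReturnValue"}
VALID = {"no", "auth_self", "auth_self_keep", "auth_admin", "auth_admin_keep", "yes"}
ADMIN_ONLY = {"no", "auth_admin", "auth_admin_keep"}
ACTIONS = [f"org.freedesktop.consolekit.system.{a}" for a in ("stop", "restart")]
ACTIONS += [f"org.freedesktop.devicekit.power.{a}" for a in ("suspend", "hibernate")]

def audit_pkla(text, actions=ACTIONS):
    """Return (where, problem) tuples for the text of one .pkla file."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # key names are case-sensitive; keep them as written
    cp.read_string(text)
    findings, covered = [], set()
    for name in cp.sections():
        entry = cp[name]
        # A misspelled key is ignored by the parser here and reported instead.
        findings += [(name, f"unknown key {k}") for k in entry if k not in KEYS]
        globs = [g for g in entry.get("Action", "").split(";") if g]
        hits = [a for a in actions if any(fnmatchcase(a, g) for g in globs)]
        covered.update(hits)
        if not hits:
            continue
        for key in ("ResultAny", "ResultInactive", "ResultActive"):
            value = entry.get(key)
            if value is None:
                findings.append((name, f"{key} not set"))
            elif value not in VALID:
                findings.append((name, f"{key}={value} is not a valid result"))
            elif value not in ADMIN_ONLY:
                findings.append((name, f"{key}={value} does not require an administrator"))
    findings += [(a, "no entry in this file") for a in actions if a not in covered]
    return findings

# Constructed sample: the stop entry as posted, then a made-up entry with mistakes.
SAMPLE = """\
[Normal User Stop Permissions]
Identity=unix-user:*
Action=org.freedesktop.consolekit.system.stop
ResultAny=no
ResultInactive=no
ResultActive=auth_admin
[Constructed Entry With Mistakes]
Identity=unix-user:*
Action=org.freedesktop.devicekit.power.*
ResultAny=yes
ResultActiv=auth_admin
"""
```

Calling `audit_pkla(SAMPLE)` reports the misspelled key, the permissive `ResultAny`, the two unset results and the missing restart entry; the posted stop entry produces no findings.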