Re: Prevent shutdown with systemctl

[Gary Dale <garydale@torfree.net>]

On 04/01/16 12:14 PM, tomas@tuxteam.de wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Mon, Jan 04, 2016 at 12:16:03PM -0500, Gary Dale wrote:
> > On 04/01/16 10:55 AM, Floris wrote:
> > > Dear list,
> > >
> > > Often there are multiple users working on my multiseat [1] system,
> > > some of them are kids and they are not paying attention if someone
> > > else is logged in. They can shutdown the computer even if someone
> > > else is logged in and have an active session.
> > >
> > > Is it possible that only root can shutdown/ reboot the computer if
> > > multiple users are logged in and when there is only one user that
> > > user is able to shutdown the computer?
> > >
> > > Thanks,
> > >
> > > Floris
> > >
> > > [1] https://en.wikipedia.org/wiki/Multiseat_configuration
> > /sbin/reboot is a link that allows anyone to execute it. It points
> > to /bin/systemctl that also allows anyone to execute it. The first
> > part of your problem can be solved simply with fixing the
> > permissions for reboot, shutdown & poweroff.
> Dunno about systemctl, but FWIW you can't change the permissions of
> a symlink. It's always "all on".
Interesting. Why do they behave that way? Hard links don't (but 
replacing the symlink with a hardlink would fail if /bin & /sbin were on 
different devices. Also, I gather that systemctl looks at how it is 
called to determine the action it needs to take - would that create a 
problem if called from a hard link instead of a symlink?).