Non-Root Ubuntu Shutdown
It may at first seem rather daft that you must become root before you can shutdown you PC, but it does make sense. Linux is designed as a multi-user system, just think of any web site you’ve ever visited. Many different people can be accessing the same site at the same time and that’s to say nothing for the other people hosting their site on the same machine. Could you imagine the chaos that would result if any one of those users were able to turn that machine off at will? You may still be thinking “ye, but they could pull the power” but, they couldn’t, the users I am referring to have no physical access to the machines in question so securing the shutdown commands in this way is still highly effective.
In my research I have come across a couple of different methods to achieving the goal of non-root shutdown. The /etc/shutdown.allow file is a common option, however it fails the ‘usability’ test for me as it requires a number of other steps and relies on keyboard shortcuts to be correctly configured and not intercepted by other process. Because of that I have decided to go with the sudo method as my recommended choice.
The SUDO Method
In-order for user of the ‘shutdown’ group to turn off the machine we must create the group ‘shutdown’. So run this command, prefixing it with
sudo to make sure it is run as root
[~]$ sudo groupadd shutdown
Next we need to start adding people to our new
shutdown group. This command will do the job, just replace username with your username.
[~]$ sudo useradd -G shutdown username
[~]$ sudo usermod -a -G shutdown shutdown username
Anyone you add to this group will be able to shutdown your computer, even when they’re not sitting at it so be selective in your choices. The next thing we need to do is give the
shutdown group permission to invoke the command for shutting down or rebooting. In Linux these command are
/sbin/halt so now run the
visudo command and add the following lines.
[~]$ sudo visudo %shutdown ALL=(root) NOPASSWD: /sbin/shutdown %shutdown ALL=(root) NOPASSWD: /sbin/reboot %shutdown ALL=(root) NOPASSWD: /sbin/halt
That’s you done. Now anyone in the
shutdown group can now run
sudo shutdown as if they were root and shutdown the computer.
The Next Step?
At this point you may have notice that users still have to prefix the shutdown command with sudo. I personally like this as it reduced the risk of typo etc.. but I know for some (or most) its still a pain, so we can remove it.
What we need to do is create a script in
/usr/local/bin/shutdown which prepends the sudo command for us.
[~]$ sudo nano -w /usr/local/bin/shutdown #!/bin/bash sudo /sbin/shutdown $*
Now just make the script executable and, for a little extra protection, change its ownership to out new shutdown group
[~]$ sudo chgrp shutdown /usr/local/bin/shutdown [~]$ sudo chmod 750 /usr/local/bin/shutdown