HowTo: Prevent Non-Root From Rebooting/Shutting Down The System

Have you experienced a scenario where your users make use of reboot or halt command? Did somebody user just reboot your own server? Do you want to prevent your users from shutting down your linux box or even rebooting it?

Here's a quick entry on how to prevent users from rebooting or shutting down your fedora linux box.

Prevent Non-Root From Using Reboot/Shutdown Commands

In order to avoid non-scheduled downtime of your linux box via reboot/halt/shutdown command usage by non-root users, carefully follow the below three steps

1. Edit /etc/inittab file, find the below line that says

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

and edit the line to look like

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ca::ctrlaltdel:ech0 Reboot/Shutdown is not possible at this time.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

2. Additionally, you can delete,rename, or move the files reboot, poweroff, and halt binary files from /etc/security/console.apps/ directory folder to another binary file names or to a different folder location.

3. Additionally, you can also remove, rename, or change file permissions to these files
/usr/bin/poweroff
/sbin/shutdown
/usr/bin/halt
/usr/bin/reboot

You can also apply these changes to folders where these binary resides, but be careful as some needed binaries are not suid-enabled and cannot be executed specially during boot time that might cause a problem to your setup. Alternatively, the renamed or moved binaries, or aliases can also be set to be immutable at your own discretion.

Take note that when renaming or moving binary files, make sure you remember their new names or command aliases. There are other patch up scenario to avoid users from executing them, but most likely the approach could be the same.

The above scenario are taken without any consideration to selinux settings, sudoers file or jailed ssh user environment or any X-based applications calling those mentioned root binaries.

Goodluck.