Re: Prevent shutdown with systemctl

[Gary Dale <garydale@torfree.net>]

On 04/01/16 03:19 PM, Stuart Longland wrote:
> On 05/01/16 03:14, tomas@tuxteam.de wrote:
> > On Mon, Jan 04, 2016 at 12:16:03PM -0500, Gary Dale wrote:
> > > On 04/01/16 10:55 AM, Floris wrote:
> > > > Dear list,
> > > >
> > > > Often there are multiple users working on my multiseat [1] system,
> > > > some of them are kids and they are not paying attention if someone
> > > > else is logged in. They can shutdown the computer even if someone
> > > > else is logged in and have an active session.
> > > >
> > > > Is it possible that only root can shutdown/ reboot the computer if
> > > > multiple users are logged in and when there is only one user that
> > > > user is able to shutdown the computer?
> > > >
> > > > Thanks,
> > > >
> > > > Floris
> > > >
> > > > [1] https://en.wikipedia.org/wiki/Multiseat_configuration
> > > /sbin/reboot is a link that allows anyone to execute it. It points
> > > to /bin/systemctl that also allows anyone to execute it. The first
> > > part of your problem can be solved simply with fixing the
> > > permissions for reboot, shutdown & poweroff.
> > Dunno about systemctl, but FWIW you can't change the permissions of
> > a symlink. It's always "all on".
> Changing the permissions of the "linked-to" file would be sufficient then.
Possibly but I note that systemctl is owned by root:root so that typical 
users can't execute it anyway. They get execute rights from the links. 
Systemctl seems to figure out what to do based on the link that calls it 
and the current system policy.

Replacing the symlinks with hardlinks might work providing that /bin and 
/sbin are on the same devices, which they usually are.