Hide Poweroff Menu or Request Password for Shutdown / Restart Ubuntu

Want to protect from accidentally invoking power-off commands, or prevent multi-user or public use computers from being shutdown or restart by non-admin users? This tutorial may help by either hiding the power-off menu or adding password request.

Hide Power-off Menu (for GNOME only)

For Ubuntu and other Linux with GNOME desktop, there’s an extension can do the job by hiding action buttons from top-right system menu (aka Quick Settings).

First, search & install “Extension Manager” (filtered by Debian package) from App Center (or Ubuntu Software for 22.04 and earlier).

Then, launch the tool and navigate to Browse tab. Finally, search and click install Bring Out Submenu Of Power Off Button extension. It so far supports GNOME from v3.36 to 48.

As the name says, the extension is designed to bring out power-off sub-menu options, which also has toggle options to hide actions that you don’t want.

Also in Extension Manager, switch back to Installed tab, and click on gear icon for the newly installed extension. In the pop-up preferences dialog, turn on the options to hide what you want!

For other Linux with GNOME, go to this page and turn on the toggle after installed the browser extension (if it prompts to).

Enable Password Request for Power-off / Reboot Actions

For most Linux, there’s built-in polkit (formerly PolicyKit) tool available to control system-wide privileges. By adding polkit rules, you can control permissions for many system actions.

NOTE: for Ubuntu 22.04 and earlier, scroll down and use the old method!

1. First, press Ctrl+Alt+T on keyboard to open terminal. When it opens, run command to add a custom polkit configuration file then edit via nano:

sudo nano /etc/polkit-1/rules.d/10-power-off.rules

Here I use nano command line text editor that works in most Linux.

2. When it opens, copy and paste the lines below:

polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.login1.power-off" ||
        action.id == "org.freedesktop.login1.power-off-ignore-inhibit" ||
        action.id == "org.freedesktop.login1.power-off-multiple-sessions")
    {
        return polkit.Result.AUTH_ADMIN;
    }
});

The lines above added a rule when any user trying to do any one of the following actions (“||” means OR):

org.freedesktop.login1.power-off – power off.
org.freedesktop.login1.power-off-ignore-inhibit – power off when an app is inhibiting this action.
org.freedesktop.login1.power-off-multiple-sessions – power off when other users are logged in.

Return AUTH_ADMIN meaning authenticate with admin user password. For choice, you may replace it with:

NO – refuse to do the actions, though user may run the actions by using sudo command in terminal.
AUTH_SELF – authenticate with the password of user who trying to do the action.

3. The rules above only work for power-off actions in different scenarios.

For reboot actions, add following IDs in the files above:

org.freedesktop.login1.reboot
org.freedesktop.login1.reboot-multiple-sessions
org.freedesktop.login1.reboot-ignore-inhibit
org.freedesktop.login1.set-reboot-parameter
org.freedesktop.login1.set-reboot-to-firmware-setup
org.freedesktop.login1.set-reboot-to-boot-loader-menu
org.freedesktop.login1.set-reboot-to-boot-loader-entry

So the file content will be:

polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.login1.power-off" ||
        action.id == "org.freedesktop.login1.power-off-ignore-inhibit" ||
        action.id == "org.freedesktop.login1.power-off-multiple-sessions" ||
        action.id == "org.freedesktop.login1.reboot" ||
        action.id == "org.freedesktop.login1.reboot-multiple-sessions" ||
        action.id == "org.freedesktop.login1.reboot-ignore-inhibit" ||
        action.id == "org.freedesktop.login1.set-reboot-parameter" ||
        action.id == "org.freedesktop.login1.set-reboot-to-firmware-setup" ||
        action.id == "org.freedesktop.login1.set-reboot-to-boot-loader-menu" ||
        action.id == "org.freedesktop.login1.set-reboot-to-boot-loader-entry")
    {
        return polkit.Result.AUTH_ADMIN;
    }
});

NOTE: Here you need to add all the 7 action IDs, or this polkit rule for reboot will NOT work!!!

According to the org.freedesktop.login1.policy file under /usr/share/polkit-1/actions and this document, if any of the meta-action is authorized, then the reboot action is also authorized.

4. If you want to also request password when trying to suspend computer, then adding following IDs:

org.freedesktop.login1.suspend
org.freedesktop.login1.suspend-ignore-inhibit
org.freedesktop.login1.suspend-multiple-sessions

So the file content will be:

polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.login1.power-off" ||
        action.id == "org.freedesktop.login1.power-off-ignore-inhibit" ||
        action.id == "org.freedesktop.login1.power-off-multiple-sessions" ||
        action.id == "org.freedesktop.login1.reboot" ||
        action.id == "org.freedesktop.login1.reboot-multiple-sessions" ||
        action.id == "org.freedesktop.login1.reboot-ignore-inhibit" ||
        action.id == "org.freedesktop.login1.set-reboot-parameter" ||
        action.id == "org.freedesktop.login1.set-reboot-to-firmware-setup" ||
        action.id == "org.freedesktop.login1.set-reboot-to-boot-loader-menu" ||
        action.id == "org.freedesktop.login1.set-reboot-to-boot-loader-entry" ||
        action.id == "org.freedesktop.login1.suspend" ||
        action.id == "org.freedesktop.login1.suspend-ignore-inhibit" ||
        action.id == "org.freedesktop.login1.suspend-multiple-sessions")
    {
        return polkit.Result.AUTH_ADMIN;
    }
});

5. For choice, you can set the rules for certain users only (replace xxx.xxx.xxx.xxx accordingly):

polkit.addRule(function(action, subject) {
    if ((action.id == "xxx.xxx.xxx.xxx" ||
        action.id == "xxx.xxx.xxx.xxx" ||
        ...
        ...
        action.id == "xxx.xxx.xxx.xxx") &&
        && subject.isInGroup("ji"))
    {
        return polkit.Result.AUTH_ADMIN;
    }
});

Here it means when user ji or user in group ji is trying to do any of the actions, then authenticate with admin password.

When done editing the file, press Ctrl+S to save, and Ctrl+X to exit! And, the change should apply immediately!

NOTE: The steps above work for Ubuntu 24.04 and higher with recent polikit library. For old Ubuntu 22.04 and 20.04, try the steps below instead.

First, run command to create a rule and edit it:

sudo nano -l /etc/polkit-1/localauthority/50-local.d/com.ubuntu.enable-hibernate.pkla

When file opens, add the following lines, to request password for shutdown and reboot action:

[Request Password when power-off]
Identity=unix-user:*
Action=org.freedesktop.login1.power-off;org.freedesktop.login1.power-off-ignore-inhibit;org.freedesktop.login1.power-off-multiple-sessions;org.freedesktop.login1.reboot;org.freedesktop.login1.reboot-multiple-sessions;org.freedesktop.login1.reboot-ignore-inhibit;org.freedesktop.login1.set-reboot-parameter;org.freedesktop.login1.set-reboot-to-firmware-setup;org.freedesktop.login1.set-reboot-to-boot-loader-menu;org.freedesktop.login1.set-reboot-to-boot-loader-entry;org.freedesktop.login1.suspend;org.freedesktop.login1.suspend-ignore-inhibit;org.freedesktop.login1.suspend-multiple-sessions
ResultActive=auth_admin

Here, I added all the action scenarios in single “Action” line. Press Alt+S to break the long line. And, use Ctrl+S to save, Ctrl+X to exit.