How to disable shutdown/reboot/suspend/hibernate?
User access to these actions are controlled by polkit. In particular, they correspond to the following actions:
org.freedesktop.consolekit.system.stoporg.freedesktop.consolekit.system.restartorg.freedesktop.upower.suspendorg.freedesktop.upower.hibernate
All of these actions are allowed by default for active local users (although consolekit further restricts the first two permissions to only work when there is a single user logged into the system).
If you want to disable these actions create a file /etc/polkit-1/50-local.d/disable-shutdown.pkla containing something like:
[Disable shutdown/whatever]
Identity=unix-user:*
Action=org.freedesktop.consolekit.system.stop;org.freedesktop.consolekit.system.restart;org.freedesktop.upower.suspend;org.freedesktop.upower.hibernate
ResultAny=no
ResultInactive=no
ResultActive=no
This should prevent those actions from completing. More information on these policy files can be found by running man pklocalauthority.
If you are trying to restrict root though, this will only be a minor inconvenience. By definition, root is an unrestricted account according to the traditional UNIX discretionary access control system. If you can't trust users you've given full root access to, then you've got bigger problems than them just shutting down the system.
Note that in later Ubuntu versions somebody decided to break compatibility. As answered in How to disable shutdown/reboot from lightdm in 14.04? the action seems to have changed to "org.freedesktop.login1.reboot" (and the-like).
For example in 14.04 adding the following lines as /etc/polkit-1/localauthority/50-local.d/restrict-login-powermgmt.pkla works:
[Disable lightdm PowerMgmt]
Identity=unix-user:*
Action=org.freedesktop.login1.reboot;org.freedesktop.login1.reboot-multiple-sessions;org.freedesktop.login1.power-off;org.freedesktop.login1.power-off-multiple-sessions;org.freedesktop.login1.suspend;org.freedesktop.login1.suspend-multiple-sessions;org.freedesktop.login1.hibernate;org.freedesktop.login1.hibernate-multiple-sessions
ResultAny=no
ResultInactive=no
ResultActive=no
In addition note that this method block solely reboot/etc commands issued from GUI. To block reboot/etc commands from command line one may use molly-guard - as explained in Disabling shutdown command for all users, even root - consequences?
Consider installing molly-guard.
sudo apt-get install molly-guard
This package will prevent unintended shutdown/reboot/suspend/hibernate by interactively prompting you to enter the hostname of the system.
However, it's trivial to configure molly-guard to completely disable shutdown/reboot/suspend/hibernate. Simply create an executable file at /etc/molly-guard/run.d/99-prevent-all that has this in it:
#!/bin/sh
exit 1
Note it protects only against commands issued from command line, shutdown/reboot/suspend/hibernate issued from GUI is bypassing it. To block also GUI using reboot one may use polkit rules.
WARNING! The commands listed here are dangerous to use. Do not use these except at your own risk!
chmod -x /usr/sbin/pm-suspend
chmod -x /sbin/reboot
chmod -x /sbin/shutdown