Similar questions have been asked about this here but I tried them to no avail. I suspect what used to work in the past have not been working in the latest versions of Ubuntu. I am using Ubuntu Xenial 16.04.
I have tried the following:
1.
pico /etc/polkit-1/50-local.d/disable-shutdown.pkla
Then fill the file with:
[Disable shutdown/restart etc. for users]
Identity=unix-user:a;unix-group:b;
Action=org.freedesktop.login1.reboot;org.freedesktop.login1.reboot-multiple-sessions;org.freedesktop.login1.power-off;org.freedesktop.login1.power-off-multiple-sessions;org.freedesktop.consolekit.system.stop;org.freedesktop.consolekit.system.restart;org.freedesktop.upower.suspend;org.freedesktop.upower.hibernate;org.freedesktop.login1.suspend;org.freedesktop.login1.suspend-multiple-sessions;org.freedesktop.login1.hibernate;org.freedesktop.login1.hibernate;org.freedesktop.login1.hibernate-multiple-sessions
ResultAny=no
ResultInactive=no
ResultActive=no
2.
chmod o-x /sbin/shutdown
chmod o-x /sbin/reboot
These methods didn't work for me. I could still reboot the server with a non-root account after entering the password:
sudo reboot
EDIT: With xxx's account:
sudo -l
gives
Matching Defaults entries for xxx on scw-415fa7:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:
/usr/bin\:/sbin\:/bin\:/snap/bin
User xxx may run the following commands on scw-415fa7:
(ALL : ALL) ALL
.
sudo grep xxx /etc/sudoers* -R
gives
/etc/sudoers:xxx ALL=(ALL:ALL) ALL
