Is there a way to allow a non root user to reboot the system? We try to reboot from our program with C++:
#include <sys/reboot.h>
/* returns -1 with errno set to EPERM when the caller lacks the required privilege */
reboot(RB_AUTOBOOT);
Works with root as running user, but not with a custom created user. Also, we cannot reboot from the command line with our custom created user (“-sh: reboot: command not found”), but the command definitely exists and works as expected, when called by root.
We already tried adding our user to the groups “shutdown” and “wheel”.
Any ideas? I’m pretty sure I just missed some rights…
Hi
According to the man page you must be the superuser for the libc call to reboot to succeed.
The reboot command line tool is stored in /sbin/reboot on our image and is thus likely not in the PATH of your user. Maybe there are other hurdles.
On our systemd based image reboot is a symlink to the systemctl binary from systemd, which provides the power services on a systemd system.
Max
Thank you for your fast response!
I definitely should learn to read in greater detail - I was already on the man page, I must have overlooked it…
Traditionally rebooting required super user, however, nowadays the kernel can split privileges much more fine-grained through capabilities(7). Capabilities are per process; your process needs CAP_SYS_BOOT to do a reboot syscall.
Now, how to get this capability is a bit more involved. I think traditionally you need to execute the process via root to have all capabilities and then drop the capabilities you don’t need. Luckily systemd has built-in capabilities support. If you start your process using systemd you can use CapabilityBoundingSet to give your process the CAP_SYS_BOOT capability (see the systemd.exec help page).
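As an added example (not code from the thread or from any of the posters), the following C program shows the check a helper should do before calling reboot(2): read the CapEff line from /proc/self/status and only proceed when CAP_SYS_BOOT (capability number 22 in linux/capability.h) is present in the effective set. The systemd unit fragment in the leading comment is an assumption for illustration (the user name appuser and the path /usr/bin/reboot-helper are hypothetical). One caveat worth knowing: for a service that runs as a non-root User=, CapabilityBoundingSet= only limits which capabilities the process may retain; it is AmbientCapabilities= that actually grants CAP_SYS_BOOT to the unprivileged service process, so the unit lists both.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/reboot.h>

/* Assumed systemd unit granting the capability to a non-root service user
 * (hypothetical unit contents, not from the thread):
 *
 *   [Service]
 *   User=appuser
 *   AmbientCapabilities=CAP_SYS_BOOT
 *   CapabilityBoundingSet=CAP_SYS_BOOT
 *   ExecStart=/usr/bin/reboot-helper
 */

#define CAP_SYS_BOOT_BIT 22   /* bit index of CAP_SYS_BOOT in the capability mask */

/* Parse the hexadecimal CapEff mask out of /proc/<pid>/status text.
 * Returns 1 and stores the mask on success, 0 if no CapEff line is present. */
int parse_cap_eff(const char *status_text, uint64_t *mask_out) {
    const char *line = status_text;
    while (line && *line) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            /* strtoull skips the tab after the colon and parses the hex digits */
            *mask_out = strtoull(line + 7, NULL, 16);
            return 1;
        }
        line = strchr(line, '\n');
        if (line) line++;
    }
    return 0;
}

/* 1 if the mask contains CAP_SYS_BOOT, else 0. */
int mask_has_sys_boot(uint64_t mask) {
    return (int)((mask >> CAP_SYS_BOOT_BIT) & 1ULL);
}

/* Read the live /proc/self/status and report whether reboot(2) would be
 * permitted for this process: 1 = yes, 0 = no, -1 = could not determine. */
int process_has_sys_boot(void) {
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    uint64_t mask;
    if (!parse_cap_eff(buf, &mask)) return -1;
    return mask_has_sys_boot(mask);
}

int main(void) {
    if (process_has_sys_boot() != 1) {
        fprintf(stderr, "CAP_SYS_BOOT not in effective set; refusing to call reboot(2)\n");
        return 1;
    }
    sync();                     /* flush dirty pages before the kernel restarts */
    if (reboot(RB_AUTOBOOT) < 0) {
        perror("reboot");       /* EPERM here means the capability was not granted */
        return 1;
    }
    return 0;
}
```

Run as the service user without the unit's AmbientCapabilities= line, the helper refuses and exits 1; with the line in place, CapEff shows bit 22 set and reboot(2) is allowed. Checking the effective set up front gives a clear log message instead of a bare EPERM, which is also the line to watch when auditing which units are permitted to restart the device.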