reboot Featured

Tech Scroll 131 — Guarding Against Accidental Reboots

There are moments in technical work where a single command carries more weight than it appears.

AKADATA

4 min read
Tech Scroll 131 — Guarding Against Accidental Reboots
EB1 - holding a REBOOT Warning Sign.

“The prudent see danger and take refuge, but the simple keep going and pay the penalty.” — Proverbs 22:3

A terminal open to the wrong pane. A mouse that shifts focus without warning. A command entered with full intent, however in the wrong place. And suddenly, a remote system disappears.

The cost is not only time. It is disruption, broken state, lost sessions, and sometimes lost trust in the system itself.

This scroll presents a simple, controlled, and effective way to guard against accidental system shutdowns and reboots, without breaking the system, without modifying package-managed binaries, and without introducing unnecessary complexity.

The Problem

On modern Linux systems, commands such as shutdown, reboot, and poweroff are typically thin wrappers around systemctl.

For example:

which shutdown
/usr/bin/shutdown

ls -la /usr/bin/shutdown
lrwxrwxrwx 1 root root 9 Mar 23 13:30 /usr/bin/shutdown -> systemctl

This means that multiple entry points ultimately invoke the same underlying action.

The danger lies here:

  • A command typed in the wrong terminal
  • A focus shift between panes
  • A remote session instead of a local one

And the system is gone.

The Principle

Rather than modifying system binaries, the correct approach is:

  • Leave /usr/bin untouched (package-managed)
  • Override behaviour using /usr/local/bin
  • Intercept only dangerous commands
  • Require explicit confirmation before execution

This preserves system integrity while introducing a deliberate pause before destructive actions.

Why /usr/local/bin

On most Linux systems, the $PATH is ordered such that:

/usr/local/bin
/usr/bin

This means that when a command is executed, the system will search /usr/local/bin first.

So placing a wrapper in /usr/local/bin allows control of behaviour without modifying the original binary.

Verification:

echo "$PATH"
type -a shutdown

Expected output:

shutdown is /usr/local/bin/shutdown
shutdown is /usr/bin/shutdown

Step 1 — Restore System Integrity

If any system binaries were moved, restore them.

sudo ln -sf systemctl /usr/bin/shutdown

This ensures package expectations remain correct.

Step 2 — Create a Guarded shutdown

sudo vim /usr/local/bin/shutdown

#!/bin/sh

printf 'Are you really sure you want to shutdown? Type yes: '
read ans

if [ "$ans" = "yes" ]; then
    exec /usr/bin/systemctl poweroff "$@"
fi

printf 'Shutdown cancelled.\n'
exit 1

Make executable:

sudo chmod 755 /usr/local/bin/shutdown

Step 3 — Create a Guarded reboot

sudo vim /usr/local/bin/reboot

#!/bin/sh

printf 'Are you really sure you want to reboot? Type yes: '
read ans

if [ "$ans" = "yes" ]; then
    exec /usr/bin/systemctl reboot "$@"
fi

printf 'Reboot cancelled.\n'
exit 1

sudo chmod 755 /usr/local/bin/reboot

Step 4 — Create a Guarded poweroff

sudo vim /usr/local/bin/poweroff

#!/bin/sh

printf 'Are you really sure you want to power off? Type yes: '
read ans

if [ "$ans" = "yes" ]; then
    exec /usr/bin/systemctl poweroff "$@"
fi

printf 'Poweroff cancelled.\n'
exit 1

sudo chmod 755 /usr/local/bin/poweroff

Step 5 — Guard systemctl Itself

Even with the above, direct use of systemctl can bypass protection.

So intercept only destructive subcommands.

sudo vim /usr/local/bin/systemctl

#!/bin/sh

cmd="$1"

case "$cmd" in
    reboot|poweroff|halt|kexec|soft-reboot)
        printf 'systemctl %s requested. Type yes to continue: ' "$cmd"
        read ans

        if [ "$ans" = "yes" ]; then
            exec /usr/bin/systemctl "$@"
        fi

        printf 'Cancelled.\n'
        exit 1
        ;;
    *)
        exec /usr/bin/systemctl "$@"
        ;;
esac

sudo chmod 755 /usr/local/bin/systemctl

Step 6 — Reload Shell Command Cache

hash -r

Verification

type -a shutdown
type -a systemctl

Test:

shutdown
reboot
systemctl reboot

Expected behaviour:

  • Prompt appears
  • No action taken unless explicitly confirmed

How this matters when uptime is king?

This approach introduces a deliberate pause between intent and action.

That pause is enough to prevent:

  • Accidental reboots of remote systems
  • Loss of SSH sessions
  • Interruptions to services and workloads
  • Unplanned downtime

It is not complexity. It is restraint.

When This Becomes Essential

This protection becomes valuable when:

  • Working across multiple SSH sessions
  • Using split terminal panes
  • Managing production systems
  • Operating over unstable focus environments
  • Running commands as root

A Further Strengthening

Instead of yes, require a stronger confirmation.

Example:

printf 'Type REBOOT to confirm: '

or even:

hostname=$(hostname)
printf 'Type %s to confirm reboot: ' "$hostname"

This removes accidental confirmations entirely.

Controlled Automation

That may be desirable, however for controlled automation a bypass flag can be added:

if [[ "$1" == "--force" ]]; then
    exec /usr/bin/systemctl "${@:2}"
fi

So:

systemctl --force reboot

remains available for trusted automation.

Preserve exit codes properly

Make sure the wrapper ends with:

exec /usr/bin/systemctl "$@"

Intentional Confirmation — Second Word Gate

Before executing any critical action (example: !reboot, destructive ops, reset paths), perform a second confirmation using a randomly selected word from the list below.

This slows the action, introduces intent, and forces awareness.

Process

  1. Type: yes
  2. System presents a random word from the list
  3. Read the word carefully
  4. Re-type the exact word to proceed

Only then is the action accepted.

Word List (20)

  • doh, banana, pickle, wobble, snorkel, flapjack, pudding, zigzag, boing, noodle, biscuit, splat, quack, muffin, oopsie, wiggle, jellybean, bonkers, plonker, tiddlywink

Notes

  • Words are intentionally light, slightly absurd, and attention-grabbing
  • This prevents muscle-memory confirmation
  • The brain must engage before proceeding

Example

> !reboot
CONFIRM: type yes
> yes
CONFIRM WORD: snorkel
> snorkel
EXECUTING...

Optional Extension

  • Rotate word list daily
  • Increase list to 50+ words
  • Add mismatch penalty (reset confirmation flow)

This acts as belt-and-braces protection for any high-impact operation.

Example Script — Random Word Confirmation Wrapper

#!/bin/sh

WORDS="doh banana pickle wobble snorkel flapjack pudding zigzag boing noodle biscuit splat quack muffin oopsie wiggle jellybean bonkers plonker tiddlywink"

printf 'Type yes to continue: '
read ans

if [ "$ans" != "yes" ]; then
    printf 'Cancelled.
'
    exit 1
fi

count=$(printf '%s
' $WORDS | wc -l)
index=$(( ($(date +%s) + $$) % count + 1 ))
word=$(printf '%s
' $WORDS | sed -n "${index}p")

printf 'Type this word to confirm: %s
> ' "$word"
read confirm

if [ "$confirm" != "$word" ]; then
    printf 'Wrong word. Cancelled.
'
    exit 1
fi

printf 'Confirmed. Executing protected command...
'
exec "$@"

How To Use The Script

Save it as:

/usr/local/bin/confirm-word

Make it executable:

sudo chmod 755 /usr/local/bin/confirm-word

Then use it to protect dangerous commands.

Example:

confirm-word /usr/bin/systemctl reboot

or:

confirm-word /usr/bin/systemctl poweroff

or inside another wrapper:

#!/bin/sh
exec /usr/local/bin/confirm-word /usr/bin/systemctl reboot "$@"

This allows the same confirmation engine to be reused for reboot, shutdown, flashing, wiping, service restarts, or any other command that deserves a second deliberate pause.

Closing

The system does exactly what it is told. There is no hesitation, no question, no pause.
So the pause must be introduced deliberately. Not after failure. Before it.