Bug 2606 - Default access to shutdown
Summary: Default access to shutdown
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: SysVinit
Version: 6.0
Hardware: i386
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: David Lawrence
QA Contact:
URL:
Whiteboard:
Duplicates: 2714
Depends On:
Blocks:
Reported: 1999-05-06 19:32 UTC by alynch
Modified: 2008-05-01 15:37 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 1999-05-06 20:47:05 UTC
Embargoed:


Description alynch 1999-05-06 19:32:17 UTC
By default, any user (remote or local) can shut down the
system using "shutdown -h now". Seems to override PAM...

Comment 1 Jeff Johnson 1999-05-06 20:10:59 UTC
Not true. I just tried on i386 Red Hat 6.0.

Comment 2 alynch 1999-05-06 20:14:59 UTC
I've done it on 2 separate RH 6.0 boxen. When I'm remote, and have my
display set to the local root window, I get a popup box when I type
"shutdown -r now" that prompts me for the password. I enter my
username, and the remote box reboots. And if I don't have my DISPLAY
environment var set, it just prompts me for the password. And then
promptly reboots.

Comment 3 Jeff Johnson 1999-05-06 20:30:59 UTC
OK, got it now. Off to Michael to explain the functionality of
PAM console ...

Comment 4 Michael K. Johnson 1999-05-06 20:47:59 UTC
This is expected behavior when you are "at the console".  "Console
users" are given all sorts of access, including ownership of
devices like floppies and sound cards, and are also given permission
to run various programs (normally after giving their password, but
that is configurable on a per-program basis).  man pam_console for
more information.  This can be turned off by removing files from
/etc/security/console.apps/ -- just don't remove the xserver file
or X will no longer start for anyone but root.

If this happens for a login that is not at the physical console,
then I most certainly want to know about it.  Keep in mind,
however, that if you are logged in BOTH remotely AND locally
that the remote login has the same privileges as the local login
until all your local login sessions terminate.
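
An added example, not part of the original comment or of Red Hat's tooling: a shell function that lists the entries under /etc/security/console.apps/ and reports whether each one's PAM service file has an active pam_console auth line. It assumes the PAM service for an entry is the file of the same name under /etc/pam.d/; the fixture at the bottom is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not Red Hat's code). Assumption: an entry's PAM service is
# the file of the same name in PAM_DIR (default /etc/pam.d).
#
# audit_console_apps [APPS_DIR] [PAM_DIR] prints "<name> <status>":
#   console-gated      an active auth line references pam_console
#   not-console-gated  PAM service exists, no active pam_console auth line
#   no-pam-service     no PAM service file of that name
audit_console_apps() {
    apps_dir=${1:-/etc/security/console.apps}
    pam_dir=${2:-/etc/pam.d}
    if [ ! -d "$apps_dir" ]; then
        echo "audit_console_apps: $apps_dir not found" >&2
        return 2
    fi
    for entry in "$apps_dir"/*; do
        [ -f "$entry" ] || continue      # skip empty-glob result and subdirs
        name=${entry##*/}
        if [ ! -f "$pam_dir/$name" ]; then
            status=no-pam-service
        elif grep -Eq '^[[:space:]]*auth[[:space:]].*pam_console' "$pam_dir/$name"; then
            status=console-gated
        else
            status=not-console-gated
        fi
        # Comment 4's caveat: without xserver, X starts only for root.
        case $name in xserver) status="$status (do not remove)" ;; esac
        printf '%s %s\n' "$name" "$status"
    done
}

# Constructed fixture so the script runs offline. On a real host, call
# audit_console_apps with no arguments instead.
make_fixture() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/console.apps" "$root/pam.d"
    for n in shutdown halt xserver orphan; do : > "$root/console.apps/$n"; done
    printf 'auth required pam_console.so\n' > "$root/pam.d/shutdown"
    printf 'auth required pam_console.so\n' > "$root/pam.d/xserver"
    printf '#auth required pam_console.so\n' > "$root/pam.d/halt"   # commented out
    echo "$root"
}

fixture=$(make_fixture) && audit_console_apps "$fixture/console.apps" "$fixture/pam.d"
rm -rf "$fixture"
```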

Comment 5 Jeff Johnson 1999-05-15 21:57:59 UTC
*** Bug 2714 has been marked as a duplicate of this bug. ***

The /usr/bin/shutdown has a BIG BUG
anyone can shut down the computer using his OWN password!!!
this can be disabled by removing all the file permissions
for other users on the file /usr/local/consolehelper

but this is NOT a bugfix, it is only temporary!!!

