The default gdm configuration allows anyone in front of the console to reboot or halt the machine without having to surrender any sort of password. This is especially peculiar as, once you log in, you will have to give a password to do this. I believe that the default should be to require the root password before allowing halt/shutdown.
We believe that a user having console access already has more than enough opportunity to halt or reboot the machine physically. In the case of a "cluster" type situation where a network of workstations is installed in a public area, this can easily be changed via a modified configuration. However, the defaults are appropriate in the majority of cases.
*** Bug 6839 has been marked as a duplicate of this bug. ***