The default for the shutdown button on the login box allows anyone to use it to shutdown the system.
The section in /usr/share/config/kdmrc controlling who may use this button looks like this:
#ShutdownButton=RootOnly
ShutdownButton=ConsoleOnly
To enable only the root user to shutdown the system, change the lines as shown below:
ShutdownButton=RootOnly
#ShutdownButton=ConsoleOnly
Clicking the shutdown button will now prompt for the root password before shutting down the system.