SlackwareThis Forum is for the discussion of Slackware Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Guys, are there any polkit-1 rules files to control what a user does with loginctl? Specifically, I'm looking to limit poweroff/reboot. It looks like any user can just shutdown or reboot regardless of whether they are in the 'power' group or not.
I don't install kde, so I might be missing some config files if they're somewhere in the kde set. I just run xdm and fvwm.
Am I missing some polkit rules because I didn't install the kde set, or are they just not implemented yet? If so, could someone please point me at the package.
Guys, are there any polkit-1 rules files to control what a user does with loginctl? Specifically, I'm looking to limit poweroff/reboot. It looks like any user can just shutdown or reboot regardless of whether they are in the 'power' group or not.
I don't install kde, so I might be missing some config files if they're somewhere in the kde set. I just run xdm and fvwm.
Am I missing some polkit rules because I didn't install the kde set, or are they just not implemented yet? If so, could someone please point me at the package.
definitely a good point, same wonder, same issue on polkit here. scary for servers.
it seems something got identified in elogin circa feb 2020 and changed in version 246? circa december 2020, i am lost here.
with a root user logged in on the machine the suspend command will not be honored unless -i is issued. but that doesn't address our issue.
Quote:
$ loginctl suspend
User root is logged in on tty1.
Please retry operation after closing inhibitors and logging out other users.
Alternatively, ignore inhibitors and users with 'loginctl suspend -i'.
you would say that polkit + elogind code should just work properly together and that's it, right ?
with time it will i suppose, it seems we are on elogind-243.7-x86_64-1 for now, maybe i will work with 246 and above
result: reboot and poweroff can be done by any user in group "power" so long as there are not multiple active sessions, or any other inhibitors: Users not in "power" can't shutdown or reboot at all. This feels like a good default to me.
I just need to think about what I'm going to do with the suspend/hibernate rules now.
I'll mark this as solved. Thanks to all who commented.
GazL, your workaround does the job but I am not convinced it should be necessary. The elogind package provides default rules in /usr/share/polkit-1/actions/org.freedesktop.login1.policy. These seem to allow amongst many other things a single user in an active session to power-off and reboot without additional authentication. Possibly elogind does not detect an active user correctly.
Edit: Something weird is going on for me after starting xfce using a DM, in my case lightdm. Entering as root 'loginctl list' gives "No sessions", and 'loginctl list-users' gives "No users". If I start from the console with startx, then I get the correct results.
Solved: I needed to add a line 'session optional pam_elogind.so' to my DM's pam file in /etc/pam.d.
The policy also allows an active user to shutdown multiple-sessions.
Code:
<action id="org.freedesktop.login1.power-off-multiple-sessions">
<description gettext-domain="systemd">Power off the system while other users are logged in</description>
<message gettext-domain="systemd">Authentication is required for powering off the system while other users
are logged in.</message>
<defaults>
<allow_any>auth_admin_keep</allow_any>
<allow_inactive>auth_admin_keep</allow_inactive>
<allow_active>yes</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.imply">org.freedesktop.login1.power-off</annotate>
</action>
I suppose it could also be tightened up by changing the policy to "no", or "auth_admin", which would lock it down a little more, but personally I prefer to tie the ability to shutdown/reboot to the 'power' group like it used to be, and for that rules are required (as far as I can tell).
Pat may not even want to change this. Maybe some folk prefer this level of permissiveness, but I'm more comfortable locking it down.
P.S.
I've only tried this with xdm and on the tty consoles. I don't use any other DMs.
Last edited by GazL; 12-09-2020 at 04:36 AM.
Reason: clarified
I only started looking at this stuff yesterday, so I'm learning as I go alone, but, as the ssh login is not in a login1 session I assume the <allow_any> rule in the policy applies, which says "auth_admin_keep": i.e. prompt the user for the admin password, but as there's no mechanism in ssh to provide that dialog it should fail.
Feels kind of messy though. Maybe <allow_any> should be "no" for these options?
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.