Thanks!
it blocks the xfce4/whiskermenu [...] I just want to have the shell blocked.
The default polkit rules will allow [xfce] user sessions to shutdown via D-Bus.
To prevent a command being executed, remove the execute bit:
# chmod o-x /usr/bin/systemctl
You can use sudo to execute it directly.
I want to protect myself from accidentally invoking this command
In that case the most simple and straightforward approach is to shadow the command w/ a script that checks the UID before running the actual command, i.e.
/usr/local/bin/reboot
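#!/bin/sh
# Run the real reboot only for root; id -u is used because plain sh need not set $UID.
[ "$(id -u)" -eq 0 ] && exec /bin/reboot "$@"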
For this reason, there are additional actions that need auth:
# cat /etc/polkit-1/rules.d/10-admin-shutdown-reboot.rules
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.login1.power-off" ||
        action.id == "org.freedesktop.login1.power-off-ignore-inhibit" ||
        action.id == "org.freedesktop.login1.power-off-multiple-sessions" ||
        action.id == "org.freedesktop.login1.set-reboot-parameter" ||
        action.id == "org.freedesktop.login1.set-reboot-to-firmware-setup" ||
        action.id == "org.freedesktop.login1.set-reboot-to-boot-loader-menu" ||
        action.id == "org.freedesktop.login1.set-reboot-to-boot-loader-entry" ||
        action.id == "org.freedesktop.login1.reboot" ||
        action.id == "org.freedesktop.login1.reboot-ignore-inhibit" ||
        action.id == "org.freedesktop.login1.reboot-multiple-sessions"
    ) {
        return polkit.Result.AUTH_SELF_KEEP;
    }
});
such a rule in sudoers would not magically allow the bare command
Any program, including systemd, can magically use sudo NOPASSWD behind the scenes:
$ cat bin/systemd.py
#!/usr/bin/env python3
import os
os.system('sudo reboot')
$ ln -sv systemd.py bin/reboot
'bin/reboot' -> 'systemd.py'
$ bin/reboot
Admittedly though, that's not the case here, as indicated by the difference in systemd behavior between halt and reboot.
pkcheck -u -p $$ -a org.freedesktop.login1.reboot; echo $?
If it throws '0' we are in the same boat.
Edit: Btw, the polkit rules above also disable 'shutdown' in my xfce startmenu (whiskermenu). Needs an exception or something if it might be useful one day.
I've tried /etc/polkit-1/rules.d/10-admin-shutdown-reboot.rules from above and all rules work but the reboot one (wtf?!).
Do you have some sudo rule alternatively allowing this? e.g.
%wheel ALL = NOPASSWD: /sbin/reboot
Required By : accountsservice colord cups-pk-helper gconf libvirt mate-polkit mate-settings-daemon
networkmanager packagekit polkit-gnome polkit-qt5 rtkit udisks2 xfce4-session
I can live with polkit. The question is rather why it doesn't work. I suspect systemd but 'systemctl reboot' is not really a service.
Notwithstanding the claim that it is a dependency of virtually everything (it isn't), I've never had it on any of my systems.
I will try to find some debug functions for systemctl to report what it's doing exactly.
pkcheck -u -p $$ -a org.freedesktop.login1.reboot
This gives exit 0. All other rules give exit 3 and get denied successfully.
I couldn't find the culprit yet.
Ideas?
$ pkaction -v -a org.freedesktop.login1.reboot
org.freedesktop.login1.reboot:
description: Reboot the system
message: Authentication is required for rebooting the system.
vendor: The systemd Project
vendor_url: http://www.freedesktop.org/wiki/Software/systemd
icon:
implicit any: auth_admin_keep
implicit inactive: auth_admin_keep
implicit active: yes
annotation: org.freedesktop.policykit.imply -> org.freedesktop.login1.set-wall-message
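
The `pkaction -v` listing above shows the implicit defaults for the reboot action, which polkit falls back on when no rule in rules.d returns a result. As an added example, not part of the thread, this script summarises those defaults from `pkaction -v` output and lists the actions an active local session gets without authentication; the function names and the second sample entry are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit implicit polkit defaults.

# Print "<action.id> <any> <inactive> <active>" for each action read on stdin.
implicit_defaults() {
    awk '
        function emit() { if (id != "") print id, any, inactive, active }
        # Action header: a dotted id followed only by a colon ("icon:" has no dot).
        /^[ \t]*[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)+:[ \t]*$/ {
            emit()
            id = $1; sub(/:$/, "", id)
            any = inactive = active = "unset"
            next
        }
        /^[ \t]*implicit (any|inactive|active):/ {
            v = ($3 == "" ? "unset" : $3)
            if ($2 == "any:")      any = v
            if ($2 == "inactive:") inactive = v
            if ($2 == "active:")   active = v
        }
        END { emit() }
    '
}

# Print the ids whose default for an active local session is "yes".
no_auth_when_active() {
    implicit_defaults | awk '$4 == "yes" { print $1 }'
}

# Constructed sample: the reboot entry as posted in the thread, plus a
# made-up second entry for contrast.
sample_pkaction_output() {
    cat <<'EOF'
org.freedesktop.login1.reboot:
  description:       Reboot the system
  implicit any:      auth_admin_keep
  implicit inactive: auth_admin_keep
  implicit active:   yes

org.example.constructed.action:
  description:       Constructed entry, not a real polkit action
  icon:
  implicit any:      no
  implicit inactive: no
  implicit active:   auth_admin
EOF
}

sample_pkaction_output | no_auth_when_active
```

On a live system, feed it `pkaction -v` instead of the sample; the effective decision for a given process is still what `pkcheck` reports, since rules in rules.d take precedence over these defaults.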