You are not logged in.

Pages: 1

#1 2012-11-09 10:43:34

Dirk Sohler
Member
From: Hamburg, Germany
Registered: 2009-10-03
Posts: 109

[SOLVED] Deny systemctl poweroff/reboot/etc. for users

Edit: polkit messed it all up. As a quick fix I use this now (I’m VERY sure that this can be formatted better, but it works as expected) – btw. how to reload polkit rules without restart?

# cat /etc/polkit-1/rules.d/60-noreboot.rules 

polkit.addRule(function(action, subject) {
  if (action.id.indexOf("org.freedesktop.login1.hibernate") == 0) {
    return polkit.Result.AUTH_ADMIN;
  }
});

polkit.addRule(function(action, subject) {
  if (action.id.indexOf("org.freedesktop.login1.power-off") == 0) {
    return polkit.Result.AUTH_ADMIN;
  }
});

polkit.addRule(function(action, subject) {
  if (action.id.indexOf("org.freedesktop.login1.reboot") == 0) {
    return polkit.Result.AUTH_ADMIN;
  }
});

polkit.addRule(function(action, subject) {
  if (action.id.indexOf("org.freedesktop.login1.suspend") == 0) {
    return polkit.Result.AUTH_ADMIN;
  }
});

[tl;dr] I use systemd. I only want root to be able to shutdown or reboot the machine.

Hey there!

Today I was messing around with my system for administration purposes. After all was done I needed to make a reboot because of … because. But anyways … I typed in systemctl reboot as user, not as root. At the same moment I pressed enter I noticed my mistake and prepared myself to su and re-type that systemctl stuff. But nope … The system just rebooted.

After some research I learned that systemd allows users to reboot the machine if they’re alone on that machine.

This might be nice for single-user machines. I administer a multi-user machines and just don’t want my users to be able to reboot or shut down the machine at all.

It seems like no-one really asked that before, because Google and forum research on that topic wasn’t really helpful. I found some threads and pages on how to ENABLE this, but not on how to disable systemctl reboot (or better: the complete systemctl command) in a clean way. Working with the tutorials for enabling and just “invert” them didn’t work.

Any hints?

Kind regards,
Dirk

Last edited by Dirk Sohler (2012-11-11 11:49:29)

obrowse – Openbox pipemenu file browser (in AUR, on github)

Offline

#2 2012-11-09 11:16:54

flipper T
Member
Registered: 2012-09-14
Posts: 419

Re: [SOLVED] Deny systemctl poweroff/reboot/etc. for users

I am no expert, but can you not just remove the user from the "power" group ?

If I'm curt with you it's because time is a factor. I think fast, I talk fast and I need you guys to act fast if you wanna get out of this. So, pretty please... with sugar on top. Clean the [censored] car. -The Wolf

Offline

#3 2012-11-09 11:18:18

65kid
Member
From: Germany
Registered: 2011-01-26
Posts: 663

Re: [SOLVED] Deny systemctl poweroff/reboot/etc. for users

afaik in this case polkit rules are the proper way. There are a few good examples in the man page, so this shouldn't be too hard to set up.
see 

man polkit

and

pkaction | grep org.freedesktop.login1

Offline

#4 2012-11-09 11:36:37

loafer
Member
From: the pub
Registered: 2009-04-14
Posts: 1,772

Re: [SOLVED] Deny systemctl poweroff/reboot/etc. for users

flipper T wrote:

I am no expert, but can you not just remove the user from the "power" group ?

I don't think the power group has anything to do with systemd in this case.

All men have stood for freedom...
For freedom is the man that will turn the world upside down.
Gerrard Winstanley.

Offline

#5 2012-11-11 11:30:18

Dirk Sohler
Member
From: Hamburg, Germany
Registered: 2009-10-03
Posts: 109

Re: [SOLVED] Deny systemctl poweroff/reboot/etc. for users

Can’t remove polkit without breaking colord and thus cups and gtk3.

$ groups
video audio optical users

I’m trying to learn how to configure polkit (I was SO hoping to get rid of it with systemd sad).

obrowse – Openbox pipemenu file browser (in AUR, on github)

Offline

#6 2012-11-11 11:54:24

kaszak696
Member
Registered: 2009-05-26
Posts: 543

Re: [SOLVED] Deny systemctl poweroff/reboot/etc. for users

You can get rid of polkit by installing empty colord-fake package from aur. Cups seems to be ok with it.

'What can be asserted without evidence can also be dismissed without evidence.' - Christopher Hitchens
'There's no such thing as addiction, there's only things that you enjoy doing more than life.' - Doug Stanhope
GitHub Junkyard

Offline

#7 2012-12-24 09:46:57

jrussell
Member
From: Cape Town, South Africa
Registered: 2012-08-16
Posts: 510

Re: [SOLVED] Deny systemctl poweroff/reboot/etc. for users

loafer wrote:
flipper T wrote:

I am no expert, but can you not just remove the user from the "power" group ?

I don't think the power group has anything to do with systemd in this case.

I cant reboot or shutdown from a user that is not in the 'power' group. Is this not how its supposed to work?

*edit

sorry this is only true if connecting remotely

Last edited by jrussell (2013-01-15 13:57:32)

bitcoin: 1G62YGRFkMDwhGr5T5YGovfsxLx44eZo7U

Offline

#8 2013-10-09 15:32:46

wombalton
Member
Registered: 2011-07-18
Posts: 17

Re: [SOLVED] Deny systemctl poweroff/reboot/etc. for users

Just in case someone is interested in it:

An example to restrict poweroff to memebers of group power and admins:

polkit.addRule(function(action, subject) {
  if (action.id.indexOf("org.freedesktop.login1.power-off") == 0) {
	if (subject.isInGroup("power")) {
		return polkit.Result.YES;
	} else {
		return polkit.Result.AUTH_ADMIN;
	}
  }
});

source: http://www.freedesktop.org/software/pol … kit.8.html

Last edited by wombalton (2013-10-09 15:48:14)

Offline

Pages: 1

Board footer

Powered by FluxBB