
#1 2013-05-16 18:41:06

jrussell
Member
From: Cape Town, South Africa
Registered: 2012-08-16
Posts: 510

[solved] Only allow root to suspend,reboot,shutdown without polkit

I've done quite a bit of googling but to no avail, I can't find a way to prevent local users from rebooting, shutting down and suspending.

I know that remote users cannot, and I know there is a thread on how to achieve this with polkit, but I'd like to know if there is a way without it.

*edit

I'd also like to know about the different ways in which one can suspend, reboot, shutdown.

Is running "suspend/reboot/poweroff" the same as running "systemctl reboot/suspend/poweroff"?

From what I see, when trying to perform any of these actions polkit is used

org.freedesktop.login1.reboot

But polkit is not a dependency of systemd or anything in the base group, so if I didn't have polkit installed, would remote users be able to reboot? (I can't remove polkit at the moment to test for myself)

Last edited by jrussell (2013-05-17 15:03:27)


bitcoin: 1G62YGRFkMDwhGr5T5YGovfsxLx44eZo7U


#2 2013-05-16 19:25:04

Raynman
Member
Registered: 2011-10-22
Posts: 1,217

Re: [solved] Only allow root to suspend,reboot,shutdown without polkit

systemd is a dependency of polkit.

jrussell wrote:

Is running "suspend/reboot/poweroff" the same as running "systemctl reboot/suspend/poweroff"?

Yes: (except that suspend is a shell builtin)

> ls -l /sbin/{shutdown,reboot,poweroff}
lrwxrwxrwx 1 root root 18 May  9 16:51 /sbin/poweroff -> /usr/bin/systemctl
lrwxrwxrwx 1 root root 18 May  9 16:51 /sbin/reboot -> /usr/bin/systemctl
lrwxrwxrwx 1 root root 18 May  9 16:51 /sbin/shutdown -> /usr/bin/systemctl

One solution I can think of is taking a blocking inhibitor lock. Simplest way would be something like

# systemd-inhibit --what=sleep:shutdown sleep 2147483647


#3 2013-05-17 09:08:08

jrussell
Member
From: Cape Town, South Africa
Registered: 2012-08-16
Posts: 510

Re: [solved] Only allow root to suspend,reboot,shutdown without polkit

Cool, thanks.

Is polkit installed by default from the base group? I don't think it is. And from the systemd wiki "polkit is necessary for power management."

I'm wondering how remote users would be blocked from rebooting if polkit wasn't installed on a default system, and if polkit was removed, how would it all work.
Also from the wiki:
"If you are in a local systemd-logind user session and no other session is active, the following commands will work without root privileges. If not (for example, because another user is logged into a tty), systemd will automatically ask you for the root password."
This assumes polkit is installed? But as far as I can tell, polkit is not a dependency of systemd or anything in the base group.


bitcoin: 1G62YGRFkMDwhGr5T5YGovfsxLx44eZo7U


#4 2013-05-17 10:57:12

rix
Member
Registered: 2012-07-25
Posts: 232

Re: [solved] Only allow root to suspend,reboot,shutdown without polkit

But normal users don't need root's password to poweroff, etc.?


#5 2013-05-17 11:35:51

Trilby
Forum Fellow
From: Massachusetts, USA
Registered: 2011-11-29
Posts: 17,899

Re: [solved] Only allow root to suspend,reboot,shutdown without polkit

No, polkit is not required - I don't have it installed. [systemctl] {poweroff,reboot,shutdown} requires sudo/root (and thus a password).


Resist the GNU world order.


#6 2013-05-17 15:03:13

jrussell
Member
From: Cape Town, South Africa
Registered: 2012-08-16
Posts: 510

Re: [solved] Only allow root to suspend,reboot,shutdown without polkit

OK, I have figured it out. Without polkit, you need to be root to shutdown, reboot, suspend. Something then ships the files in /usr/share/polkit-1/actions because they are there without polkit installed. Then if polkit is installed, those rules are used and override default settings.

/usr/share/polkit-1/actions/org.freedesktop.login1.policy has the rules for shutdown,reboot,suspend

So to answer my own question, one could either make a new polkit rules file to overwrite
/usr/share/polkit-1/actions/org.freedesktop.login1.policy

or just rename the file


bitcoin: 1G62YGRFkMDwhGr5T5YGovfsxLx44eZo7U
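
Added example, not part of the original posts: one way to write the rules file mentioned in post #6, in polkit's JavaScript rule format, so that only root may trigger the logind power actions. The file name and the function names are assumptions, and the rule also covers hibernate, which the thread does not mention.

```javascript
// Added example; hypothetical file name: /etc/polkit-1/rules.d/10-root-only-power.rules
// polkitd provides the global `polkit`. The fallback object below is only a
// stand-in so the decision function can also be exercised outside polkitd.
var RESULT = (typeof polkit !== "undefined")
    ? polkit.Result
    : { NO: "no", NOT_HANDLED: "not_handled" };

// logind action families to lock down. Each also has "-multiple-sessions"
// and "-ignore-inhibit" variants that share the same prefix.
var POWER_ACTIONS = [
    "org.freedesktop.login1.power-off",
    "org.freedesktop.login1.reboot",
    "org.freedesktop.login1.suspend",
    "org.freedesktop.login1.hibernate"
];

function isPowerAction(id) {
    for (var i = 0; i < POWER_ACTIONS.length; i++) {
        var base = POWER_ACTIONS[i];
        // Match the exact id, or the id followed by a "-suffix" variant.
        if (id === base || id.indexOf(base + "-") === 0) {
            return true;
        }
    }
    return false;
}

function rootOnlyPower(action, subject) {
    if (!isPowerAction(action.id)) {
        return RESULT.NOT_HANDLED;   // leave every other action to the defaults
    }
    if (subject.user === "root") {
        return RESULT.NOT_HANDLED;   // do not interfere with root
    }
    return RESULT.NO;                // refuse outright, no password prompt
}

// Register the rule only when running inside polkitd.
if (typeof polkit !== "undefined") {
    polkit.addRule(rootOnlyPower);
}
```

Files in /etc/polkit-1/rules.d/ survive package upgrades, unlike edits to or renames of the policy file under /usr/share/polkit-1/actions.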
