I've done quite a bit of googling but to no avail, I can't find a way to prevent local users from rebooting, shutting down and suspending.
I know that remote users cannot, and I know there is a thread on how to achieve this with polkit, but I'd like to know if there is a way without it.
*edit
I'd also like to know about the different ways in which one can suspend, reboot, shutdown.
Is running "suspend/reboot/poweroff" the same as running "systemctl reboot/suspend/poweroff"?
From what I see, when trying to perform any of these actions polkit is used
org.freedesktop.login1.reboot
But polkit is not a dependency of systemd or anything in the base group, so if I didn't have polkit installed, would remote users be able to reboot? (I can't remove polkit at the moment to test for myself)
Last edited by jrussell (2013-05-17 15:03:27)
bitcoin: 1G62YGRFkMDwhGr5T5YGovfsxLx44eZo7U
Offline
systemd is a dependency of polkit.
Is running "suspend/reboot/poweroff" the same as running "systemctl reboot/suspend/poweroff"?
Yes: (except that suspend is a shell builtin)
> ls -l /sbin/{shutdown,reboot,poweroff}
lrwxrwxrwx 1 root root 18 May 9 16:51 /sbin/poweroff -> /usr/bin/systemctl
lrwxrwxrwx 1 root root 18 May 9 16:51 /sbin/reboot -> /usr/bin/systemctl
lrwxrwxrwx 1 root root 18 May 9 16:51 /sbin/shutdown -> /usr/bin/systemctl
One solution I can think of is taking a blocking inhibitor lock. Simplest way would be something like
# systemd-inhibit --what=sleep:shutdown sleep 2147483647
Offline
Cool, thanks.
Is polkit installed by default from the base group? I don't think it is. And from the systemd wiki "polkit is necessary for power management."
I'm wondering how remote users would be blocked from rebooting if polkit wasn't installed on a default system, and if polkit was removed, how would it all work.
Also from the wiki:
"If you are in a local systemd-logind user session and no other session is active, the following commands will work without root privileges. If not (for example, because another user is logged into a tty), systemd will automatically ask you for the root password."
This assumes polkit is installed? But as far as I can tell, polkit is not a dependency of systemd or anything in the base group.
bitcoin: 1G62YGRFkMDwhGr5T5YGovfsxLx44eZo7U
Offline
But normal users don't need root's password to poweroff, etc.?
Offline
No, polkit is not required - I don't have it installed. [systemctl] {poweroff,reboot,shutdown} requires sudo/root (and thus a password).
"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman
Offline
Ok, I have figured it out. Without polkit, you need to be root to shutdown, reboot, suspend. Something then ships the files in /usr/share/polkit-1/actions because they are there without polkit installed. Then if polkit is installed, those rules are used and override default settings.
/usr/share/polkit-1/actions/org.freedesktop.login1.policy has the rules for shutdown, reboot, suspend
So to answer my own question, one could either make a new polkit rules file to overwrite
/usr/share/polkit-1/actions/org.freedesktop.login1.policy
or just rename the file
bitcoin: 1G62YGRFkMDwhGr5T5YGovfsxLx44eZo7U
Offline
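One way to write the overriding rules file mentioned in the last post, as an added example that is not part of the thread: a polkit JavaScript rule that denies logind's power actions to ordinary users and asks administrators for authentication. The file name, the "wheel" admin group and the function names are assumptions; of the action IDs, the thread itself names only org.freedesktop.login1.reboot.

```javascript
// Added example. Assumed location: /etc/polkit-1/rules.d/10-deny-power.rules
// All rules files share one global scope, so the names below are kept distinctive.

var LOGIN1_PREFIX = "org.freedesktop.login1.";
// Power actions declared in org.freedesktop.login1.policy.
var LOGIN1_POWER_VERBS = ["power-off", "reboot", "suspend", "hibernate"];
// logind registers each verb three times: plain, with other sessions
// present, and when overriding an inhibitor lock.
var LOGIN1_VARIANTS = ["", "-multiple-sessions", "-ignore-inhibit"];
var LOGIN1_ADMIN_GROUP = "wheel"; // assumption: admins are members of wheel

// True only for an exact power action ID, never for a mere prefix match,
// so unrelated login1 actions (e.g. inhibit-block-sleep) are left alone.
function login1IsPowerAction(id) {
    if (typeof id !== "string" || id.indexOf(LOGIN1_PREFIX) !== 0) {
        return false;
    }
    var rest = id.slice(LOGIN1_PREFIX.length);
    for (var v = 0; v < LOGIN1_POWER_VERBS.length; v++) {
        for (var s = 0; s < LOGIN1_VARIANTS.length; s++) {
            if (rest === LOGIN1_POWER_VERBS[v] + LOGIN1_VARIANTS[s]) {
                return true;
            }
        }
    }
    return false;
}

// Decision logic, kept separate from polkit.addRule so it can be exercised
// outside polkit. `Result` is polkit.Result (or a stand-in with the same keys).
function login1PowerDecision(action, subject, Result) {
    if (!login1IsPowerAction(action.id)) {
        return Result.NOT_HANDLED;   // fall through to later rules / .policy defaults
    }
    if (subject.isInGroup(LOGIN1_ADMIN_GROUP)) {
        return Result.AUTH_ADMIN;    // admins must authenticate
    }
    return Result.NO;                // everyone else is refused, local or remote
}

// Registered only when loaded by polkitd, where `polkit` is defined.
if (typeof polkit !== "undefined") {
    polkit.addRule(function (action, subject) {
        return login1PowerDecision(action, subject, polkit.Result);
    });
}
```

Files under /usr/share/polkit-1/actions are owned by packages and are put back on upgrade, so a rule under /etc/polkit-1/rules.d persists where a rename does not.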