Is there any way to prevent non-root users from rebooting the system?

andrej.podzimek · 2014-03-09 09:55:32

This question seems to be addressed many times on the web, but the problem is that none of the wannabe-howtos work on my system. In particular, this doesn't work and this doesn't work either, because (1) I need to keep policykit installed for udisks and other dependencies to function and (2) renaming (or removing) the file /usr/share/polkit-1/actions/org.freedesktop.login1.policy has (again) no effect on the users' ability to reboot and shut down the system. Even more surprisingly, adding the following to /etc/polkit-1/rules.d/20-disable-shutdown.rules has no effect at all:

polkit.addRule(function(action, subject) {
        if (
                action.id == "org.freedesktop.login1.power-off" ||
                action.id == "org.freedesktop.login1.reboot" ||
                action.id == "org.freedesktop.login1.suspend" ||
                action.id == "org.freedesktop.upower.suspend" ||
                action.id == "org.freedesktop.login1.hibernate" ||
                action.id == "org.freedesktop.upower.hibernate"
        ) {
                return polkit.Result.NO;
        }
});

As a result, ordinary users (not in the wheel group and with no special permissions) can simply reboot the machine by typing reboot. I remember that a simple polkit rule (as proposed on the Fedora forum) worked fine just a few months ago, but this doesn't work nowadays. The action IDs mentioned there are no longer listed in pkaction, so it's quite obvious that some changes (and bugs) have been introduced since then. I just need to prevent the users from rebooting the machine and to keep policykit installed. Is there any way to do this?

karol · 2014-03-09 10:07:38

Do said users have the ability to push the Power or Reset buttons?

Spider.007 · 2014-03-09 10:09:51

I think this is caused by https://wiki.archlinux.org/index.php/Sy … management; systemd decides a user is allowed to reboot a machine if no other sessions are active. I am not sure if this is configurable

andrej.podzimek · 2014-03-09 17:10:23

karol wrote:

Do said users have the ability to push the Power or Reset buttons?

No, they don't.

But come on, access permissions are a matter of principle rather than a matter of what you can possibly do with a hammer in your hand. That makes your question somewhat irrelevant to this issue. Imagine someone asking: "How can I protect my home directory from access by other users?" You would then probably ask: "Do said users have the ability to pull out the hard drive and mount it on their computer?"

Even if the users had physical access to the ACPI buttons, rebooting the computer by mistake (via software) would still be much more likely than pressing (or even holding) the ACPI buttons by mistake.

If I call rm -Rf / as a normal user, nothing should happen to the system in terms of availability to other users. Only my home directory and temporary files would vanish, but that's all. This is what permissions are there for. Similarly, when I type reboot as a normal user (no matter if I'm on SSH, on a local terminal or logged into KDE), it should be possible to simply disallow rebooting.

The idea that users logged in locally can restart the computer may be fine for laptops under certain conditions, but it is a bad idea in almost all other cases. In a "kiosk" type environment, for example, the ability to reboot and get to the bootloader can be a huge security hole, unless all your disks are encrypted, and a huge "reliability hole" in any case. Suppose you use a desktop as a home server. You want everyone to be able to log in and to connect a USB flash drive (using polkit and udisks). But you simply don't want the machine to be rebooted. Why is such a simple thing so hard to do?

Last edited by andrej.podzimek (2014-03-10 02:15:35)

andrej.podzimek · 2014-03-09 17:21:15

Spider.007 wrote:

I think this is caused by https://wiki.archlinux.org/index.php/Sy … management; systemd decides a user is allowed to reboot a machine if no other sessions are active. I am not sure if this is configurable

Thanks for the link. So it seems that a quick hack would be to create some fake dummy user session on each boot (by just about any means), so that systemd thinks there are other active sessions. But this definitely doesn't look like a good permanent solution. Back in the days of consolekit, the rule preventing users from rebooting the machine just worked and it was even honored by KDM automatically by removing the reboot and power off options from the logout dialog. Nowadays you can manually configure KDM not to show these options, but that doesn't help, because anyone can just run the reboot command.

djgera · 2014-03-09 18:52:30

Looks like something crazy here, or an undocumented feature to me. I have similar polkit rules [#1]
Checking authorization via pkaction command returns correctly "Not authorized" in all cases. But executing reboot local (vt) or remote (ssh) or even with other users logged in the system (systemctl reboot -i) also reboot the system.

Maybe we should ask to upstream about this.

[#1] https://wiki.archlinux.org/index.php/User:Djgera#polkit

djgera · 2014-03-09 23:02:11

Here is the question: [systemd-devel] [210] logind bypasses polkit? bug or new feature?

ewaller · 2014-03-10 00:14:42

andrej.podzimek wrote:

You would then probably ask: "Do said users have the ability to pull out the hard drive and mount it on their computer?"

Absolutely. I understand you argument, but one must ask, why do you want to prevent them from rebooting. Rule one of security is to control physical access.

andrej.podzimek · 2014-03-10 02:12:47

ewaller wrote:

andrej.podzimek wrote:
You would then probably ask: "Do said users have the ability to pull out the hard drive and mount it on their computer?"
Absolutely. I understand you argument, but one must ask, why do you want to prevent them from rebooting. Rule one of security is to control physical access.

The machine works as a server, so rebooting it simply interrupts all the services the server provides. Although the users may not have any malicious intentions, it can (and does) happen that someone mistakenly treats the machine as their own laptop and types poweroff instead of logging off. Physical access to a keyboard and a monitor should not compromise the availability of the entire system, which is supposed to work in a "kiosk mode".

karol · 2014-03-10 02:20:47

poweroff () { echo "I'm sorry Dave, I'm afraid I can't do that"; }

?

progandy · 2014-03-10 02:35:32

It is a bug in systemd-logind. The code asks polkit for permission, but forgets to wait and evaluate the response.
http://cgit.freedesktop.org/systemd/sys … us.c#n1478
Somehow the three blocks are missing at least "if (r==0) return 1;"

WonderWoofy · 2014-03-10 02:38:11

I just tested this on my file server, and it does seem as though there is a bit of a bug here. It should require root access to reboot the machine remotely, but I can do it without. I have not tested the multi-user scenario, but it definitely seems like something is amiss.

I had already seen Djgera's email to systemd-devel, so hopefully that will get an answer soon. Then maybe you can get this working as you intend Andrej...

ewaller · 2014-03-10 05:28:43

I just read my response, and I realized it was incomplete. andrej.podzimek is right, there should be a way. My response was only as to the importance as to physical access control, and the folly if the concern is security. His is not.

andrej.podzimek · 2014-03-10 11:15:49

karol wrote:

poweroff () { echo "I'm sorry Dave, I'm afraid I can't do that"; }

?

How does that disable 'systemctl poweroff'? Of course I could make systemctl (and thus also poweroff, reboot and other symlinks to systemctl) non-executable for non-root users, but solutions of this kind will only last till the following update (of systemd). A warning function defined in /etc/profile doesn't help too much either, simply because access control should be mandatory rather than advisory, i.e., it shouldn't be as simple as adding 'poweroff () { systemctl poweroff; }' to my ~/.bash_profile.

Last edited by andrej.podzimek (2014-03-10 11:17:34)

djgera · 2014-03-10 22:59:12

Fixed: [systemd-devel] [210] logind bypasses polkit? bug or new feature?

Arch Linux

#1 2014-03-09 09:55:32

Is there any way to prevent non-root users from rebooting the system?

#2 2014-03-09 10:07:38

Re: Is there any way to prevent non-root users from rebooting the system?

#3 2014-03-09 10:09:51

Re: Is there any way to prevent non-root users from rebooting the system?

#4 2014-03-09 17:10:23

Re: Is there any way to prevent non-root users from rebooting the system?

#5 2014-03-09 17:21:15

Re: Is there any way to prevent non-root users from rebooting the system?

#6 2014-03-09 18:52:30

Re: Is there any way to prevent non-root users from rebooting the system?

#7 2014-03-09 23:02:11

Re: Is there any way to prevent non-root users from rebooting the system?

#8 2014-03-10 00:14:42

Re: Is there any way to prevent non-root users from rebooting the system?

#9 2014-03-10 02:12:47

Re: Is there any way to prevent non-root users from rebooting the system?

#10 2014-03-10 02:20:47

Re: Is there any way to prevent non-root users from rebooting the system?

#11 2014-03-10 02:35:32

Re: Is there any way to prevent non-root users from rebooting the system?

#12 2014-03-10 02:38:11

Re: Is there any way to prevent non-root users from rebooting the system?

#13 2014-03-10 05:28:43

Re: Is there any way to prevent non-root users from rebooting the system?

#14 2014-03-10 11:15:49

Re: Is there any way to prevent non-root users from rebooting the system?

#15 2014-03-10 22:59:12

Re: Is there any way to prevent non-root users from rebooting the system?

Board footer