Hi,
I'm neither a Linux nor an Arch Linux newbie, but inexperienced regarding this particular issue.
I want to enable password request for restart and shutdown and want to know if I'm mistaken, because trial and error might become too time-consuming while working on a project.
I read https://wiki.archlinux.org/index.php/Al … o_shutdown.
$ ls -hAl /usr/bin/shutdown
lrwxrwxrwx 1 root root 9 Apr 22 03:02 /usr/bin/shutdown -> systemctl
If I try to run $ shutdown -hP 28 or $ shutdown -c nothing happens, I need to run $ sudo shutdown -hP 28 and $ sudo shutdown -c and type a password. That's the way I want it.
If I e.g. run $ shutdown -r now no password is needed. I want to disable this. It should behave the same way as shutdown -hP/-c behave. I want to type
$ sudo shutdown -r now or $ sudo systemctl reboot etc. and then the password should be required.
$ sudo grep -vn "#" /etc/sudoers | grep [[:blank:]]
72:root ALL=(ALL) ALL
73:rocketmouse ALL=(ALL) ALL
The user "rocketmouse" should have all permissions after typing a password, but not without typing the password.
IIUC what's written at https://wiki.archlinux.org/index.php/Polkit, I need to edit
$ pkaction | grep login
org.freedesktop.accounts.set-login-option
org.freedesktop.login1.attach-device
org.freedesktop.login1.flush-devices
org.freedesktop.login1.hibernate
org.freedesktop.login1.hibernate-ignore-inhibit
org.freedesktop.login1.hibernate-multiple-sessions
org.freedesktop.login1.inhibit-block-idle
org.freedesktop.login1.inhibit-block-shutdown
org.freedesktop.login1.inhibit-block-sleep
org.freedesktop.login1.inhibit-delay-shutdown
org.freedesktop.login1.inhibit-delay-sleep
org.freedesktop.login1.inhibit-handle-hibernate-key
org.freedesktop.login1.inhibit-handle-lid-switch
org.freedesktop.login1.inhibit-handle-power-key
org.freedesktop.login1.inhibit-handle-suspend-key
org.freedesktop.login1.power-off
org.freedesktop.login1.power-off-ignore-inhibit
org.freedesktop.login1.power-off-multiple-sessions
org.freedesktop.login1.reboot
org.freedesktop.login1.reboot-ignore-inhibit
org.freedesktop.login1.reboot-multiple-sessions
org.freedesktop.login1.set-user-linger
org.freedesktop.login1.suspend
org.freedesktop.login1.suspend-ignore-inhibit
org.freedesktop.login1.suspend-multiple-sessions
org.freedesktop.machine1.login
IOW I need to replace every yes and no etc. with auth_admin in $ grep -v lang /usr/share/polkit-1/actions/org.freedesktop.login1.policy.
Am I mistaken?
Regards,
Ralf
Last edited by Ralf (2015-07-19 18:29:12)
You'll need to create a rules file which uses javascript.
https://wiki.archlinux.org/index.php/Po … tion_rules
// /etc/polkit-1/rules.d/10-admin-shutdown-reboot.rules
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.login1.power-off" ||
        action.id == "org.freedesktop.login1.power-off-ignore-inhibit"
        /* || ...SOME_MORE_IDS_HERE... */
    ) {
        // return polkit.Result.AUTH_ADMIN_KEEP;
        return polkit.Result.AUTH_SELF_KEEP;
    }
});
Last edited by progandy (2015-06-21 17:42:35)
| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
I copy pasted your code to a file named "10-admin-shutdown-reboot.rules" in the directory "/etc/polkit-1/rules.d/" and rebooted my computer. I still get the same error message "Forbidden". The output in the error log is still the same:
E [21/Jun/2015:13:54:16 -0400] [Client 17] Returning HTTP Forbidden for CUPS-Get-Devices (no URI) from localhost
E [21/Jun/2015:13:54:16 -0400] [CGI] CUPS-Get-Devices request failed with status 401: Forbidden
Not sure if you've tried this or not, but you could remove your user from the "power" group and replace it with "root" (in /etc/group) so that you need to make a sudo request to run power (shutdown/restart) commands. You'd also need to reduce the current permissions for your user though (e.g., %wheel group rather than the current unrestricted access).
/etc/group
...
wheel:x:10:root,username
...
power:x:98:root
...
Thank you :)
this solved the issue:
# cat /etc/polkit-1/rules.d/10-admin-shutdown-reboot.rules
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.login1.power-off" ||
        action.id == "org.freedesktop.login1.power-off-ignore-inhibit" ||
        action.id == "org.freedesktop.login1.power-off-multiple-sessions" ||
        action.id == "org.freedesktop.login1.reboot" ||
        action.id == "org.freedesktop.login1.reboot-ignore-inhibit" ||
        action.id == "org.freedesktop.login1.reboot-multiple-sessions"
    ) {
        return polkit.Result.AUTH_SELF_KEEP;
    }
});
Last edited by Ralf (2015-07-19 18:33:32)
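An offline check of which login1 actions a rule like the one above gates, added here as an example and not part of any post in the thread. The `polkit` object is a minimal stand-in for the one polkitd provides, `evaluate` and `report` are hypothetical helpers, and the subject is constructed; it runs under Node.js.

```javascript
// Added example, not code from the thread: offline harness for a polkit rule.
// `polkit` here is a minimal stand-in (assumption) for the object polkitd provides.
const polkit = {
  Result: { AUTH_SELF_KEEP: "auth_self_keep", AUTH_ADMIN_KEEP: "auth_admin_keep" },
  rules: [],
  addRule(fn) { this.rules.push(fn); },
};

// ---- rule body, written as it would appear in a rules.d file ----
var GATED = [
  "org.freedesktop.login1.power-off",
  "org.freedesktop.login1.power-off-ignore-inhibit",
  "org.freedesktop.login1.power-off-multiple-sessions",
  "org.freedesktop.login1.reboot",
  "org.freedesktop.login1.reboot-ignore-inhibit",
  "org.freedesktop.login1.reboot-multiple-sessions",
];
polkit.addRule(function (action, subject) {
  if (GATED.indexOf(action.id) !== -1) {
    return polkit.Result.AUTH_SELF_KEEP;
  }
  // No return value: polkit continues with later rules, then the .policy defaults.
});
// ---- end of rule body ----

// Hypothetical helper: run the rules in order; the first returned value wins.
function evaluate(actionId, subject) {
  for (const rule of polkit.rules) {
    const result = rule({ id: actionId }, subject);
    if (result) return result;
  }
  return null; // not handled by any rule
}

// Hypothetical helper: split a list of action ids into gated and ungated.
function report(actionIds, subject) {
  const gated = [], ungated = [];
  for (const id of actionIds) (evaluate(id, subject) ? gated : ungated).push(id);
  return { gated, ungated };
}

// Constructed subject and a sample of the ids from the pkaction listing above.
const subject = { user: "rocketmouse", local: true, active: true };
const sample = GATED.concat([
  "org.freedesktop.login1.suspend",
  "org.freedesktop.login1.hibernate",
]);
console.log(report(sample, subject));
```

The suspend and hibernate actions come back as ungated because the rule returns nothing for them, so they keep whatever the shipped .policy file specifies.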