Can't reboot/poweroff as normal user

oeut1341 · 2017-06-21 10:15:10

Since a few days (couple of weeks?) I can't seem to reboot/poweroff my machine anymore as a regular user. Choosing shutdown from the KDE menu only logs me out and takes me back to the sddm login screen. I can still poweroff/reboot from the login screen or by using sudo, so it's probably related to dbus/polkit/logind.

Running "poweroff" from konsole results in this:

% poweroff
Failed to set wall message, ignoring: Interactive authentication required.
Failed to power off system via logind: Interactive authentication required.
Failed to talk to init daemon.

Using "systemctl poweroff":

% systemctl poweroff                                
Failed to set wall message, ignoring: Interactive authentication required.
Failed to power off system via logind: Interactive authentication required.
Failed to start poweroff.target: Interactive authentication required.
See system logs and 'systemctl status poweroff.target' for details.

The following then pops up in journalctl:

 6月 21 12:08:35 oeut1341-pc polkitd[2102]: Registered Authentication Agent for unix-process:8621:46074 (system bus name :1.1873 [<unknown>], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale ja_JP.utf8)
 6月 21 12:08:35 oeut1341-pc polkitd[2102]: Unregistered Authentication Agent for unix-process:8621:46074 (system bus name :1.1873, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale ja_JP.utf8) (disconnected from bus)

After some googling around I suspect the following should return 'string "yes"' instead of 'string "challenge"':

% dbus-send --print-reply --system --dest=org.freedesktop.login1 /org/freedesktop/login1 org.freedesktop.login1.Manager.CanReboot
method return time=1498039814.868591 sender=:1.1 -> destination=:1.2276 serial=117 reply_serial=2
   string "challenge"

But I haven't made any changes to polkit...? Maybe someone better acquainted with logind/dbus/etc. could point me in the right direction

Last edited by oeut1341 (2017-06-21 10:18:58)

V1del · 2017-06-21 10:51:02

How do you login, how do you start X? Outputs/contents of your .xinitrc if present, and of

printenv DBUS_SESSION_BUS_ADDRESS
loginctl show-session $XDG_SESSION_ID

Have you seen and gone through the suggestions in one of the many other threads popping up with this or similar issues like e.g.?: https://bbs.archlinux.org/viewtopic.php?id=227275

oeut1341 · 2017-06-21 12:12:02

Local session, login with sddm. X started by sddm too. No .xinitrc or startx or anything.

% printenv DBUS_SESSION_BUS_ADDRESS
unix:path=/run/user/1000/bus

% loginctl show-session $XDG_SESSION_ID
Id=c2
User=1000
Name=oeut1341
Timestamp=Wed 2017-06-21 12:01:18 GMT
TimestampMonotonic=23325829
VTNr=1
Seat=seat0
Display=:0
Remote=no
Service=sddm
Desktop=KDE
Scope=session-c2.scope
Leader=2236
Audit=0
Type=x11
Class=user
Active=yes
State=active
IdleHint=no
IdleSinceHint=0
IdleSinceHintMonotonic=0
LockedHint=no

Thanks for mentioning that thread. I'll take a look at it on the evening.

oeut1341 · 2017-06-22 09:53:21

Nope. https://bugs.archlinux.org/task/54396 is not it: the only service I had in ~/.config/systemd/user which could conflict with gpg-agent was ssh-agent, but disabling it did not do anything...

Last edited by oeut1341 (2017-06-22 09:54:51)

seth · 2017-06-22 19:53:50

pacman -Qkk systemd

In doubt paste your version of /usr/share/polkit-1/actions/org.freedesktop.login1.policy and check for overrides in /etc/polkit-1 (you'll need root permissions to inspect rules.d)

ewaller · 2017-06-22 20:55:02

When the shutdown or reboot fails and requires interactive authentication, what is the output of who
?

oeut1341 · 2017-06-23 18:31:53

% pacman -Qkk systemd
backup file: systemd: /etc/systemd/logind.conf (Modification time mismatch)
backup file: systemd: /etc/systemd/logind.conf (Size mismatch)
systemd: 1368 total files, 0 altered files

In logind.conf only the following is uncommented:

% cat logind.conf | egrep -v '^#'

[Login]
IdleAction=lock
IdleActionSec=5min

Pastebin: /usr/share/polkit-1/actions/org.freedesktop.login1.policy

% sudo ls -a /etc/polkit-1/rules.d/
.  ..  50-default.rules

% sudo cat /etc/polkit-1/rules.d/50-default.rules
/* -*- mode: js; js-indent-level: 4; indent-tabs-mode: nil -*- */

// DO NOT EDIT THIS FILE, it will be overwritten on update
//
// Default rules for polkit
//
// See the polkit(8) man page for more information
// about configuring polkit.

polkit.addAdminRule(function(action, subject) {
    return ["unix-group:wheel"];
});

I suspected some program inhibiting shutdown or similar, but no:

% systemd-inhibit --list 
0 inhibitors listed.

----

X session:

% who
oeut1341 pts/0        2017-06-23 20:14 (:0)
oeut1341 pts/1        2017-06-23 20:14 (:0)

TTY:

% who
oeut1341 tty2         2017-06-23 20:13

In both cases the same "Interactive authentication required" etc. error. So not related to X it seems...

Last edited by oeut1341 (2017-06-23 18:32:45)

seth · 2017-06-23 19:08:21

Let's see whether we can get more data on the failure ...

pkaction --verbose --action-id org.freedesktop.login1.power-off

oeut1341 · 2017-06-23 19:52:48

% pkaction --verbose --action-id org.freedesktop.login1.power-off
org.freedesktop.login1.power-off:
  description:       Power off the system
  message:           Authentication is required for powering off the system.
  vendor:            The systemd Project
  vendor_url:        http://www.freedesktop.org/wiki/Software/systemd
  icon:              
  implicit any:      auth_admin_keep
  implicit inactive: auth_admin_keep
  implicit active:   yes
  annotation:        org.freedesktop.policykit.imply -> org.freedesktop.login1.set-wall-message

seth · 2017-06-23 20:17:23

Let's try something else, what if you set org.freedesktop.login1.set-wall-message to "yes" for all three categories in /usr/share/polkit-1/actions/org.freedesktop.login1.policy ?
iirc polkitd reloads the config on SIGHUP.

oeut1341 · 2017-06-26 09:47:34

<allow_any>yes</allow_any>                  
<allow_inactive>yes</allow_inactive>                    
<allow_active>yes</allow_active>

Works (yay!):

% dbus-send --print-reply --system --dest=org.freedesktop.login1 /org/freedesktop/login1 org.freedesktop.login1.Manager.CanReboot
method return time=1498470230.453532 sender=:1.0 -> destination=:1.8369 serial=103 reply_serial=2
   string "yes"

Now to find the culprit...

<allow_any>auth_admin_keep</allow_any>
<allow_inactive>yes</allow_inactive>                    
<allow_active>yes</allow_active>

This doesn't work:

% dbus-send --print-reply --system --dest=org.freedesktop.login1 /org/freedesktop/login1 org.freedesktop.login1.Manager.CanReboot
method return time=1498470197.469885 sender=:1.0 -> destination=:1.8236 serial=99 reply_serial=2
   string "challenge"

From polkit man:

allow_any
Implicit authorizations that apply to any client. Optional.
allow_inactive
Implicit authorizations that apply to clients in inactive
sessions on local consoles. Optional.
allow_active
Implicit authorizations that apply to clients in active
sessions on local consoles. Optional.

So is somehow my session being seen as a remote one? But loginctl says Remote=no

Last edited by oeut1341 (2017-06-26 09:48:20)

seth · 2017-06-26 13:03:53

1. org.freedesktop.login1.power-off still needs authentication for remote and inactive users
2. org.freedesktop.login1.set-wall-message is auth_admin_keep for anyone anyway, ie. needs previous privileges anyway

Wild guess:

stat `which wall`

oeut1341 · 2017-06-28 12:38:46

% stat $(which wall)
  File: /usr/bin/wall
  Size: 27368           Blocks: 56         IO Block: 4096   regular file
Device: 802h/2050d      Inode: 1191691     Links: 1
Access: (2755/-rwxr-sr-x)  Uid: (    0/    root)   Gid: (    5/     tty)
Access: 2017-04-01 12:51:35.000000000 +0200
Modify: 2017-03-26 23:54:41.000000000 +0200
Change: 2017-04-01 12:51:35.490841789 +0200
 Birth: -

seth · 2017-06-28 12:45:16

Nope, suid'd for UID0 :-(

org.freedesktop.login1.power-off seems to call org.freedesktop.login1.set-wall-message in the context of the unprivileged user, but I've no idea why that's the case :-(

oeut1341 · 2017-07-05 09:55:16

Update: I added a couple of "debug" rules to /etc/polkit-1/rules.d/, i.e., polkit.log(...), and then caught these messages in the logs:

oeut1341-pc polkitd[15890]: /etc/polkit-1/rules.d/20-debug.rules:6: subject: [Subject pid=2759 user='oeut1341' groups=oeut1341,adm,disk,wheel,video,audio,scanner seat='' session='' local=false active=false]

So it seems polkit thinks my session is neither local nor active... while loginctl says otherwise (see post #3).

Arch Linux

#1 2017-06-21 10:15:10

Can't reboot/poweroff as normal user

#2 2017-06-21 10:51:02

Re: Can't reboot/poweroff as normal user

#3 2017-06-21 12:12:02

Re: Can't reboot/poweroff as normal user

#4 2017-06-22 09:53:21

Re: Can't reboot/poweroff as normal user

#5 2017-06-22 19:53:50

Re: Can't reboot/poweroff as normal user

#6 2017-06-22 20:55:02

Re: Can't reboot/poweroff as normal user

#7 2017-06-23 18:31:53

Re: Can't reboot/poweroff as normal user

#8 2017-06-23 19:08:21

Re: Can't reboot/poweroff as normal user

#9 2017-06-23 19:52:48

Re: Can't reboot/poweroff as normal user

#10 2017-06-23 20:17:23

Re: Can't reboot/poweroff as normal user

#11 2017-06-26 09:47:34

Re: Can't reboot/poweroff as normal user

#12 2017-06-26 13:03:53

Re: Can't reboot/poweroff as normal user

#13 2017-06-28 12:38:46

Re: Can't reboot/poweroff as normal user

#14 2017-06-28 12:45:16

Re: Can't reboot/poweroff as normal user

#15 2017-07-05 09:55:16

Re: Can't reboot/poweroff as normal user

Board footer