[Solved] Disallow 'reboot' for non-root users

Maniaxx · 2019-12-03 02:33:52

I want to prevent 'reboot' (and 'shutdown') for non-root users (should be 'sudo' only). Or in other words, i want to protect myself accidentally invoking this command. The wiki explains only the opposite: How to allow non-root users. I have to admit i can't remember anymore if i once enabled something like this before indeed (for whatever reason). If so, i cannot find the place anymore. There's nothing in 'sudoers' and my groups are 6(disk),10(wheel),92(audio),93(optical),95(storage),108(vboxusers),150(wireshark),983(realtime),986(libvirt),989(samba),1002(wine),1004(lxd).
I use xfce with startx.

Any ideas?
Is it default behavior in Arch that non-root users can 'reboot' by shell?

Last edited by Maniaxx (2019-12-08 18:28:35)

seth · 2019-12-03 08:26:13

It's the default w/ systemd an non-broken sessions - https://wiki.archlinux.org/index.php/Al … emd-logind
=> /usr/share/polkit-1/actions/org.freedesktop.login1.policy

sabroad · 2019-12-03 12:24:08

Maniaxx wrote:

i want to protect myself accidentally invoking this command

See [solved] How to enable password request for restart and shutdown?

# cat /etc/polkit-1/rules.d/10-admin-shutdown-reboot.rules 
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.login1.power-off" ||
        action.id == "org.freedesktop.login1.power-off-ignore-inhibit" ||
        action.id == "org.freedesktop.login1.power-off-multiple-sessions" ||
        action.id == "org.freedesktop.login1.reboot" ||
        action.id == "org.freedesktop.login1.reboot-ignore-inhibit" ||
        action.id == "org.freedesktop.login1.reboot-multiple-sessions"
    ) {
        return polkit.Result.AUTH_SELF_KEEP;
    }
});

Alternatively

return polkit.Result.NO

to flat out deny, but prompting for password should be sufficient to avoid accidental use (whilst retaining convenience).

Trilby · 2019-12-03 12:37:51

seth wrote:

It's the default w/ systemd an non-broken sessions

No it isn't. The default is for regular users to not be able to issue these commands. Even according to the link you posted, if you want to change this behavior to allow users to run these commands, you should install polkit (which is not part of a "default" or base install).

If you previously installed polkit to acheive this behavior and do not want it, remove polkit.

Last edited by Trilby (2019-12-03 12:45:44)

seth · 2019-12-03 12:47:09

which is not part of a "default" or base instal

True, but it's a dep for among others udisks2 and an optional dep for systemd and to be found on every non-minimal environment.
I'll concede that "default" is highly subjective in this context and up for interpretation here, though.

Maniaxx · 2019-12-03 19:21:59

I've tried /etc/polkit-1/rules.d/10-admin-shutdown-reboot.rules from above and all rules work but the reboot one (wtf?!).

pkcheck -u -p $$ -a org.freedesktop.login1.reboot

This gives exit 0. All other rules give exit 3 and get denied successfully.

I couldn't find the culprit yet.

Ideas?

$ pkaction -v -a org.freedesktop.login1.reboot
org.freedesktop.login1.reboot:
  description:       Reboot the system
  message:           Authentication is required for rebooting the system.
  vendor:            The systemd Project
  vendor_url:        http://www.freedesktop.org/wiki/Software/systemd
  icon:              
  implicit any:      auth_admin_keep
  implicit inactive: auth_admin_keep
  implicit active:   yes
  annotation:        org.freedesktop.policykit.imply -> org.freedesktop.login1.set-wall-message

Last edited by Maniaxx (2019-12-03 19:41:00)

seth · 2019-12-03 20:31:17

What about return polkit.Result.NO ? (maybe you've a hot auth for the action)

Maniaxx · 2019-12-03 21:47:50

Same effect. Does pkcheck -u -p $$ -a org.freedesktop.login1.reboot work for you (exit not 0)? Just to make sure.
I checked '/usr/share/polkit-1/actions/org.freedesktop.login1.policy' for integrity, looked up systemd rules, logind.conf and sysctl.d. Not sure where i could have changed it. Where is 'git status' when you need it...

I will try to find some debug functions for systemctl to report what it's doing exactly.

Trilby · 2019-12-03 22:42:01

Do you need polkit for something else?

Notwithstanding the claim that it is a dependency of virtual everything (it isn't), I've never had it on any of my systems.

Maniaxx · 2019-12-03 23:16:16

It has some dependencies. The depchain is even longer indeed.

Required By     : accountsservice  colord  cups-pk-helper  gconf  libvirt  mate-polkit  mate-settings-daemon
                  networkmanager  packagekit  polkit-gnome  polkit-qt5  rtkit  udisks2  xfce4-session

I can live with polkit. The question is rather why it doesn't work. I suspect systemd but 'systemctl reboot' is not really a service.

sabroad · 2019-12-04 11:08:41

Maniaxx wrote:

I've tried /etc/polkit-1/rules.d/10-admin-shutdown-reboot.rules from above and all rules work but the reboot one (wtf?!).

Do you have some sudo rule alternatively allowing this? eg.

%wheel ALL = NOPASSWD: /sbin/reboot

Trilby · 2019-12-04 12:51:25

sabroad, such a rule in sudoers would not magically allow the bare command to be run as a regular user, it would only allow it to be run with `sudo reboot` without prompting for a password.

Maniaxx · 2019-12-05 01:33:54

Maybe its not just me but a general bug. Please someone run this as normal user in shell:

pkcheck -u -p $$ -a org.freedesktop.login1.reboot; echo $?

If it throws '0' we are in the same boat.

Edit: Btw, the polkit rules above also disable 'shutdown' in my xfce startmenu (whiskermenu). Needs an exception or something if it might be useful one day.

Last edited by Maniaxx (2019-12-05 01:49:58)

sabroad · 2019-12-05 03:18:40

Trilby wrote:

such a rule in sudoers would not magically allow the bare command

Any program, including systemd, can magically use sudo NOPASSWD behind the scenes:

$ cat bin/systemd.py 
#!/usr/bin/env python3
import os
os.system('sudo reboot')

$ ln -sv systemd.py bin/reboot
'bin/reboot' -> 'systemd.py'

$ bin/reboot

Admittedly though, that's not the case here, as indicated by the difference in systemd behavior between halt and reboot.

sabroad · 2019-12-05 03:30:49

systemd has since added some authorizations that imply reboot, eg. logind: imply right to reboot when user has right to set reboot-to-fi…

For this reason, there are additional actions that need auth:

# cat /etc/polkit-1/rules.d/10-admin-shutdown-reboot.rules 
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.login1.power-off" ||
        action.id == "org.freedesktop.login1.power-off-ignore-inhibit" ||
        action.id == "org.freedesktop.login1.power-off-multiple-sessions" ||
        action.id == "org.freedesktop.login1.set-reboot-parameter" ||
        action.id == "org.freedesktop.login1.set-reboot-to-firmware-setup" ||
        action.id == "org.freedesktop.login1.set-reboot-to-boot-loader-menu" ||
        action.id == "org.freedesktop.login1.set-reboot-to-boot-loader-entry" ||
        action.id == "org.freedesktop.login1.reboot" ||
        action.id == "org.freedesktop.login1.reboot-ignore-inhibit" ||
        action.id == "org.freedesktop.login1.reboot-multiple-sessions"
    ) {
        return polkit.Result.AUTH_SELF_KEEP;
    }
});

Last edited by sabroad (2019-12-05 03:34:38)

Maniaxx · 2019-12-05 21:10:11

Yes, that finally works. Thanks for that.
But as mentioned before it blocks the xfce4/whiskermenu as well. Any idea for an exception rule? I just want to have the shell blocked.

seth · 2019-12-05 21:58:14

Ok, back to

i want to protect myself accidentally invoking this command

In that case the most simple and straight forward approach is to shadow the command w/ a script that checks the UID before running the actual command, ie.
/usr/local/bin/reboot

#!/bin/sh
[ $UID = 0 ] && /bin/reboot

sabroad · 2019-12-05 23:59:32

Maniaxx wrote:

it blocks the xfce4/whiskermenu [...] I just want to have the shell blocked.

The default polkit rules will allow [xfce] user sessions to shutdown via D-Bus.

To prevent a command being executed, remove the execute bit:

# chmod o-x /usr/bin/systemctl

Can sudo to execute directly.

Last edited by sabroad (2019-12-06 00:06:48)

Trilby · 2019-12-06 00:50:19

Or just remove the `reboot` symlink and put it in "NoExtract" in pacman.conf. Or perhaps even better, just remove systemd-sysvcompat as the primary (perhaps only) function of this package is to provide the reboot|halt|poweroff and related "binaries" (all just symlinks).

Maniaxx · 2019-12-08 18:27:58

I think i'll go for the renamed 'reboot' binary as i don't want to break 'systemctl' in user/other context.

Thanks!

Arch Linux

#1 2019-12-03 02:33:52

[Solved] Disallow 'reboot' for non-root users

#2 2019-12-03 08:26:13

Re: [Solved] Disallow 'reboot' for non-root users

#3 2019-12-03 12:24:08

Re: [Solved] Disallow 'reboot' for non-root users

#4 2019-12-03 12:37:51

Re: [Solved] Disallow 'reboot' for non-root users

#5 2019-12-03 12:47:09

Re: [Solved] Disallow 'reboot' for non-root users

#6 2019-12-03 19:21:59

Re: [Solved] Disallow 'reboot' for non-root users

#7 2019-12-03 20:31:17

Re: [Solved] Disallow 'reboot' for non-root users

#8 2019-12-03 21:47:50

Re: [Solved] Disallow 'reboot' for non-root users

#9 2019-12-03 22:42:01

Re: [Solved] Disallow 'reboot' for non-root users

#10 2019-12-03 23:16:16

Re: [Solved] Disallow 'reboot' for non-root users

#11 2019-12-04 11:08:41

Re: [Solved] Disallow 'reboot' for non-root users

#12 2019-12-04 12:51:25

Re: [Solved] Disallow 'reboot' for non-root users

#13 2019-12-05 01:33:54

Re: [Solved] Disallow 'reboot' for non-root users

#14 2019-12-05 03:18:40

Re: [Solved] Disallow 'reboot' for non-root users

#15 2019-12-05 03:30:49

Re: [Solved] Disallow 'reboot' for non-root users

#16 2019-12-05 21:10:11

Re: [Solved] Disallow 'reboot' for non-root users

#17 2019-12-05 21:58:14

Re: [Solved] Disallow 'reboot' for non-root users

#18 2019-12-05 23:59:32

Re: [Solved] Disallow 'reboot' for non-root users

#19 2019-12-06 00:50:19

Re: [Solved] Disallow 'reboot' for non-root users

#20 2019-12-08 18:27:58

Re: [Solved] Disallow 'reboot' for non-root users

Board footer