You are not logged in.

#1 2019-12-03 02:33:52

Maniaxx
Member
From: .de
Registered: 2014-05-14
Posts: 288

[Solved] Disallow 'reboot' for non-root users

I want to prevent 'reboot' (and 'shutdown') for non-root users (should be 'sudo' only). Or in other words, i want to protect myself accidentally invoking this command. The wiki explains only the opposite: How to allow non-root users. I have to admit i can't remember anymore if i once enabled something like this before indeed (for whatever reason). If so, i cannot find the place anymore. There's nothing in 'sudoers' and my groups are 6(disk),10(wheel),92(audio),93(optical),95(storage),108(vboxusers),150(wireshark),983(realtime),986(libvirt),989(samba),1002(wine),1004(lxd).
I use xfce with startx.

Any ideas?
Is it default behavior in Arch that non-root users can 'reboot' by shell?

Last edited by Maniaxx (2019-12-08 18:28:35)


sys2064

Offline

#2 2019-12-03 08:26:13

seth
Member
Registered: 2012-09-03
Posts: 13,136

Re: [Solved] Disallow 'reboot' for non-root users

It's the default w/ systemd an non-broken sessions - https://wiki.archlinux.org/index.php/Al … emd-logind
=> /usr/share/polkit-1/actions/org.freedesktop.login1.policy

Offline

#3 2019-12-03 12:24:08

sabroad
Member
Registered: 2015-05-24
Posts: 80

Re: [Solved] Disallow 'reboot' for non-root users

Maniaxx wrote:

i want to protect myself accidentally invoking this command

See [solved] How to enable password request for restart and shutdown?

# cat /etc/polkit-1/rules.d/10-admin-shutdown-reboot.rules 
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.login1.power-off" ||
        action.id == "org.freedesktop.login1.power-off-ignore-inhibit" ||
        action.id == "org.freedesktop.login1.power-off-multiple-sessions" ||
        action.id == "org.freedesktop.login1.reboot" ||
        action.id == "org.freedesktop.login1.reboot-ignore-inhibit" ||
        action.id == "org.freedesktop.login1.reboot-multiple-sessions"
    ) {
        return polkit.Result.AUTH_SELF_KEEP;
    }
});

Alternatively

return polkit.Result.NO

to flat out deny, but prompting for password should be sufficient to avoid accidental use (whilst retaining convenience).


--
saint_abroad

Offline

#4 2019-12-03 12:37:51

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 22,409
Website

Re: [Solved] Disallow 'reboot' for non-root users

seth wrote:

It's the default w/ systemd an non-broken sessions

No it isn't.  The default is for regular users to not be able to issue these commands.  Even according to the link you posted, if you want to change this behavior to allow users to run these commands, you should install polkit (which is not part of a "default" or base install).

If you previously installed polkit to acheive this behavior and do not want it, remove polkit.

Last edited by Trilby (2019-12-03 12:45:44)


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline

#5 2019-12-03 12:47:09

seth
Member
Registered: 2012-09-03
Posts: 13,136

Re: [Solved] Disallow 'reboot' for non-root users

which is not part of a "default" or base instal

True, but it's a dep for among others udisks2 and an optional dep for systemd and to be found on every non-minimal environment.
I'll concede that "default" is highly subjective in this context and up for interpretation here, though.

Offline

#6 2019-12-03 19:21:59

Maniaxx
Member
From: .de
Registered: 2014-05-14
Posts: 288

Re: [Solved] Disallow 'reboot' for non-root users

I've tried /etc/polkit-1/rules.d/10-admin-shutdown-reboot.rules from above and all rules work but the reboot one (wtf?!).

pkcheck -u -p $$ -a org.freedesktop.login1.reboot

This gives exit 0. All other rules give exit 3 and get denied successfully.

I couldn't find the culprit yet.

Ideas?

$ pkaction -v -a org.freedesktop.login1.reboot
org.freedesktop.login1.reboot:
  description:       Reboot the system
  message:           Authentication is required for rebooting the system.
  vendor:            The systemd Project
  vendor_url:        http://www.freedesktop.org/wiki/Software/systemd
  icon:              
  implicit any:      auth_admin_keep
  implicit inactive: auth_admin_keep
  implicit active:   yes
  annotation:        org.freedesktop.policykit.imply -> org.freedesktop.login1.set-wall-message

Last edited by Maniaxx (2019-12-03 19:41:00)


sys2064

Offline

#7 2019-12-03 20:31:17

seth
Member
Registered: 2012-09-03
Posts: 13,136

Re: [Solved] Disallow 'reboot' for non-root users

What about return polkit.Result.NO ? (maybe you've a hot auth for the action)

Offline

#8 2019-12-03 21:47:50

Maniaxx
Member
From: .de
Registered: 2014-05-14
Posts: 288

Re: [Solved] Disallow 'reboot' for non-root users

Same effect. Does pkcheck -u -p $$ -a org.freedesktop.login1.reboot work for you (exit not 0)? Just to make sure.
I checked '/usr/share/polkit-1/actions/org.freedesktop.login1.policy' for integrity, looked up systemd rules, logind.conf and sysctl.d. Not sure where i could have changed it. Where is 'git status' when you need it...

I will try to find some debug functions for systemctl to report what it's doing exactly.


sys2064

Offline

#9 2019-12-03 22:42:01

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 22,409
Website

Re: [Solved] Disallow 'reboot' for non-root users

Do you need polkit for something else?

Notwithstanding the claim that it is a dependency of virtual everything (it isn't), I've never had it on any of my systems.


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline

#10 2019-12-03 23:16:16

Maniaxx
Member
From: .de
Registered: 2014-05-14
Posts: 288

Re: [Solved] Disallow 'reboot' for non-root users

It has some dependencies. The depchain is even longer indeed.

Required By     : accountsservice  colord  cups-pk-helper  gconf  libvirt  mate-polkit  mate-settings-daemon
                  networkmanager  packagekit  polkit-gnome  polkit-qt5  rtkit  udisks2  xfce4-session

I can live with polkit. The question is rather why it doesn't work. I suspect systemd but 'systemctl reboot' is not really a service.


sys2064

Offline

#11 2019-12-04 11:08:41

sabroad
Member
Registered: 2015-05-24
Posts: 80

Re: [Solved] Disallow 'reboot' for non-root users

Maniaxx wrote:

I've tried /etc/polkit-1/rules.d/10-admin-shutdown-reboot.rules from above and all rules work but the reboot one (wtf?!).

Do you have some sudo rule alternatively allowing this? eg.

%wheel ALL = NOPASSWD: /sbin/reboot

--
saint_abroad

Offline

#12 2019-12-04 12:51:25

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 22,409
Website

Re: [Solved] Disallow 'reboot' for non-root users

sabroad, such a rule in sudoers would not magically allow the bare command to be run as a regular user, it would only allow it to be run with `sudo reboot` without prompting for a password.


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline

#13 2019-12-05 01:33:54

Maniaxx
Member
From: .de
Registered: 2014-05-14
Posts: 288

Re: [Solved] Disallow 'reboot' for non-root users

Maybe its not just me but a general bug. Please someone run this as normal user in shell:

pkcheck -u -p $$ -a org.freedesktop.login1.reboot; echo $?

If it throws '0' we are in the same boat.

Edit: Btw, the polkit rules above also disable 'shutdown' in my xfce startmenu (whiskermenu). Needs an exception or something if it might be useful one day.

Last edited by Maniaxx (2019-12-05 01:49:58)


sys2064

Offline

#14 2019-12-05 03:18:40

sabroad
Member
Registered: 2015-05-24
Posts: 80

Re: [Solved] Disallow 'reboot' for non-root users

Trilby wrote:

such a rule in sudoers would not magically allow the bare command

Any program, including systemd, can magically use sudo NOPASSWD behind the scenes:

$ cat bin/systemd.py 
#!/usr/bin/env python3
import os
os.system('sudo reboot')

$ ln -sv systemd.py bin/reboot
'bin/reboot' -> 'systemd.py'

$ bin/reboot

Admittedly though, that's not the case here, as indicated by the difference in systemd behavior between halt and reboot.


--
saint_abroad

Offline

#15 2019-12-05 03:30:49

sabroad
Member
Registered: 2015-05-24
Posts: 80

Re: [Solved] Disallow 'reboot' for non-root users

systemd has since added some authorizations that imply reboot, eg. logind: imply right to reboot when user has right to set reboot-to-fi…

For this reason, there are additional actions that need auth:

# cat /etc/polkit-1/rules.d/10-admin-shutdown-reboot.rules 
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.login1.power-off" ||
        action.id == "org.freedesktop.login1.power-off-ignore-inhibit" ||
        action.id == "org.freedesktop.login1.power-off-multiple-sessions" ||
        action.id == "org.freedesktop.login1.set-reboot-parameter" ||
        action.id == "org.freedesktop.login1.set-reboot-to-firmware-setup" ||
        action.id == "org.freedesktop.login1.set-reboot-to-boot-loader-menu" ||
        action.id == "org.freedesktop.login1.set-reboot-to-boot-loader-entry" ||
        action.id == "org.freedesktop.login1.reboot" ||
        action.id == "org.freedesktop.login1.reboot-ignore-inhibit" ||
        action.id == "org.freedesktop.login1.reboot-multiple-sessions"
    ) {
        return polkit.Result.AUTH_SELF_KEEP;
    }
});

Last edited by sabroad (2019-12-05 03:34:38)


--
saint_abroad

Offline

#16 2019-12-05 21:10:11

Maniaxx
Member
From: .de
Registered: 2014-05-14
Posts: 288

Re: [Solved] Disallow 'reboot' for non-root users

Yes, that finally works. Thanks for that.
But as mentioned before it blocks the xfce4/whiskermenu as well. Any idea for an exception rule? I just want to have the shell blocked.


sys2064

Offline

#17 2019-12-05 21:58:14

seth
Member
Registered: 2012-09-03
Posts: 13,136

Re: [Solved] Disallow 'reboot' for non-root users

Ok, back to

i want to protect myself accidentally invoking this command

In that case the most simple and straight forward approach is to shadow the command w/ a script that checks the UID before running the actual command, ie.
/usr/local/bin/reboot

#!/bin/sh
[ $UID = 0 ] && /bin/reboot

Offline

#18 2019-12-05 23:59:32

sabroad
Member
Registered: 2015-05-24
Posts: 80

Re: [Solved] Disallow 'reboot' for non-root users

Maniaxx wrote:

it blocks the xfce4/whiskermenu [...] I just want to have the shell blocked.

The default polkit rules will allow [xfce] user sessions to shutdown via D-Bus.

To prevent a command being executed, remove the execute bit:

# chmod o-x /usr/bin/systemctl

Can sudo to execute directly.

Last edited by sabroad (2019-12-06 00:06:48)


--
saint_abroad

Offline

#19 2019-12-06 00:50:19

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 22,409
Website

Re: [Solved] Disallow 'reboot' for non-root users

Or just remove the `reboot` symlink and put it in "NoExtract" in pacman.conf.  Or perhaps even better, just remove systemd-sysvcompat as the primary (perhaps only) function of this package is to provide the reboot|halt|poweroff and related "binaries" (all just symlinks).


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline

#20 2019-12-08 18:27:58

Maniaxx
Member
From: .de
Registered: 2014-05-14
Posts: 288

Re: [Solved] Disallow 'reboot' for non-root users

I think i'll go for the renamed 'reboot' binary as i don't want to break 'systemctl' in user/other context.

Thanks!


sys2064

Offline

Board footer

Powered by FluxBB