Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Prevent normal users from power actions
35 views
Skip to first unread message
Christoph Pleger
Sep 29, 2022, 9:10:06 AM9/29/22
to
Hello,
I have been using this for quite a while to prevent normal users from
suspending, hibernating, shutting down or rebooting the computer from
their desktop session:
/etc/polkit-1/localauthority/50-local.d/custom-menu
[Disable suspend]
Identity=unix-user:*
Action=org.freedesktop.login1.suspend;org.freedesktop.login1.suspend-
multiple-sessions
ResultAny=auth_admin_keep
ResultInactive=auth_admin_keep
ResultActive=auth_admin_keep
[Disable hibernate]
Identity=unix-user:*
Action=org.freedesktop.login1.hibernate;org.freedesktop.login1.hibernat
e-multiple-sessions
ResultAny=auth_admin_keep
ResultInactive=auth_admin_keep
ResultActive=auth_admin_keep
[Disable shutdown]
Identity=unix-user:*
Action=org.freedesktop.login1.power-off;org.freedesktop.login1.power-
off-multiple-sessions
ResultAny=auth_admin_keep
ResultInactive=auth_admin_keep
ResultActive=auth_admin_keep
[Disable reboot]
Identity=unix-user:*
Action=org.freedesktop.login1.reboot;org.freedesktop.login1.reboot-
multiple-sessions
ResultAny=auth_admin_keep
ResultInactive=auth_admin_keep
ResultActive=auth_admin_keep
But I just realized that this does not work anymore in Debian 11. That
is, hibernating and suspending still require the user to enter the root
password, but rebooting and powering off work without authentication.
Why is this the case and what do I have to do to get again what I want?
I have tried from GNOME and KDE.
Regards
Christoph
I have been using this for quite a while to prevent normal users from
suspending, hibernating, shutting down or rebooting the computer from
their desktop session:
/etc/polkit-1/localauthority/50-local.d/custom-menu
[Disable suspend]
Identity=unix-user:*
Action=org.freedesktop.login1.suspend;org.freedesktop.login1.suspend-
multiple-sessions
ResultAny=auth_admin_keep
ResultInactive=auth_admin_keep
ResultActive=auth_admin_keep
[Disable hibernate]
Identity=unix-user:*
Action=org.freedesktop.login1.hibernate;org.freedesktop.login1.hibernat
e-multiple-sessions
ResultAny=auth_admin_keep
ResultInactive=auth_admin_keep
ResultActive=auth_admin_keep
[Disable shutdown]
Identity=unix-user:*
Action=org.freedesktop.login1.power-off;org.freedesktop.login1.power-
off-multiple-sessions
ResultAny=auth_admin_keep
ResultInactive=auth_admin_keep
ResultActive=auth_admin_keep
[Disable reboot]
Identity=unix-user:*
Action=org.freedesktop.login1.reboot;org.freedesktop.login1.reboot-
multiple-sessions
ResultAny=auth_admin_keep
ResultInactive=auth_admin_keep
ResultActive=auth_admin_keep
But I just realized that this does not work anymore in Debian 11. That
is, hibernating and suspending still require the user to enter the root
password, but rebooting and powering off work without authentication.
Why is this the case and what do I have to do to get again what I want?
I have tried from GNOME and KDE.
Regards
Christoph
Christoph Pleger
Sep 29, 2022, 11:30:06 AM9/29/22
to
> Hallo,
> But I just realized that this does not work anymore in Debian 11. That
> is, hibernating and suspending still require the user to enter the root
> password, but rebooting and powering off work without authentication.
> Why is this the case and what do I have to do to get again what I want?
If I enter the following:
pkaction -v -a org.freedesktop.login1.reboot
it tells me that authentication is necessary to reboot. Is there maybe
something else than org.freedesktop.login1.reboot that allows the
reboot, though org.freedesktop.login1.reboot denies it?
Regards
Christoph
> But I just realized that this does not work anymore in Debian 11. That
> is, hibernating and suspending still require the user to enter the root
> password, but rebooting and powering off work without authentication.
> Why is this the case and what do I have to do to get again what I want?
pkaction -v -a org.freedesktop.login1.reboot
it tells me that authentication is necessary to reboot. Is there maybe
something else than org.freedesktop.login1.reboot that allows the
reboot, though org.freedesktop.login1.reboot denies it?
Regards
Christoph
David Wright
Sep 29, 2022, 12:30:05 PM9/29/22
to
shutdown the system, and whether this applies only when seated at
a console or even to all users (for those of us who reboot with
CtrlAltDel and shutdown by touching the physical power button).
Cheers,
David.
Christoph Pleger
Sep 29, 2022, 1:00:06 PM9/29/22
to
Hello,
> I suppose it might be worth mentioning how your users reboot or
> shutdown the system, and whether this applies only when seated at
> a console or even to all users (for those of us who reboot with
> CtrlAltDel and shutdown by touching the physical power button).
When a user has started a graphical user session, like GNOME, KDE etc.,
there are several options to end or pause the session (without pressing
the power button or Ctrl-Alt-Del): Log out, Shutdown, Reboot, Suspend,
Hibernate, and maybe others. What I want is to require the user to
enter the root password in order to reboot or shutdown (and of course I
know that it is possible to shutdown or reboot the hard way).
Regards
Christoph
> I suppose it might be worth mentioning how your users reboot or
> shutdown the system, and whether this applies only when seated at
> a console or even to all users (for those of us who reboot with
> CtrlAltDel and shutdown by touching the physical power button).
there are several options to end or pause the session (without pressing
the power button or Ctrl-Alt-Del): Log out, Shutdown, Reboot, Suspend,
Hibernate, and maybe others. What I want is to require the user to
enter the root password in order to reboot or shutdown (and of course I
know that it is possible to shutdown or reboot the hard way).
Regards
Christoph
Brian
Sep 29, 2022, 4:00:06 PM9/29/22
to
can always reboot or shutdown. Your requirement to provede a root
password seems excessive. Are you hoping users will not notice
where the ON/OFF button is?
--
Brian.
David Wright
Sep 30, 2022, 12:40:06 AM9/30/22
to
On Thu 29 Sep 2022 at 18:55:03 (+0200), Christoph Pleger wrote:
> > I suppose it might be worth mentioning how your users reboot or
> > shutdown the system, and whether this applies only when seated at
> > a console or even to all users (for those of us who reboot with
> > CtrlAltDel and shutdown by touching the physical power button).
>
> When a user has started a graphical user session, like GNOME, KDE etc.,
> there are several options to end or pause the session (without pressing
> the power button or Ctrl-Alt-Del): Log out, Shutdown, Reboot, Suspend,
> Hibernate, and maybe others. What I want is to require the user to
> enter the root password in order to reboot or shutdown
Perhaps the answer lies in /etc/systemd/logind.conf with its array of
> > I suppose it might be worth mentioning how your users reboot or
> > shutdown the system, and whether this applies only when seated at
> > a console or even to all users (for those of us who reboot with
> > CtrlAltDel and shutdown by touching the physical power button).
>
> When a user has started a graphical user session, like GNOME, KDE etc.,
> there are several options to end or pause the session (without pressing
> the power button or Ctrl-Alt-Del): Log out, Shutdown, Reboot, Suspend,
> Hibernate, and maybe others. What I want is to require the user to
> enter the root password in order to reboot or shutdown
Handle*= and *IgnoreInhibited= settings.
> (and of course I
> know that it is possible to shutdown or reboot the hard way).
ways, as opposed to the Reset button (typical on 20th century PCs),
holding down the Power button, or just cutting the power. (I always
used to disconnect the Reset button from the mobo, first thing after
I acquired any PC.)
Cheers,
David.
0 new messages