[arch-general] systemctl reboot
Hi,

as user I have the permission to run systemctl reboot _without_ sudo.

$ groups
wheel games video audio optical storage power users vboxusers rocketmouse

$ sudo cat /etc/sudoers | grep -v "#" | grep " "
root ALL=(ALL) ALL
rocketmouse ALL=(ALL) ALL

1. How can I disable it?
2. Since I'm the only user I could live with it, but I anyway want to be asked for a password, before I run the command by a menu entry.

Is anything speaking against running gksudo systemctl reboot ?
Is anything speaking against running gksudo -u some_user reboot ?

I don't think so, but I want to ensure that I don't miss something.

Again, I can execute it successfully without gksudo, I want to add gksudo, because I want to be asked for the password.

Regards,
Ralf

You have most probably installed the polkit package.

On 13 September 2014 16:13, Ralf Mardorf <ralf.mardorf@rocketmail.com> wrote:
> Hi,
>
> as user I have the permission to run systemctl reboot _without_ sudo.
>
> $ groups
> wheel games video audio optical storage power users vboxusers rocketmouse
>
> $ sudo cat /etc/sudoers | grep -v "#" | grep " "
> root ALL=(ALL) ALL
> rocketmouse ALL=(ALL) ALL
>
> 1. How can I disable it?
> 2. Since I'm the only user I could live with it, but I anyway want to be asked for a password, before I run the command by a menu entry.
>
> Is anything speaking against running gksudo systemctl reboot ?
> Is anything speaking against running gksudo -u some_user reboot ?
>
> I don't think so, but I want to ensure that I don't miss something.
>
> Again, I can execute it successfully without gksudo, I want to add gksudo, because I want to be asked for the password.
>
> Regards,
> Ralf

2014-09-13 11:13 GMT-03:00 Ralf Mardorf <ralf.mardorf@rocketmail.com>:
> Hi,
>
> as user I have the permission to run systemctl reboot _without_ sudo.
>
> $ groups
> wheel games video audio optical storage power users vboxusers rocketmouse
>
> $ sudo cat /etc/sudoers | grep -v "#" | grep " "
> root ALL=(ALL) ALL
> rocketmouse ALL=(ALL) ALL
>
> 1. How can I disable it?
> 2. Since I'm the only user I could live with it, but I anyway want to be asked for a password, before I run the command by a menu entry.
>
> Is anything speaking against running gksudo systemctl reboot ?
> Is anything speaking against running gksudo -u some_user reboot ?
>
> I don't think so, but I want to ensure that I don't miss something.
>
> Again, I can execute it successfully without gksudo, I want to add gksudo, because I want to be asked for the password.
>
> Regards,
> Ralf

I think this is because your current session is the only session running. In those situations systemctl power management commands don't ask for root/sudo password. Not sure how to disable though. If you had another session running (e.g. a VT) the commands would ask for root/sudo password.

--
Mateus Rodrigues Costa

Systemd, of course, *would* ask for a password, if polkit (PolicyKit) weren't there.

On 13 September 2014 17:30, Mateus Rodrigues Costa <charles.costar@gmail.com> wrote:
> 2014-09-13 11:13 GMT-03:00 Ralf Mardorf <ralf.mardorf@rocketmail.com>:
> > Hi,
> >
> > as user I have the permission to run systemctl reboot _without_ sudo.
> >
> > $ groups
> > wheel games video audio optical storage power users vboxusers rocketmouse
> >
> > $ sudo cat /etc/sudoers | grep -v "#" | grep " "
> > root ALL=(ALL) ALL
> > rocketmouse ALL=(ALL) ALL
> >
> > 1. How can I disable it?
> > 2. Since I'm the only user I could live with it, but I anyway want to be asked for a password, before I run the command by a menu entry.
> >
> > Is anything speaking against running gksudo systemctl reboot ?
> > Is anything speaking against running gksudo -u some_user reboot ?
> >
> > I don't think so, but I want to ensure that I don't miss something.
> >
> > Again, I can execute it successfully without gksudo, I want to add gksudo, because I want to be asked for the password.
> >
> > Regards,
> > Ralf
>
> I think this is because your current session is the only session running. In those situations systemctl power management commands don't ask for root/sudo password. Not sure how to disable though. If you had another session running (e.g. a VT) the commands would ask for root/sudo password.
>
> --
> Mateus Rodrigues Costa

2014-09-13 12:42 GMT-03:00 Neven Sajko <nsajko@gmail.com>:
> Systemd, of course, *would* ask for a password, if polkit (PolicyKit) weren't there.

Ah, thanks for pointing that out. Anyway, is disabling the service enough or does he need to uninstall the package completely? I see that on my system polkit is a dependency for some packages, so it might not be easy/recommended to simply uninstall it.

> $ groups
> wheel games video audio optical storage power users vboxusers rocketmouse

Btw, I think systemd takes care of (and "replaces") some of these groups and you don't need (and in some cases shouldn't) add your user to them unless really needed. You should take a look at the Groups page at the wiki about that.

> $ sudo cat /etc/sudoers | grep -v "#" | grep " "
> root ALL=(ALL) ALL
> rocketmouse ALL=(ALL) ALL

Sorry for this one but, any reason you thought that you should create a custom group instead of using the wheel group? Also, if you are using that custom group for sudo, why is your user both in that group and wheel?

--
Mateus Rodrigues Costa

On Sat, 2014-09-13 at 13:33 -0300, Mateus Rodrigues Costa wrote:
> 2014-09-13 12:42 GMT-03:00 Neven Sajko <nsajko@gmail.com>:
> > Systemd, of course, *would* ask for a password, if polkit (PolicyKit) weren't there.
>
> Ah, thanks for pointing that out. Anyway, is disabling the service enough or does he need to uninstall the package completely? I see that on my system polkit is a dependency for some packages, so it might not be easy/recommended to simply uninstall it.

A good question :), resp. when do I need it and when don't I need it? I have to read a little bit.

> > $ groups
> > wheel games video audio optical storage power users vboxusers rocketmouse
>
> Btw, I think systemd takes care of (and "replaces") some of these groups and you don't need (and in some cases shouldn't) add your user to them unless really needed. You should take a look at the Groups page at the wiki about that.

I will do this.

> > $ sudo cat /etc/sudoers | grep -v "#" | grep " "
> > root ALL=(ALL) ALL
> > rocketmouse ALL=(ALL) ALL
>
> Sorry for this one but, any reason you thought that you should create a custom group instead of using the wheel group? Also, if you are using that custom group for sudo, why is your user both in that group and wheel?

Thank you, I'll read about this too.

Regards,
Ralf

On Sat, Sep 13, 2014 at 01:33:17PM -0300, Mateus Rodrigues Costa wrote:
> 2014-09-13 12:42 GMT-03:00 Neven Sajko <nsajko@gmail.com>:
> > Systemd, of course, *would* ask for a password, if polkit (PolicyKit) weren't there.
>
> Ah, thanks for pointing that out. Anyway, is disabling the service enough or does he need to uninstall the package completely? I see that on my system polkit is a dependency for some packages, so it might not be easy/recommended to simply uninstall it.

I don't know why people suggest disabling polkit when polkit itself allows you to change this stuff to your heart's content. It is extensively documented in the Wiki:

https://wiki.archlinux.org/index.php/polkit#Actions

"...here are a few commonly used groups of actions:
systemd-logind (org.freedesktop.login1.policy) actions regulated by polkit include powering off, rebooting, suspending and hibernating the system, including when other users may still be logged in..."

"For each of these settings the following options are available:
...
auth_self: Authentication is required but the user need not be an administrative user.
auth_admin: Authentication as an administrative user is required.
auth_self_keep: The same as auth_self but, like sudo, the authorization lasts a few minutes.
auth_admin_keep: The same as auth_admin but, like sudo, the authorization lasts a few minutes...."

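The approach described in the message above, as an added example that is not part of the original thread: a polkit rule (polkit rules are written in JavaScript) that makes the reboot and power-off actions of org.freedesktop.login1.policy prompt for a password. The file name, the function and variable names, and the choice of auth_self for a local active session are assumptions made for illustration.

```javascript
// Added example, not from the thread. Assumed location on a system with
// polkit >= 0.106: /etc/polkit-1/rules.d/10-power-auth.rules

// Under polkitd the real polkit.Result table is used; the literal fallback
// only exists so the rule can be exercised outside polkitd.
var powerAuthResult = (typeof polkit !== "undefined") ? polkit.Result : {
  AUTH_SELF: "auth_self", AUTH_ADMIN: "auth_admin", NOT_HANDLED: null
};

var LOGIN1_PREFIX = "org.freedesktop.login1.";

// Plain reboot/power-off: the case that ran without any prompt in the thread.
var SOLE_SESSION = ["reboot", "power-off"];

// Variants logind checks when other users are logged in or an inhibitor
// lock is held; these affect more than the caller, so require an admin.
var ESCALATED = [
  "reboot-multiple-sessions", "reboot-ignore-inhibit",
  "power-off-multiple-sessions", "power-off-ignore-inhibit"
];

function powerAuthRule(action, subject) {
  if (action.id.indexOf(LOGIN1_PREFIX) !== 0) {
    return powerAuthResult.NOT_HANDLED;       // not a logind action
  }
  var name = action.id.slice(LOGIN1_PREFIX.length);
  if (ESCALATED.indexOf(name) !== -1) {
    return powerAuthResult.AUTH_ADMIN;
  }
  if (SOLE_SESSION.indexOf(name) !== -1) {
    // The user's own password is enough only on a local, active session;
    // any other caller (for example a remote login) needs admin auth.
    return (subject.local && subject.active)
      ? powerAuthResult.AUTH_SELF
      : powerAuthResult.AUTH_ADMIN;
  }
  return powerAuthResult.NOT_HANDLED;         // suspend etc. keep defaults
}

// Register with polkitd when loaded as a rules file.
if (typeof polkit !== "undefined") {
  polkit.addRule(powerAuthRule);
}
```

Returning NOT_HANDLED leaves every other action to later rules and to the defaults shipped in the .policy file, so only the reboot and power-off prompts change.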
On Sat, 2014-09-13 at 17:42 +0200, Neven Sajko wrote:
> On 13 September 2014 17:30, Mateus Rodrigues Costa <charles.costar@gmail.com> wrote:
> > I think this is because your current session is the only session running. In those situations systemctl power management commands don't ask for root/sudo password. Not sure how to disable though. If you had another session running (e.g. a VT) the commands would ask for root/sudo password.

Correct, if I run a second session no reboot happens:

$ systemctl reboot
User chuser is logged in on tty2.
Please retry operation after closing inhibitors and logging out other users.
Alternatively, ignore inhibitors and users with 'systemctl reboot -i'.

_But_ systemctl reboot -i does work with 2 sessions running by different users.

> Systemd, of course, *would* ask for a password, if polkit (PolicyKit) weren't there.

And yes, polkit is installed:

$ pacman -Q polkit
polkit 0.112-2

Since I also want to be asked for a password before screen locking or a logout, I guess I'll use this or a similar script for fbpanel menu entries:

$ cat /usr/local/bin/obexit
#!/bin/dash

# /usr/local/bin/obexit

obexit_version=2014.09.13

case $1 in
  # sudo -k ignores cached credentials, so "sudo -k echo" always prompts;
  # the action runs only if authentication succeeded.
  .lock)
    sudo -k echo
    if [ "$?" = "0" ]; then xflock4; fi;;
  .logout)
    sudo -k echo
    if [ "$?" = "0" ]; then /usr/lib/fbpanel/xlogout; fi;;
  # Menu entries: open a terminal so the password prompt is visible.
  -o|--logout)   roxterm -T "Log Out" -e obexit .logout;;
  -l|--lock)     roxterm -T "Lock Screen" -e obexit .lock;;
  -r|--restart)  roxterm -T "Restart" -e sudo -k shutdown -r now;;
  -s|--shutdown) roxterm -T "Shut Down" -e sudo -k shutdown -h now;;
  -a|--about)    echo "$0 $obexit_version Rocketmouse";;
  -v|--version)  echo "$obexit_version";;
  *)
    # Quoted so that [OPTION] is not treated as a glob pattern.
    echo "Usage: obexit [OPTION]"
    echo ".lock xflock4 Lock Screen"
    echo ".logout fbpanel Log Out"
    echo "-o, --logout Term Log Out"
    echo "-l, --lock Term Lock Screen"
    echo "-r, --restart Term Restart"
    echo "-s, --shutdown Term Shut Down"
    echo "-a, --about About"
    echo "-v, --version Version"
    ;;
esac

JFTR a user can run shutdown -r now too.

Regards,
Ralf

participants (4)
- aakempf@gmail.com
- Mateus Rodrigues Costa
- Neven Sajko
- Ralf Mardorf