[Bug 856773] New: User is asked for root's password to hibernate, but not for shutdown or reboot.
https://bugzilla.novell.com/show_bug.cgi?id=856773 https://bugzilla.novell.com/show_bug.cgi?id=856773#c0 Summary: User is asked for root's password to hibernate, but not for shutdown or reboot. Classification: openSUSE Product: openSUSE 13.1 Version: Final Platform: x86-64 OS/Version: openSUSE 13.1 Status: NEW Severity: Major Priority: P5 - None Component: Usability AssignedTo: bnc-team-screening@forge.provo.novell.com ReportedBy: carlos.e.r@opensuse.org QAContact: qa-bugs@suse.de Found By: --- Blocker: --- Created an attachment (id=572909) --> (http://bugzilla.novell.com/attachment.cgi?id=572909) Photo of situation Situation: Freshly installed 13.1 system, XFCE desktop. On request to hibernate from menu, the user is asked for the root's password, but this is presented behind another dialog window, and can not be moved - see attached photo -. User has to blindly type the password hoping it goes to the right place. The situation is absurd for other reasons: the user is in front of the machine, so he can just pull the plug. The seated user should have the privilege to do certain things, as he has to mount devices and such. Further, the user is not asked for permission to power off the machine or reboot it. At worst, if this is a decision to implement this as a security policy, it should be consistent behaviour on halt, reboot, and hibernate; and it should be adjustable in YaST, at least a variable in the /etc/sysconfig directory: ask no permission, ask for root's password, ask for user's password. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=856773
https://bugzilla.novell.com/show_bug.cgi?id=856773#c
Xiyuan Liu
https://bugzilla.novell.com/show_bug.cgi?id=856773
https://bugzilla.novell.com/show_bug.cgi?id=856773#c1
Guido Berhörster
https://bugzilla.novell.com/show_bug.cgi?id=856773
https://bugzilla.novell.com/show_bug.cgi?id=856773#c2
Carlos Robinson
https://bugzilla.novell.com/show_bug.cgi?id=856773
https://bugzilla.novell.com/show_bug.cgi?id=856773#c3
Guido Berhörster
There are, of course, other users logged in on the same seat, MIND: the same seat.
But I want the root cause of this investigated, the decision to ask for root authorization at all, when it is not asked for powering down the machine or rebooting it. The policy is inconsistent.
Thus I have reported against usability, not XFCE.
The "root cause" are the policykit defaults defined in /etc/polkit-default-privs.standard: org.freedesktop.login1.power-off-multiple-sessions auth_admin_keep:auth_admin_keep:yes [...] org.freedesktop.login1.reboot-multiple-sessions auth_admin_keep:auth_admin_keep:yes [...] org.freedesktop.login1.hibernate-multiple-sessions auth_admin_keep So reassigning this to the polkit-default-privs bugowner.
There is also the problem that the password prompt goes behind another dialog despite being modal.
That is an entirely different issue and probably requires some reworking of the logout dialog of xfce4-session, please file a bug upstream against xfce4-session at https://bugzilla.xfce.org/enter_bug.cgi?product=Xfce4-session and attach the screenshot. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=856773
https://bugzilla.novell.com/show_bug.cgi?id=856773#c4
Carlos Robinson
(In reply to comment #2)
So reassigning this to the polkit-default-privs bugowner.
Thanks.
That is an entirely different issue and probably requires some reworking of the logout dialog of xfce4-session, please file a bug upstream against xfce4-session at https://bugzilla.xfce.org/enter_bug.cgi?product=Xfce4-session and attach the screenshot.
Done. https://bugzilla.xfce.org/show_bug.cgi?id=10581 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=856773
https://bugzilla.novell.com/show_bug.cgi?id=856773#c5
Marcus Meissner
https://bugzilla.novell.com/show_bug.cgi?id=856773
https://bugzilla.novell.com/show_bug.cgi?id=856773#c6
--- Comment #6 from Guido Berhörster
please run
loginctl list-sessions
if there are multiple users at seat0 this privilege is meant to avoid users killing other users sessions.
Carlos already said that that is the case and was asking about the inconsistency between shutdown/reboot being allowed from the active session while suspend/hibernate requires admin authentication: (In reply to comment #3)
The "root cause" are the policykit defaults defined in /etc/polkit-default-privs.standard:
org.freedesktop.login1.power-off-multiple-sessions auth_admin_keep:auth_admin_keep:yes [...] org.freedesktop.login1.reboot-multiple-sessions auth_admin_keep:auth_admin_keep:yes [...] org.freedesktop.login1.hibernate-multiple-sessions auth_admin_keep
-- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=856773
https://bugzilla.novell.com/show_bug.cgi?id=856773#c7
--- Comment #7 from Carlos Robinson
(In reply to comment #5)
please run
loginctl list-sessions
if there are multiple users at seat0 this privilege is meant to avoid users killing other users sessions.
Carlos already said that that is the case and was asking about the inconsistency between shutdown/reboot being allowed from the active session while suspend/hibernate requires admin authentication:
Correct, that's the point. I have a root session on tty1, which is also me, of course. IMO, there is no point in asking for root's password to hibernate and not to power off. Besides, the user can pull the cable and batteries. It is also very inconvenient not to be able to hibernate if the machine is a laptop, or it is an emergency like low battery power (laptops and desktops on UPS). The dangerous operation is halt, not hibernate. Hibernate preserves processes. This situation is similar to users not being able to setup printers, as Mr Linus pointed out some time ago. At worst, this should be easily configurable in YaST, so that we have an easy choice to impose strict policies or not. Suggest "strict, local user only, relaxed". Thanks. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=856773
https://bugzilla.novell.com/show_bug.cgi?id=856773#c8
--- Comment #8 from Marcus Meissner
https://bugzilla.novell.com/show_bug.cgi?id=856773
https://bugzilla.novell.com/show_bug.cgi?id=856773#c9
--- Comment #9 from Carlos Robinson
participants (1)
-
bugzilla_noreply@novell.com