Hello, In the Message; Subject : Re: How to Disable KDE User Halt and Reboot Buttons? Message-ID : <81eaaca9-ac60-4b80-a2ee-c2f8f023b06c@sweet-haven.com> Date & Time: Fri, 10 May 2024 16:57:10 -0700 [LW] == Lew Wolfgang has written: [...] MN> > Will a setting of needs_root_rights=no in /etc/X11/Xwrapper.config not MN> > work? LW> I don't have that filename in any of my systems, does it need to LW> be created? You within the xorg-x11-server related files not installed? This will help you; $ man Xwrapper.config Best Regards. --- ┏━━┓彡 野宮 賢 mail-to: nomiya @ lake.dti.ne.jp ┃＼／彡 ┗━━┛ "Maddox hopes that empowering users to pick their own algorithms will get them to think more about what’s involved in making them. " -- Bluesky's Custom Algorithms Could Be the Future of Social Media --

Hello, In the Message; Subject : Re: How to Disable KDE User Halt and Reboot Buttons? Message-ID : Date & Time: Fri, 10 May 2024 18:47:57 -0600 [DG] == Darryl Gregorash has written: DG> On 2024-05-10 18:28, Masaru Nomiya wrote: [...] MN> > You within the xorg-x11-server related files not installed? MN> > This will help you; DG> > $ man Xwrapper.config DG> No such manpage, and no such file anywhere on my system. Is it? On my Tumbleweed like this? $ rpm -qf /usr/share/man/man5/Xwrapper.config.5.gz xorg-x11-server-21.1.12-750.5.x86_64 Best Regards, --- ┏━━┓彡 Masaru Nomiya mail-to: nomiya @ lake.dti.ne.jp ┃＼／彡 ┗━━┛ "Microsoft is overhauling its cybersecurity strategy, called the Secure Future Initiative, to incorporate key security features into its core set of technology platforms and cloud services. " -- Microsoft overhauls cyber strategy to finally embrace security by default --

Hello, In the Message; Subject : Re: How to Disable KDE User Halt and Reboot Buttons? Message-ID : <74e46e88-052a-4e04-8218-eb2e7d90661f@sweet-haven.com> Date & Time: Fri, 10 May 2024 18:27:28 -0700 [LW] == Lew Wolfgang has written: [...] MN> > On my Tumbleweed like this? MN> > $ rpm -qf /usr/share/man/man5/Xwrapper.config.5.gz MN> > xorg-x11-server-21.1.12-750.5.x86_64 LW> Ah, my fault. LW> I'm working with Leap 15.5, which has LW> xorg-xll-server-21.1.4-150500.7.26.1.x86_64. You can't use Tumbleweed in business. LW> Xwrapper.config apparently isn't in that package. From Xwrapper.con man; DESCRIPTION The Xorg X server may need root rights to function properly. To start the Xorg X server with these rights your system is using a suid root wrapper installed as /usr/bin/Xorg.wrap which will execute the real X server which is installed as /usr/bin/Xorg. By default Xorg.wrap will autodetect if root rights are necessary, and if not it will drop its elevated rights before starting the real X server. By default Xorg.wrap will only allow executing the real X server from login sessions on a physical console. CONFIG FILE Xorg.wrap’s default behavior can be overridden from the /etc/X11/Xwrap‐ per.config config file. Lines starting with a # in Xwrapper.config are considered comments and will be ignored. Any other non empty lines must take the form of key = value. allowed_users = rootonly|console|anybody Specify which users may start the X server through the wrapper. Use rootonly to only allow root, use console to only allow users logged into a physical console, and use anybody to allow anybody. The default is console. needs_root_rights = yes|no|auto Configure if the wrapper should drop its elevated (root) rights before starting the X server. Use yes to force execution as root, no to force execution with all suid rights dropped, and auto to let the wrapper auto‐detect. The default is auto. When auto‐detecting the wrapper will drop rights if kms graphics are available and not drop them if no kms graphics are detected. If a sys‐ tem has multiple graphics cards and some are not kms capable auto‐de‐ tection may fail, in this case manual configuration should be used. SEE ALSO Xorg X server information: Xorg(1) Best Regards. --- ┏━━┓彡 Masaru Nomiya mail-to: nomiya @ lake.dti.ne.jp ┃＼／彡 ┗━━┛ "Loyalty cards are a symbol of "spending" not "saving"... I saved 20,000 yen a month when I stopped "act of collecting points"" -- Shihomi Shimomura --

On 2024-05-10 19:11, Masaru Nomiya wrote:

Hello,

In the Message;

Subject : Re: How to Disable KDE User Halt and Reboot Buttons? Message-ID : Date & Time: Fri, 10 May 2024 18:47:57 -0600

[DG] == Darryl Gregorash has written:

DG> On 2024-05-10 18:28, Masaru Nomiya wrote: [...] MN> > You within the xorg-x11-server related files not installed?

MN> > This will help you;

DG> > $ man Xwrapper.config

DG> No such manpage, and no such file anywhere on my system.

Is it?

On my Tumbleweed like this?

$ rpm -qf /usr/share/man/man5/Xwrapper.config.5.gz xorg-x11-server-21.1.12-750.5.x86_64

It's not in 21.1.11, which is what is on 15.6

Hello, In the Message; Subject : Re: How to Disable KDE User Halt and Reboot Buttons? Message-ID : <901e2d37-eb26-4a6c-9444-ec5cfc987f51@accesscomm.ca> Date & Time: Fri, 10 May 2024 20:37:47 -0600 [DG] == Darryl Gregorash has written: [...] MN> > On my Tumbleweed like this? MN> > $ rpm -qf /usr/share/man/man5/Xwrapper.config.5.gz MN> > xorg-x11-server-21.1.12-750.5.x86_64 DG> It's not in 21.1.11, which is what is on 15.6 Sorry for mistake. Indeed, leap 15.5 and leap 15.6 do not have the xorg-x11-server-wrapper package, which contains the key Xorg.wrap binary. It seems that leap uses the xrdp packages. How about these? $ man xrdp.ini and $ man sesman.ini Best Regards. --- ┏━━┓彡 Masaru Nomiya mail-to: nomiya @ lake.dti.ne.jp ┃＼／彡 ┗━━┛ "Distinguish between what is meaningful to me and what is meaningless, and forget what is meaningless to me. This is where individuality comes into play. This is a function that computer cannot perform." -- Shigehiko Toyama (in Japanes) --

On 11.05.2024 07:10, Lew Wolfgang wrote:

On 5/10/24 12:05, Lew Wolfgang wrote:

...

Hi Folks,

I've searched a bit but haven't found a satisfying answer to my issue.

The problem occurs when a non-root user connects to a server using xrdp.  This user then has full authorization to halt/reboot the server using the KDE halt or reboot buttons,  not exactly an ideal situation.

So how can I disable remote xrdp-connected users from rebooting or halting the server?  This would also stop users from rebooting/halting the server when directly sitting at the console, which may not exist anyway.

Thanks to those folks who commented on this question.

I found a partial solution after thinking about it a bit.  Having buttons that can sleep, hibernate, reboot, and halt the system available to the user sitting in front of the console of a desktop makes perfect sense.  The problem appears when a user connects to that desktop remotely.

I remembered that I used the "Desktop" pattern when installing the server software!  So I checked in yast2 under the Security Center and selected Network Server under the Preconfigured Security Configurations option.  That fixed the problem!  Either a window prompting for the root password appears, or the xrdp session closes.  The server continues to run as desired.

Network Server will use the "restrictive" profile of default polkit rules which always requires admin authentication to perform actions via logind. That is not what you wanted (only prevent actions in xrdp session). Default profile will allow reboot etc for locally logged in users. If users in xrdp session were not required to authenticate, it implies that xrdp session is considered local. Which is arguably wrong. The output of loginctl show-session N where N is session number for local and xrdp sessions would be interesting.

Having the buttons still there could be confusing to some users, but at least they can't crash the server.

Regards, Lew