[Bug 1010779] New: setting rules via polkit-default-privs.local has no effect
http://bugzilla.suse.com/show_bug.cgi?id=1010779

Bug ID: 1010779
Summary: setting rules via polkit-default-privs.local has no effect
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.2
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: wagner-thomas@gmx.at
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

I intended to set up a system based on Leap 42.2 where users are not allowed to shutdown/reboot the machine. According to the documentation point 9.4.3 from [1], I added the following lines to /etc/polkit-default-privs.local

<snip>
  org.freedesktop.login1.power-off no
  org.freedesktop.login1.reboot no
<snap>

Then I issued the following command to update the rules:

  # sudo /sbin/set_polkit_default_privs

However, users can still use systemctl to reboot or shutdown. The rule doesn't seem to be applied.

  # pkaction -v -a org.freedesktop.login1.reboot
  org.freedesktop.login1.reboot:
    description:       Reboot the system
    message:           Authentication is required for rebooting the system.
    vendor:            The systemd Project
    vendor_url:        http://www.freedesktop.org/wiki/Software/systemd
    icon:
    implicit any:      auth_admin_keep
    implicit inactive: auth_admin_keep
    implicit active:   yes
    annotation:        org.freedesktop.policykit.imply -> org.freedesktop.login1.set-wall-message

Is this a bug of polkit or the documentation?

[1] https://doc.opensuse.org/documentation/leap/security/html/book.security/cha....

-- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1010779#c3
Marcus Meissner
Your output of pkaction is normal AFAIK. Apparently it doesn't evaluate the javascript rules in /etc/polkit-1/rules.d/, but only takes its information from /usr/share/polkit/actions (i.e. the defaults). Ok, then the documentation section 9.4.3 is IMHO misleading, since it suggests
http://bugzilla.suse.com/show_bug.cgi?id=1010779#c4
Thomas Wagner
@Thomas Wagner: can you confirm that adding these lines to polkit-default-privs.local as well (and running /sbin/set_polkit_default_privs afterwards) works for you too?

  org.freedesktop.login1.reboot-multiple-sessions no
  org.freedesktop.login1.power-off-multiple-sessions no

Can confirm, having all four lines in place will prevent a user from shutdown/reboot on Leap 42.2.
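
An added example, not part of the original bug report or of the polkit-default-privs package: a shell check that a polkit-default-privs.local style file denies all four login1 actions the thread ends up listing, so a file with only the two lines from the original report is flagged. The function name, the comment handling and the any:inactive:active triple form are assumptions, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: audit a polkit-default-privs.local style file.
# Each non-comment line is "<action> <setting>".
REQUIRED="org.freedesktop.login1.power-off
org.freedesktop.login1.power-off-multiple-sessions
org.freedesktop.login1.reboot
org.freedesktop.login1.reboot-multiple-sessions"

# Print each required action that is missing or not denied.
# Exit status 0 means all four actions are set to "no".
audit_login1_privs() {
    printf '%s\n' "$REQUIRED" | awk -v privs="$1" '
        # Assumption: a setting is one value or an any:inactive:active
        # triple; it counts as denied only if every part is "no".
        function denied(s,    p, n, i) {
            n = split(s, p, ":")
            for (i = 1; i <= n; i++) if (p[i] != "no") return 0
            return n > 0
        }
        BEGIN {
            # Assumption: "#" starts a comment, the last entry wins.
            while ((getline line < privs) > 0) {
                sub(/#.*/, "", line)
                if (split(line, f) >= 2) setting[f[1]] = f[2]
            }
            close(privs)
        }
        !($1 in setting)     { print $1 ": missing"; bad = 1; next }
        !denied(setting[$1]) { print $1 ": " setting[$1]; bad = 1 }
        END { exit bad + 0 }
    '
}

# Constructed sample input: the two lines from the report, then all four.
tmp=$(mktemp -d)
printf '%s\n' 'org.freedesktop.login1.power-off no' \
              'org.freedesktop.login1.reboot no' > "$tmp/two-lines"
{ cat "$tmp/two-lines"
  printf '%s\n' 'org.freedesktop.login1.reboot-multiple-sessions no' \
                'org.freedesktop.login1.power-off-multiple-sessions no'
} > "$tmp/four-lines"

for f in two-lines four-lines; do
    echo "== $f"
    audit_login1_privs "$tmp/$f" && echo "all four actions denied"
done
```

The check reads only the file it is given; the settings still have to be applied with /sbin/set_polkit_default_privs as described in the thread.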