On 5/11/24 04:38, Andrei Borzenkov wrote:
>> I remembered that I used the "Desktop" pattern when installing the server software! So I checked in yast2 under the Security Center and selected Network Server under the Preconfigured Security Configurations option. That fixed the problem! Either a window prompting for the root password appears, or the xrdp session closes. The server continues to run as desired.
>
> Network Server will use the "restrictive" profile of default polkit rules which always requires admin authentication to perform actions via logind. That is not what you wanted (only prevent actions in xrdp session).
>
> Default profile will allow reboot etc. for locally logged in users. If users in xrdp session were not required to authenticate, it implies that xrdp session is considered local. Which is arguably wrong.
>
> The output of
>
>     loginctl show-session N
>
> where N is session number for local and xrdp sessions would be interesting.
This didn't seem to work, Andrei. I couldn't get the session id right. But that doesn't matter now, I messed up.

Further testing shows that the remote xrdp sessions "don't" allow rebooting or halting of the host OS. When we first started using xrdp at the start of The Covids an xrdp session could indeed reboot the host, and I never bothered to test it after that time. I didn't want to risk the possibility of crashing the remote servers. But it seems to work as expected now even with the Workstation security profile. xrdp with remmina still seems a bit odd, it's not allowing the user to log off, but we can live with that.

Also, there's a difference between the "Workstation" and "Network Server" security settings. With Workstation, if the reboot button is pressed the Remmina screen goes black. The only way to wake it up is to restart the xrdp session on the server. But with Network Server selected the buttons freeze for about 20 seconds, then go away. The session then continues to be usable. So we're sticking with the Network Server profile unless it causes problems elsewhere. I'm testing all this on a new server that isn't in "production" yet.

Sorry for all the noise, but at least it was educational.

Regards,
Lew
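The loginctl check Andrei asked for, as an added example script (not from either poster): it classifies each logind session from the `Remote=` and `Service=` fields that `loginctl show-session N` prints, and flags an xrdp session that logind has registered as local, which is the case the default polkit profile would treat like a console login. It assumes polkit's `subject.local` follows logind's `Remote=` flag and that xrdp's PAM service name contains "xrdp" (both assumptions, not facts from the thread).

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Assumption: polkit's subject.local mirrors the session's Remote= flag in
# logind, so a session with Remote=no gets the "local user" defaults
# (reboot/poweroff without admin authentication under the default profile).

# classify_session reads the KEY=VALUE lines of 'loginctl show-session N'
# from stdin and prints one of:
#   local         - Remote=no, ordinary console/seat session
#   remote        - Remote=yes, default rules require admin authentication
#   xrdp-as-local - Remote=no but the PAM service looks like xrdp
#                   (assumption: the service name contains "xrdp")
classify_session() {
    remote="" service=""
    while IFS='=' read -r key value; do
        case "$key" in
            Remote)  remote=$value ;;
            Service) service=$value ;;
        esac
    done
    case "$service" in
        *xrdp*) [ "$remote" = "yes" ] && echo remote || echo xrdp-as-local ;;
        *)      [ "$remote" = "yes" ] && echo remote || echo local ;;
    esac
}

# audit_sessions runs the classification over every live session on the host.
audit_sessions() {
    loginctl list-sessions --no-legend | while read -r id _rest; do
        printf '%s: %s\n' "$id" "$(loginctl show-session "$id" | classify_session)"
    done
}

# Constructed sample of 'loginctl show-session' output for an xrdp session
# that logind registered as local; only the relevant lines are included.
SAMPLE_XRDP='Id=5
Service=xrdp-sesman
Remote=no
Active=yes
Type=x11
Class=user'

# demo classifies the constructed sample; run audit_sessions on a real host.
demo() {
    printf '%s\n' "$SAMPLE_XRDP" | classify_session
}
```

Any session reported as `xrdp-as-local` is one where the default polkit profile grants the same logind privileges as a console login, which is why the "restrictive" Network Server profile hides the difference.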