On 5/11/24 04:38, Andrei Borzenkov wrote:
>> I remembered that I used the "Desktop" pattern when installing
>> the server software!  So I checked in yast2 under the Security Center
>> and selected Network Server under the Preconfigured Security
>> Configurations option.  That fixed the problem!  Either a window prompting
>> for the root password appears, or the xrdp session closes.  The
>> server continues to run as desired.
>
>
> Network Server will use the "restrictive" profile of default polkit rules, which always requires admin authentication to perform actions via logind. That is not what you wanted (only preventing actions in the xrdp session).
>
> The default profile will allow reboot etc. for locally logged-in users. If users in the xrdp session were not required to authenticate, it implies that the xrdp session is considered local, which is arguably wrong.
>
> The output of
>
> loginctl show-session N
>
> where N is the session number, for local and xrdp sessions would be interesting.

This didn't seem to work, Andrei.  I couldn't get the session ID right.

But that doesn't matter now, I messed up.

Further testing shows that the remote xrdp sessions "don't" allow rebooting
or halting of the host OS.  When we first started using xrdp at the start of
The Covids an xrdp session could indeed reboot the host, and I never bothered
to test it after that time.  I didn't want to risk the possibility of crashing the
remote servers.  But it seems to work as expected now even with the
Workstation security profile.

xrdp with Remmina still seems a bit odd; it's not allowing the user to log off,
but we can live with that.

Also, there's a difference between the "Workstation" and "Network Server"
security settings.  With Workstation if the reboot button is pressed the
Remmina screen goes black.  The only way to wake it up is to restart the
xrdp session on the server.  But with Network Server selected the buttons
freeze for about 20 seconds, then go away.  The session then continues to
be usable.  So we're sticking with the Network Server profile unless it
causes problems elsewhere.  I'm testing all this on a new server that
isn't in "production" yet.

Sorry for all the noise, but at least it was educational.

Regards,
Lew
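Andrei's loginctl check, as an added example that is not part of this thread and not openSUSE's or polkit's own code: a POSIX shell script that takes `loginctl show-session` output and classifies each session the way polkit's default rules do (Remote=no means "local", Active=yes means "active", and only a local active session gets the relaxed treatment). The loginctl property names are real; the two sample outputs are constructed, and the Service values and the remote address in them are assumptions.

```shell
#!/bin/sh
# Classify logind sessions by the two flags polkit's default rules look at:
#   local  <=> Remote=no      (sd_session_is_remote)
#   active <=> Active=yes     (the active session on its seat)
# Feed it the raw output of `loginctl show-session N`.

# Constructed sample: a console login at the seat (assumed Service value).
SAMPLE_CONSOLE='Id=2
Type=x11
Class=user
Remote=no
Active=yes
Service=sddm'

# Constructed sample: an xrdp login (assumed Service and RemoteHost values).
SAMPLE_XRDP='Id=7
Type=x11
Class=user
Remote=yes
RemoteHost=192.0.2.10
Active=no
Service=xrdp-sesman'

# get_prop "<show-session output>" KEY -> value of KEY (empty if absent)
get_prop() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p" | head -n 1
}

# classify_session "<show-session output>" -> one of:
#   local-active   : default profile lets this user reboot/halt without auth
#   local-inactive : local but not the active seat session
#   remote         : never "local" for polkit; admin auth needed in any profile
classify_session() {
    remote=$(get_prop "$1" Remote)
    active=$(get_prop "$1" Active)
    if [ "$remote" = "yes" ]; then
        echo remote
    elif [ "$active" = "yes" ]; then
        echo local-active
    else
        echo local-inactive
    fi
}

# On a real host, walk every current session (skipped if loginctl is absent).
report_all_sessions() {
    command -v loginctl >/dev/null 2>&1 || { echo "loginctl not found" >&2; return 1; }
    loginctl list-sessions --no-legend | while read -r id _rest; do
        out=$(loginctl show-session "$id")
        printf '%s %s %s\n' "$id" "$(get_prop "$out" Service)" "$(classify_session "$out")"
    done
}
```

If an xrdp session shows up as `local-active`, that is the situation Andrei describes: logind is treating it like a seat login, and the default polkit profile will not ask for authentication.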