[systemd-devel] [210] logind bypasses polkit? bug or new feature?

Gerardo Exequiel Pozzi vmlinuz386 at yahoo.com.ar
Sun Mar 9 16:00:22 PDT 2014


Hello

To do tests I made a new Arch Linux (x86_64) base installation running
in qemu/kvm with systemd-210-3 and polkit-0.112-1 to discard any weird
thing on my system.

I can reboot/poweroff/suspend/hibernate the system as a normal user,
logged in from a local VT or over remote SSH; it makes no difference.
I cannot disable this even with a set of polkit rules.
I am sure that this worked fine before (maybe systemd-204 age?)

The weird thing here is that if I ask login1 about the "Can*" methods, it
returns 'no'. Also, the system can be rebooted or powered off if other users
are logged in on the system (i.e. root on tty1).


I have another question: If polkit is not installed at all, what is
supposed to happen on these actions? Because I can reboot/poweroff/etc.
by default, is this right?

Thanks in advance.


[djgera@host322 ~]$ loginctl show-user djgera
UID=1000
GID=1000
Name=djgera
Timestamp=Sun 2014-03-09 19:29:33 ART
TimestampMonotonic=16659804
RuntimePath=/run/user/1000
Service=user@1000.service
Slice=user-1000.slice
State=active
IdleHint=no
IdleSinceHint=0
IdleSinceHintMonotonic=0
Linger=no

[djgera@host322 ~]$ loginctl show-session 1
Id=1
Name=djgera
Timestamp=Sun 2014-03-09 19:29:33 ART
TimestampMonotonic=16673677
VTNr=0
Remote=yes
RemoteHost=192.168.0.77
Service=sshd
Scope=session-1.scope
Leader=166
Audit=1
Type=tty
Class=user
Active=yes
State=active
IdleHint=no
IdleSinceHint=0
IdleSinceHintMonotonic=0

[djgera@host322 ~]$ gdbus call --system --dest org.freedesktop.login1 --object-path /org/freedesktop/login1 --method org.freedesktop.login1.Manager.CanReboot
('no',)
[djgera@host322 ~]$ gdbus call --system --dest org.freedesktop.login1 --object-path /org/freedesktop/login1 --method org.freedesktop.login1.Manager.Reboot true
()
Connection to 192.168.0.218 closed by remote host.
Connection to 192.168.0.218 closed.


[djgera@host322 ~]$ reboot
User root is logged in on tty1.
Please retry operation after closing inhibitors and logging out other users.
Alternatively, ignore inhibitors and users with 'systemctl reboot -i'.
[djgera@host322 ~]$ gdbus call --system --dest org.freedesktop.login1 --object-path /org/freedesktop/login1 --method org.freedesktop.login1.Manager.Reboot true
()
Connection to 192.168.0.218 closed by remote host.
Connection to 192.168.0.218 closed.
[djgera@exequiel ~]$




-------------------------------------
/etc/polkit-1/rules.d/69-djgera.rules

polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.login1.power-off" ||
        action.id == "org.freedesktop.login1.power-off-ignore-inhibit" ||
        action.id == "org.freedesktop.login1.power-off-multiple-sessions" ||
        action.id == "org.freedesktop.login1.reboot" ||
        action.id == "org.freedesktop.login1.reboot-ignore-inhibit" ||
        action.id == "org.freedesktop.login1.reboot-multiple-sessions" ||
        action.id == "org.freedesktop.login1.hibernate" ||
        action.id == "org.freedesktop.login1.hibernate-ignore-inhibit" ||
        action.id == "org.freedesktop.login1.hibernate-multiple-sessions" ||
        action.id == "org.freedesktop.login1.suspend" ||
        action.id == "org.freedesktop.login1.suspend-ignore-inhibit" ||
        action.id == "org.freedesktop.login1.suspend-multiple-sessions") {
        return polkit.Result.NO;
    }
});
-------------------------------------

-- 
Gerardo Exequiel Pozzi
\cos^2\alpha + \sin^2\alpha = 1
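
An added example, not part of the original post: a read-only audit that puts login1's Can* answers next to polkit's own decision (via pkcheck) for the base action ids named in the rule file above, to help tell whether a deny rule is being evaluated by polkit at all. The script name `audit.sh`, the function names and the `live` argument are assumptions of this example; it does not check the `-multiple-sessions` or `-ignore-inhibit` variants.

```shell
#!/bin/sh
# Added example (not from the original post). Read-only: it only calls the
# Can* query methods and pkcheck, never Reboot/PowerOff/Suspend/Hibernate.

# Pull the answer out of a gdbus reply such as "('no',)".
parse_can() {
    printf '%s\n' "$1" | sed -n "s/^('\([a-z]*\)',)\$/\1/p"
}

# Translate a pkcheck exit status into the words the Can* methods use.
pk_to_can() {
    case "$1" in
        0) echo yes ;;
        1) echo no ;;
        2|3) echo challenge ;;   # authentication needed, or dialog dismissed
        *) echo error ;;         # 127 or anything unexpected
    esac
}

# Compare the two views. $1 = Can* answer, $2 = polkit answer.
verdict() {
    if [ "$1" = na ]; then echo unsupported      # not available on this system
    elif [ "$1" = no ] && [ "$2" = no ]; then echo denied
    elif [ "$1" = "$2" ]; then echo "agree:$1"
    else echo "MISMATCH:$1/$2"; fi
}

audit_live() {
    for pair in CanReboot:reboot CanPowerOff:power-off \
                CanSuspend:suspend CanHibernate:hibernate; do
        method=${pair%%:*}
        action=org.freedesktop.login1.${pair#*:}
        reply=$(gdbus call --system --dest org.freedesktop.login1 \
            --object-path /org/freedesktop/login1 \
            --method "org.freedesktop.login1.Manager.$method")
        can=$(parse_can "$reply")
        # Assumption: the calling shell ($$) is the subject to evaluate.
        status=0
        pkcheck --action-id "$action" --process $$ >/dev/null 2>&1 || status=$?
        echo "$method $action $(verdict "$can" "$(pk_to_can "$status")")"
    done
}

# Query the real system bus only when asked: sh audit.sh live
if [ "${1:-}" = live ]; then audit_live; fi
```

Run it as the unprivileged user whose access is in question. A `denied` line for every verb means both login1 and polkit report the action as refused for that subject.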
