[systemd-devel] systemctl reboot/halt with non-privilege user
Colin Guthrie
gmane at colin.guthr.ie
Wed Oct 28 11:59:55 UTC 2020
Hello,
An Liu wrote on 28/10/2020 11:40:
> Hi, folks,
>
> I used to type systemctl reboot with non-privileged users, and to my
> surprise, the system goes down for the reboot.
>
> I've tested in both debian and centos 7, they act the same, however,
> systemctl halt will prompt you to enter administrator password to continue.
>
> Is it default behavior by design? I don't think a non-privileged user
> could reboot the system as he/she wishes.
>
> btw, I'm in an HPC related domain, if this behavior of systemctl is
> allowed, every single user could reboot the whole cluster as they wish,
> it's a disaster.

It really depends on the policykit setup.

e.g. if the user is in the wheel group, they may have additional
privileges by virtue of that.

On my systems (centos 8 here) policykit will prompt for the root password:

[user@host ~]$ systemctl poweroff
==== AUTHENTICATING FOR org.freedesktop.login1.set-wall-message ====
Authentication is required to set a wall message
Authenticating as: root
Password:

I can't recall off hand, but if the user was in the wheel group, then I
think it would still prompt for a password, but would ask for the user
password.

These are via SSH, but policykit also has overrides for users logged in
locally. As these guys have physical access to the machine, they might
be allowed to do certain things, like reboot etc. as they have access to
the plug anyway, it's not really any additional security concern.

So, ultimately, my advice is to check your policykit setup and see what
the policy is.

Col

PS, I did spot an awesome security bug in an old redhat security tool a
few years back (I think it was called sectool) which installed a bogus
policy file which basically gave users full rights to things like
service management and reboot etc, so it's possible a rogue/buggy policy
file from an unrelated package is causing this behaviour too.

--
Colin Guthrie
gmane(at)colin.guthr.ie
https://colin.guthr.ie/
Day Job:
Tribalogic Limited https://www.tribalogic.net/
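
One way to carry out the "check your policykit setup" advice above, as an added example that is not part of the original message: it reads polkit action files and lists every action whose implicit default is "yes", meaning no password prompt. It assumes the usual install location /usr/share/polkit-1/actions and the standard .policy XML layout; the sample policy and its action ids are constructed. Administrator rules (for example under /etc/polkit-1/rules.d) can override these defaults and are not evaluated here.

```python
import glob
import sys
import xml.etree.ElementTree as ET

# polkit <defaults> scopes: allow_any = every client (an SSH login included),
# allow_inactive = inactive local session, allow_active = active console session.
SCOPES = ("allow_any", "allow_inactive", "allow_active")

# Constructed sample in the .policy file format (hypothetical action ids).
SAMPLE_POLICY = """<policyconfig>
  <action id="org.example.demo.reboot">
    <defaults>
      <allow_any>auth_admin_keep</allow_any>
      <allow_inactive>auth_admin_keep</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.example.demo.manage-units">
    <defaults>
      <allow_any>yes</allow_any>
      <allow_inactive>yes</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
</policyconfig>"""

def unauthenticated_grants(root):
    """Map action id -> scopes whose implicit default is 'yes' (no prompt)."""
    findings = {}
    for action in root.iter("action"):
        defaults = action.find("defaults")
        scopes = [s for s in SCOPES if defaults is not None
                  and (defaults.findtext(s) or "").strip() == "yes"]
        if scopes:
            findings[action.get("id")] = scopes
    return findings

if __name__ == "__main__":
    paths = sys.argv[1:] or sorted(glob.glob("/usr/share/polkit-1/actions/*.policy"))
    docs = [(p, lambda p=p: ET.parse(p).getroot()) for p in paths]
    docs = docs or [("<constructed sample>", lambda: ET.fromstring(SAMPLE_POLICY))]
    for name, load in docs:
        try:
            grants = unauthenticated_grants(load())
        except (ET.ParseError, OSError) as exc:
            print(f"{name}: skipped ({exc})", file=sys.stderr)
            continue
        for action_id, scopes in grants.items():
            # REMOTE marks actions that any session, SSH included, may perform.
            flag = "REMOTE" if "allow_any" in scopes else "local"
            print(f"{flag:6} {action_id}: {', '.join(scopes)} ({name})")
```

An action flagged REMOTE in a file that belongs to an unrelated package is the kind of rogue policy file described in the PS.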