[systemd-devel] systemctl reboot/halt with non-privilege user

Mantas Mikulėnas grawity at gmail.com
Wed Oct 28 12:11:07 UTC 2020


On Wed, Oct 28, 2020, 13:40 An Liu <sourceonly at gmail.com> wrote:

> Hi, folks,
>
> I used to type systemctl reboot with non-privileged users, and to my
> surprise, the system goes down for the reboot.
>
> I've tested in both debian and centos 7, they act the same, however,
> systemctl halt will prompt you to enter administrator password to continue.
>
> Is it default behavior by design?
>

Yes, but... Depends on whether the user is doing it locally or remotely,
and whether they're the only person who's logged in or whether there are
other users as well. There are different rules in systemd for these cases.

I'm not entirely sure why reboot is treated differently from halt, though.
From my experience, *neither* is allowed over remote (SSH) sessions by
default.

> I don't think a non-privileged user could reboot the system as he/she
> wishes.
>

It hasn't been true for a long time that a user is either fully privileged
or not privileged at all, and nothing in between.

For example, in the case of systemctl, locally logged in users are allowed
to call `systemctl poweroff` because they could just as well pull the plug.
But the exact same user, logged in via SSH, will not be allowed it.

In most everyday installations (talking about other operating systems),
rebooting the local system is a default privilege that even "unprivileged"
users have...

And I do think that defaults should be suitable for the majority, leaving
the burden of customization to unusual sites (kiosks, clusters) – not the
other way around.


> btw, I'm in an HPC related domain, if this behavior of systemctl is
> allowed, every single user could reboot the whole cluster as they wish,
> it's a disaster.
>

Then don't allow it. Change your polkit (PolicyKit) rules to block all
reboot-related actions.

(Check the journal to see which specific action was authorized, though –
the same reboot command can use a few different action IDs to apply
different rules.)

If CentOS uses JS-based rules, here are some examples:
https://gist.github.com/grawity/3886114

Debian's polkit uses the older .pkla format, which is simpler but I don't
have a good example on hand.
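
Added example (not part of the original message and not taken from the linked gist): a JS-format polkit rules file that refuses the logind reboot, power-off and halt actions to everyone outside an admin group. The file name, the `wheel` group, the helper names and the stub used when no `polkit` global exists are assumptions of this sketch.

```javascript
// Example polkit rules file, e.g. /etc/polkit-1/rules.d/10-deny-user-shutdown.rules
// (file name and the "wheel" admin group are assumptions for this sketch).

// polkitd provides a global `polkit`. The fallback stub only exists so the
// decision function can be exercised outside polkitd with constructed subjects.
var pk = (typeof polkit !== "undefined") ? polkit : {
    Result: { NO: "no", NOT_HANDLED: "not_handled" },
    log: function () {},
    addRule: function () {}
};

// logind action IDs for reboot, power-off and halt, including the variants used
// when other sessions are logged in or an inhibitor lock is held. Which IDs a
// host actually has depends on its systemd version.
var SHUTDOWN_ACTION =
    /^org\.freedesktop\.login1\.(reboot|power-off|halt)(-multiple-sessions|-ignore-inhibit)?$/;

var ADMIN_GROUP = "wheel"; // assumption: adjust to the site's admin group

function denyUserShutdown(action, subject) {
    if (!SHUTDOWN_ACTION.test(action.id)) {
        return pk.Result.NOT_HANDLED;   // not ours: later rules and defaults decide
    }
    if (subject.isInGroup(ADMIN_GROUP)) {
        return pk.Result.NOT_HANDLED;   // admins keep the distribution defaults
    }
    // Everyone else is refused, whether on the local console or over SSH.
    // polkit.log() writes to the system log, which helps when auditing denials.
    pk.log("denied " + action.id + " for user " + subject.user);
    return pk.Result.NO;
}

pk.addRule(denyUserShutdown);
```

Matching all three variants of each action matters because the same `systemctl reboot` can be checked under a different action ID depending on who else is logged in, which is the point made above about checking the journal.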