Page 1 of 2 12 LastLast
Results 1 to 10 of 14

Thread: Shutdown GNOME without root password

  1. #1

    Question Shutdown GNOME without root password

    I am currently trying to install and harden OpenSUSE 13.2 with GNOME. I used YaST2 > Security Center and Hardening > Miscellaneous Settings > File Permissions to switch from Easy to Secure (as suggested in the description of /etc/permissions.secure for a networked installation). GNOME now requires me to enter the root password at shutdown. I understand the reasoning behind that, nevertheless I need to allow specific users to perform the shutdown without the need to enter any Password and without giving them root privileges. Setting DISPLAYMANAGER_SHUTDOWN to all (in YaST2 > /etc/sysconfig Editor > Desktop > Display manager) did not change anything to this behavior. Any ideas on how to solve this problem?

  2. #2
    Join Date
    Aug 2010
    Location
    Chicago suburbs
    Posts
    15,011
    Blog Entries
    3

    Default Re: Shutdown GNOME without root password

    I don't normally use "gdm" or Gnome. I recall once seeing that message when shutting down from Gnome. Is that usual, or was that an unusual occurrence?

    In any case, I didn't provide the root password. I just did a "logout" and then I shutdown from the login screen.

    I sometimes have a similar problem in KDE. It does not ask for root password. But when I shutdown, it just gets me back to the login screen. I can shutdown from there. I think that happens when there has been an update to "systemd". The update restarts systemd, and that disrupts communication between the desktop and systemd until the next reboot.

    Instruct your users to logout and shutdown from the login screen. And reboot your system to see if that resolves the issue.
    openSUSE Leap 15.2; KDE Plasma 5.18.5;

  3. #3

    Default Re: Shutdown GNOME without root password

    This is normal behavior and, as far as I understand, expected when enabling Secure for File Permissions. Logging out and then shutting down is not a possible workaround, as shutting down from the login screen still requires the root password.

  4. #4
    Join Date
    Jun 2008
    Location
    Podunk
    Posts
    30,938
    Blog Entries
    15

    Default Re: Shutdown GNOME without root password

    On Sun 12 Apr 2015 01:16:01 PM CDT, nu2openS wrote:


    I am currently trying to install and harden OpenSUSE 13.2 with GNOME. I
    used YaST2 > Security Center and Hardening > Miscellaneous Settings >
    File Permissions to switch from Easy to Secure (as suggested in the
    description of /etc/permissions.secure for a networked installation).
    GNOME now requires me to enter the root password at shutdown. I
    understand the reasoning behind that, nevertheless I need to allow
    specific users to perform the shutdown without the need to enter any
    Password and without giving them root privileges. Setting
    DISPLAYMANAGER_SHUTDOWN to all (in YaST2 > /etc/sysconfig Editor >
    Desktop > Display manager) did not change anything to this behavior. Any
    ideas on how to solve this problem?


    Hi
    Use visudo to configure the users your wanting to allow access to the
    shutdown command with .
    Code:
    <some user> ALL = NOPASSWD: /sbin/shutdown
    --
    Cheers Malcolm °¿° LFCS, SUSE Knowledge Partner (Linux Counter #276890)
    SUSE Linux Enterprise Desktop 12 GNOME 3.10.1 Kernel 3.12.39-47-default
    If you find this post helpful and are logged into the web interface,
    please show your appreciation and click on the star below... Thanks!


  5. #5

    Default Re: Shutdown GNOME without root password

    Quote Originally Posted by malcolmlewis View Post
    Hi
    Use visudo to configure the users your wanting to allow access to the
    shutdown command with .
    Code:
    <some user> ALL = NOPASSWD: /sbin/shutdown
    Just tried it out. It works as a workaround when the user is typing "sudo shutdown now" in the terminal. But when shutting "normally" via the GUI, GNOME still asks for the root password.

    I am still looking for a solution to get GNOME (aka shutdown via GUI) to not ask for the root password in conjunction with file permissions set to secure. Other ideas?

  6. #6
    Join Date
    Jun 2008
    Location
    Podunk
    Posts
    30,938
    Blog Entries
    15

    Default Re: Shutdown GNOME without root password

    Hi
    In /etc/ fgrep on "shut" are there and polikit changes. In SLES 12, in /etc/YaST2 control.xml and ProductFeatures root is mentioned to shutdown, on my default openSUSE 13.2 install there is no mention. Have these entries been added?
    Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
    SUSE SLE, openSUSE Leap/Tumbleweed (x86_64) | GNOME DE
    If you find this post helpful and are logged into the web interface,
    please show your appreciation and click on the star below... Thanks!

  7. #7

    Default Re: Shutdown GNOME without root password

    Fgrep found this:
    Code:
    /etc/polkit-default-privs.restrictive:org.opensuse.yast.system.power-management.shutdown              no
    /etc/polkit-default-privs.restrictive:org.freedesktop.login1.inhibit-block-shutdown                   no:yes:yes
    /etc/polkit-default-privs.restrictive:org.freedesktop.login1.inhibit-delay-shutdown                   yes
    /etc/polkit-default-privs.standard:org.opensuse.yast.system.power-management.shutdown              no
    /etc/polkit-default-privs.standard:org.freedesktop.login1.inhibit-block-shutdown                   no:yes:yes
    /etc/polkit-default-privs.standard:org.freedesktop.login1.inhibit-delay-shutdown                   yes

  8. #8
    Join Date
    Jun 2008
    Location
    Podunk
    Posts
    30,938
    Blog Entries
    15

    Default Re: Shutdown GNOME without root password

    On Sun 12 Apr 2015 03:06:01 PM CDT, nu2openS wrote:


    Fgrep found this:

    Code:
    --------------------
    /etc/polkit-default-privs.restrictive:org.opensuse.yast.system.power-management.shutdown
    no /etc/polkit-default-privs.restrictive:org.freedesktop.login1.inhibit-block-shutdown
    no:yes:yes /etc/polkit-default-privs.restrictive:org.freedesktop.login1.inhibit-delay-shutdown
    yes /etc/polkit-default-privs.standard:org.opensuse.yast.system.power-management.shutdown
    no /etc/polkit-default-privs.standard:org.freedesktop.login1.inhibit-block-shutdown
    no:yes:yes /etc/polkit-default-privs.standard:org.freedesktop.login1.inhibit-delay-shutdown
    yes --------------------


    Hi
    Have a read of the DISPLAYMANAGER_SHUTDOWN comments, should be set to
    auto and then tweaked in the polikit-default-privs mechanism. Try auto
    first and see how that goes. Probably pay to re-edit visudo as well to
    remove the entry.
    --
    Cheers Malcolm °¿° LFCS, SUSE Knowledge Partner (Linux Counter #276890)
    SUSE Linux Enterprise Desktop 12 GNOME 3.10.1 Kernel 3.12.39-47-default
    If you find this post helpful and are logged into the web interface,
    please show your appreciation and click on the star below... Thanks!
    Last edited by malcolmlewis; 12-Apr-2015 at 08:19.

  9. #9

    Default Re: Shutdown GNOME without root password

    Quote Originally Posted by malcolmlewis View Post
    Hi
    Have a read of the DISPLAYMANAGER_SHUTDOWN comments, should be set to
    auto and then tweaked in the polikit-default-privs mechanism. Try auto
    first and see how that goes. Probably pay to re-edit visudo as well to
    remove the entry.
    As far as I understand the comment to DISPLAYMANAGER_SHUTDOWN it means that this config item only applies to KDM and not to GDM. And "auto" in combination with PERMISSION_SECURITY set to "secure local" would mean that only root can shutdown - exactly the opposite of what I am looking for, thus I doubt that "auto" would be the correct setting.

    GDM, as you pointed out, uses polkit-default-privs according to the comment. But what tweak do you mean?

    I tried the following without success:
    I added "org.opensuse.yast.system.power-management.shutdown yes" to "/etc/polkit-default-privs.local" and applied the change by running "sudo set_polkit_default_privs".
    I also tried to add "org.freedesktop.ConsoleKit.Manager.Stop yes" instead, but no change to the behavior. I also tested both with and without the entry in visudo. I also gave switching to "auto" instead of "all" a try, but with no result.

  10. #10

    Default Re: Shutdown GNOME without root password

    Quote Originally Posted by nu2openS View Post
    GDM, as you pointed out, uses polkit-default-privs according to the comment.
    Yes, and the root password dialog should tell you what exact polkit rule requires you to enter the password.

    So have a look there and then override the corresponding rule to /etc/polkit-default-privs.local (run set_polkit_default_privs to apply the change).
    I think it is "org.freedesktop.login1.power-off" for shutting down.

    If you only want to allow it for specific users, this should be doable as well via custom javascript code in /etc/polkit-1/rules.d/ but I have never tried to do this myself.
    This should give some clues though:
    https://wiki.archlinux.org/index.php/Polkit#Bypass_password_prompt

    PS: visudo/sudoers is only used/respected by sudo. polkit is totally independent of that though.
    Last edited by wolfi323; 13-Apr-2015 at 06:49.

Page 1 of 2 12 LastLast

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •