Disable or remove suspend and switch user from KDE start menu

I want to remove all menu entries to reboot, shutdown etc. from the KDE start menu.
I managed to configure that except the two entries “Switch user” and “Suspend”.

How can I disable or remove these entries from the KDE start menu?

What I’ve done so far:
I disabled “Offer shutdown options” in the “KDE system settings” Start => Configure Desktop => Startup and Shutdown => Desktop Session

I added the following lines to /etc/xdg/kdeglobals:

[KDE Action Restrictions]$i]
logout=false
action/lock_screen=false
action/switch_user=false

[KDE Control Module Restrictions]$i]
kcm_sddm.desktop=false

Anyhow “Switch user” and “Suspend” is still visible and possible to run.

I also tried to use the polkit system but it has no effect. I added the following lines to /etc/polkit-default-privs.local:

org.freedesktop.upower.suspend                         no:no:no
org.freedesktop.upower.hibernate                       no:no:no
org.freedesktop.login1.suspend                                  no:no:no
org.freedesktop.login1.suspend-multiple-sessions                no:no:no
org.freedesktop.login1.hibernate                                no:no:no

After that I executed set_polkit_default_privs.
Anyhow it is not accepted:

# pkaction -v --action-id=org.freedesktop.login1.suspend
org.freedesktop.login1.suspend:
  description:       Suspend the system
  message:           Authentication is required for suspending the system.
  vendor:            The systemd Project
  vendor_url:        http://www.freedesktop.org/wiki/Software/systemd
  icon:
  implicit any:      auth_admin_keep
  implicit inactive: auth_admin_keep
  implicit active:   yes

Can you give me a hint, why the polkit configuration is not used?

I am using:

  • openSUSE 15.1
  • all updates installed
  • KDE Plasma: 5.12.8
  • KDE Frameworks: 5.55.0

Thanks!
Uli

Run this command to create a polkit rule. I’m not sure if it can handle the switch user.

# remove suspend option from menus
sudo tee /etc/polkit-1/rules.d/10-disable-suspend.rules >/dev/null <<EOF
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.login1.suspend" ||
        action.id == "org.freedesktop.login1.suspend-multiple-sessions")
    {
        return polkit.Result.NO;
    }
});
EOF

Thanks for your suggestion. Unfortunately it does not remove the Suspend button from the KDE menu.

Although I have created the file as suggested pkaction still reports that suspend is allowed (after a reboot):

# pkaction -v --action-id=org.freedesktop.login1.suspend
org.freedesktop.login1.suspend:
  description:       Suspend the system
  message:           Authentication is required for suspending the system.
  vendor:            The systemd Project
  vendor_url:        http://www.freedesktop.org/wiki/Software/systemd
  icon:
  implicit any:      auth_admin_keep
  implicit inactive: auth_admin_keep
  implicit active:   yes
# ls -l /etc/polkit-1/rules.d/
total 64
-rw-r--r-- 1 root root   245 May  6 07:20 10-disable-suspend.rules
-rw-r--r-- 1 root root   321 Jul 30  2019 50-default.rules
-rw-r--r-- 1 root root 55837 May  5 14:39 90-default-privs.rules

It seems as if the polkit rules are ignored. Is there any way to check which polkit rule from which polkit config file is used?

Thanks!

P.S.: I managed to remove the “Switch user” button by adding action/start_new_session=false to kdeglobals.

The ‘pkaction’ command does not reflect the active polkit configuration unfortunately. It simply reports the configs defined in /usr/share/polkit-1/actions AFAIR. (The administrator over-rides are therefore not shown.)

That works for me as expected (the pertinent options are now excluded from KDE). The command should save these config changes to /etc/polkit-1/rules.d /90-default-privs.rules

Perhaps show

sudo cat /etc/polkit-1/rules.d/90-default-privs.rules|egrep -A1 "hibernate|suspend"

Just in case this thread is of interest
https://forum.kde.org/viewtopic.php?f=289&t=140412#p376513

In particular the comment about the KDE Kiosk restrictions…
https://userbase.kde.org/KDE_System_Administration/Kiosk/Introduction

Thanks, so pkaction is not the correct tool to check the privs.

The 90-default-privs.rules seems to contain the right settings:

# cat /etc/polkit-1/rules.d/90-default-privs.rules|egrep -A1 "hibernate|suspend"
                'org.freedesktop.login1.inhibit-handle-hibernate-key':
                         'no', 'yes', 'yes' ],
--
                'org.freedesktop.login1.inhibit-handle-suspend-key':
                         'no', 'no', 'no' ],
--
                'org.freedesktop.login1.hibernate-multiple-sessions':
                         'no', 'no', 'no' ],
--
                'org.freedesktop.login1.suspend-ignore-inhibit':
                         'no', 'no', 'no' ],
--
                'org.libvirt.api.domain.suspend':
                         'auth_admin_keep', 'auth_admin_keep', 'auth_admin_keep' ],
--
                'org.freedesktop.upower.hibernate':
                         'no', 'no', 'no' ],
--
                'org.freedesktop.upower.suspend':
                         'no', 'no', 'no' ],
--
                'org.freedesktop.login1.suspend':
                         'no', 'no', 'no' ],
--
                'org.freedesktop.login1.suspend-multiple-sessions':
                         'no', 'no', 'no' ],
--
                'org.libvirt.api.domain.hibernate':
                         'auth_admin_keep', 'auth_admin_keep', 'auth_admin_keep' ],
--
                'org.freedesktop.login1.hibernate':
                         'no', 'no', 'no' ],
--
                'org.freedesktop.login1.hibernate-ignore-inhibit':
                         'auth_admin_keep', 'auth_admin_keep', 'auth_admin_keep' ],

Anyhow the suspend button is still visible so there seem to be another config that overrides the polkit settings?
Maybe somethings wrong with /etc/sysconfig/security ?

# cat /etc/sysconfig/security
## Path:        System/Security/Permissions
## Description: Configuration of permissions on the system
## Type:        string
## Default:     "easy local"
#
# Permission settings to use. By default 'easy', 'secure' and
# 'paranoid' exist. You may define your own though.
#
PERMISSION_SECURITY="easy local"

## Description: Use filesystem capabilities for more finegrained permission handling
## Type:        yesno
## Default:     "yes"
#
# Flag whether to use filesystem capabilities for finegrained
# access control (compared to setuid) or not.
#
PERMISSION_FSCAPS=""
## Path:        System/Security/PolicyKit
## Description: Configuration of default PolicyKit privileges
## Type:        list(set,warn,no)
## Default:     set
## Config:      set_polkit_default_privs
#
# set_polkit_default_privs can check PolicyKit default privileges.
# Setting this variable to "set" will change privileges that don't match the
# default. Setting to "warn" only prints a warning and "no" will
# disable this feature.
#
# Defaults to "set" if not specified
#
CHECK_POLKIT_PRIVS="set"

## Type:        string
## Default:     "standard"
## Config:      set_polkit_default_privs
#
# SUSE ships with two sets of default privilege settings. These are
# "standard" and "restrictive".
#
# Examples: "standard", "restrictive foo bar"
#
# If not set the value depends on the setting of
# PERMISSION_SECURITY. If PERMISSION_SECURITY contains 'secure' or
# 'paranoid' the value will be 'restrictive', otherwise 'standard'.
#
# The 'local' file is always evaluated and takes precedence over all
# other files.
#
POLKIT_DEFAULT_PRIVS=""
## Type:        list(yes,yast,no)
## Default:     yes
#
# When working with packages and installation sources, check keys
# and signatures: yes = in YaST and ZENWorks, yast = in YaST, no =
# no checking.
#
CHECK_SIGNATURES="yes"

or /etc/sysconfig/displaymanager ?

# cat /etc/sysconfig/displaymanager
## Path:        Desktop/Display manager
## Type:        string(Xorg)
## Default:     "Xorg"
#
DISPLAYMANAGER_XSERVER="Xorg"
## Path:        Desktop/Display manager
## Description: settings to generate a proper displaymanager config
## Type:        string(kdm,xdm,gdm,wdm,entrance,console,lightdm,sddm)
## Default:     ""
#
# Here you can set the default Display manager (kdm/xdm/gdm/wdm/entrance/console).
# all changes in this file require a restart of the displaymanager
#
DISPLAYMANAGER="sddm"
## Path:        Desktop/Display manager
## Description: settings to generate a proper displaymanager config
## Type:        yesno
## Default:     no
#
# Allow remote access (XDMCP) to your display manager (xdm/kdm/gdm). Please note
# that a modified kdm or xdm configuration, e.g. by KDE control center
# will not be changed. For gdm, values will be updated after change.
# XDMCP service should run only on trusted networks and you have to disable
# firewall for interfaces, where you want to provide this service.
#
DISPLAYMANAGER_REMOTE_ACCESS="no"

## Type:        yesno
## Default:     no
#
# Allow remote access of the user root to your display manager. Note
# that root can never login if DISPLAYMANAGER_SHUTDOWN is "auto" and
# System/Security/Permissions/PERMISSION_SECURITY is "paranoid"
#
DISPLAYMANAGER_ROOT_LOGIN_REMOTE="no"

## Type:        yesno
## Default:     yes
#
# Let the displaymanager start a local Xserver.
# Set to "no" for remote-access only.
# Set to "no" on architectures without any Xserver (e.g. s390/s390x).
#
DISPLAYMANAGER_STARTS_XSERVER="yes"

## Type:        yesno
## Default:     no
#
# TCP port 6000 of Xserver. When set to "no" (default) Xserver is
# started with "-nolisten tcp". Only set this to "yes" if you really
# need to. Remote X service should run only on trusted networks and
# you have to disable firewall for interfaces, where you want to
# provide this service. Use ssh X11 port forwarding whenever possible.
#
DISPLAYMANAGER_XSERVER_TCP_PORT_6000_OPEN="no"

## Type:    string
## Default:
#
# Define the user whom should get logged in without request. If string
# is empty, display standard login dialog.
#
DISPLAYMANAGER_AUTOLOGIN="terminal"

## Type:        yesno
## Default:     no
#
# Allow all users to login without password, but ask for the user, if
# DISPLAYMANAGER_AUTOLOGIN is empty.
#
DISPLAYMANAGER_PASSWORD_LESS_LOGIN="no"

## Type:        yesno
## Default:     no
#
# Display a combobox for Active Directory domains.
#
DISPLAYMANAGER_AD_INTEGRATION="no"

## Type:    list(root,all,none,auto)
## Default: auto
#
# Determine who will be able to shutdown or reboot the system in kdm.  Valid
# values are: "root" (only root can shutdown), "all" (everybody can shutdown),
# "none" (nobody can shutdown from displaymanager), "auto" (follow
# System/Security/Permissions/PERMISSION_SECURITY to decide: "easy local" is
# equal to "all", everything else is equal to "root").  gdm respects the
# PolicyKit settings for ConsoleKit. Shutdown configuration can be done via
# the polkit-default-privs mechanism.
#
DISPLAYMANAGER_SHUTDOWN="none"

Why not remove tab ‘Leave’ in Application Launcher using its settings menu?

Actually I am using the “Application Menu” and not the “Application Launcher”.
When switching to Application Launcher it is possible to remove the “Leave” menu.

Thanks

P.S. I am still curious why the polkit settings did have no effect…

Did you investigate the KDE thread and KDE Kiosk restrictions page I linked to?

For sure it takes effect for new sessions but not for existing ones.

Yes, I found both pages before starting this thread. Anyhow I did not find any KDE submit action.

I added the following lines to /etc/xdg/kdeglobals and that removed the “Switch user” and “Lock” item:

[KDE Action Restrictions]$i]
logout=false
action/lock_screen=false
action/switch_user=false
action/start_new_session=false

[KDE Control Module Restrictions]$i]
kcm_sddm.desktop=false
kcmsmserver.desktop=false



It did not take effect even after a reboot or better: KDE does not care about even after a reboot.

What are your versions:

erlangen:~ # zypper se --installed-only --details polkit
Loading repository data...
Reading installed packages...

S | Name                    | Type    | Version                   | Arch   | Repository
--+-------------------------+---------+---------------------------+--------+--------------------
i | libpolkit-qt5-1-1       | package | 0.113.0-1.4               | x86_64 | openSUSE-20191106-0
i | libpolkit0              | package | 0.116-3.3                 | x86_64 | openSUSE-20191106-0
i | polkit                  | package | 0.116-3.3                 | x86_64 | openSUSE-20191106-0
i | polkit-default-privs    | package | 1550+20200417.940923e-1.1 | noarch | openSUSE-20191106-0
i | polkit-kde-agent-5      | package | 5.18.4.1-1.1              | x86_64 | openSUSE-20191106-0
i | polkit-kde-agent-5-lang | package | 5.18.4.1-1.1              | noarch | openSUSE-20191106-0
erlangen:~ # 

What are your changes:

erlangen:~ # rpm -V polkit polkit-default-privs polkit-kde-agent-5 polkit-kde-agent-5-lang
S.5....T.  c /etc/polkit-default-privs.local
erlangen:~ # 
# zypper se --installed-only --details polkit
Loading repository data...
Reading installed packages...

S  | Name                    | Type    | Version           | Arch   | Repository
---+-------------------------+---------+-------------------+--------+-----------------------
i+ | libpolkit-qt-1-1        | package | 0.112.0-lp151.2.2 | x86_64 | Main Repository
i+ | libpolkit-qt5-1-1       | package | 0.112.0-lp151.2.3 | x86_64 | Main Repository
i+ | libpolkit0              | package | 0.114-lp151.5.3.1 | x86_64 | Main Update Repository
i+ | polkit                  | package | 0.114-lp151.5.3.1 | x86_64 | Main Update Repository
i+ | polkit-default-privs    | package | 13.2-lp151.16.6.1 | noarch | Main Update Repository
i+ | polkit-kde-agent-5      | package | 5.12.8-lp151.1.2  | x86_64 | Main Repository
i+ | polkit-kde-agent-5-lang | package | 5.12.8-lp151.1.2  | noarch | Main Repository
i+ | typelib-1_0-Polkit-1_0  | package | 0.114-lp151.5.3.1 | x86_64 | Main Update Repository

#  rpm -V polkit polkit-default-privs polkit-kde-agent-5 polkit-kde-agent-5-lang
.....U...    /etc/polkit-1/rules.d
.....U...    /usr/share/polkit-1/rules.d
S.5....T.  c /etc/polkit-default-privs.local
# ll /etc/polkit-1/rules.d/
total 60
-rw-r--r-- 1 root root   321 Jul 30  2019 50-default.rules
-rw-r--r-- 1 root root 55757 May  6 09:46 90-default-privs.rules

# grep -i -A1 suspend /etc/polkit-1/rules.d/*
/etc/polkit-1/rules.d/90-default-privs.rules:           'org.freedesktop.login1.inhibit-handle-suspend-key':
/etc/polkit-1/rules.d/90-default-privs.rules-                    'no', 'no', 'no' ],
--
/etc/polkit-1/rules.d/90-default-privs.rules:           'org.freedesktop.login1.suspend-ignore-inhibit':
/etc/polkit-1/rules.d/90-default-privs.rules-                    'no', 'no', 'no' ],
--
/etc/polkit-1/rules.d/90-default-privs.rules:           'org.libvirt.api.domain.suspend':
/etc/polkit-1/rules.d/90-default-privs.rules-                    'auth_admin_keep', 'auth_admin_keep', 'auth_admin_keep' ],
--
/etc/polkit-1/rules.d/90-default-privs.rules:           'org.freedesktop.upower.suspend':
/etc/polkit-1/rules.d/90-default-privs.rules-                    'no', 'no', 'no' ],
--
/etc/polkit-1/rules.d/90-default-privs.rules:           'org.freedesktop.login1.suspend':
/etc/polkit-1/rules.d/90-default-privs.rules-                    'no', 'no', 'no' ],
--
/etc/polkit-1/rules.d/90-default-privs.rules:           'org.freedesktop.login1.suspend-multiple-sessions':
/etc/polkit-1/rules.d/90-default-privs.rules-                    'no', 'no', 'no' ],
#  

# ll /usr/share/polkit-1/rules.d/
total 8
-rw-r--r-- 1 root root 257 Oct 22  2019 org.freedesktop.packagekit.rules
-rw-r--r-- 1 root root 330 Mar 25 15:28 systemd-networkd.rules

# grep -i suspend /usr/share/polkit-1/rules.d/*
#

I made the following changes, which work:

erlangen:~ # cat /etc/polkit-default-privs.local
#
# /etc/polkit-default-privs.local
#
# This file is used by the set_polkit_default_privs tool to generate polkit
# rules. It is meant for local overrides of the active profile (defined in
# /etc/sysconfig/security) by the administrator of the system: any definitions
# here take precedence over the distribution defaults in
# /etc/polkit-default-privs.<profile>.
#
# The syntax for this file is defined in polkit-default-privs(5). Note that you
# need to run /sbin/set_polkit_default_privs for changes to take effect.
org.freedesktop.login1.inhibit-handle-hibernate-key no:no:no
org.freedesktop.login1.hibernate no:no:no
org.freedesktop.login1.hibernate-multiple-sessions no:no:no
org.freedesktop.login1.hibernate-ignore-inhibit no:no:no
erlangen:~ # 

erlangen:~ # grep -i -A1 hibernate /etc/polkit-1/rules.d/*
/etc/polkit-1/rules.d/90-default-privs.rules:           'org.freedesktop.login1.hibernate':
/etc/polkit-1/rules.d/90-default-privs.rules-                    'no', 'no', 'no' ],
/etc/polkit-1/rules.d/90-default-privs.rules:           'org.freedesktop.login1.hibernate-ignore-inhibit':
/etc/polkit-1/rules.d/90-default-privs.rules-                    'no', 'no', 'no' ],
/etc/polkit-1/rules.d/90-default-privs.rules:           'org.freedesktop.login1.hibernate-multiple-sessions':
/etc/polkit-1/rules.d/90-default-privs.rules-                    'no', 'no', 'no' ],
--
/etc/polkit-1/rules.d/90-default-privs.rules:           'org.freedesktop.login1.inhibit-handle-hibernate-key':
/etc/polkit-1/rules.d/90-default-privs.rules-                    'no', 'no', 'no' ],
--
/etc/polkit-1/rules.d/90-default-privs.rules:           'org.freedesktop.upower.hibernate':
/etc/polkit-1/rules.d/90-default-privs.rules-                    'auth_admin', 'auth_admin', 'yes' ],
--
/etc/polkit-1/rules.d/90-default-privs.rules:           'org.libvirt.api.domain.hibernate':
/etc/polkit-1/rules.d/90-default-privs.rules-                    'auth_admin_keep', 'auth_admin_keep', 'auth_admin_keep' ],
erlangen:~ # 

The hibernate button is gone in the Application Launcher.

Thanks for your efforts!

I installed your polkit-default-privs.local file, ran set_polkit_default_privs and rebooted the system.
Anyhow the Suspend button is still visible and active :frowning:

I guess there’s somethings buggy in my versions of KDE and/or polkit.
Or there is some other setting why the polkit settings are not respected.

What about packages libpolkit-qt-1-1 and typelib-1_0-Polkit-1_0? Try to remove them.

I have removed them but Suspend is still visible.

Updated Leap 15.1. It has no hibernate button from scratch. zypper se -is polkit finds:

erlangen:~ # cat /mnt/root/zypper.polkit 
Loading repository data...
Reading installed packages...

S | Name                    | Type    | Version           | Arch   | Repository            
--+-------------------------+---------+-------------------+--------+-----------------------
i | gconf-polkit            | package | 3.2.6-lp151.2.3   | x86_64 | Main Repository       
i | libpolkit-qt5-1-1       | package | 0.112.0-lp151.2.3 | x86_64 | Main Repository       
i | libpolkit0              | package | 0.114-lp151.5.3.1 | x86_64 | Main Update Repository
i | polkit                  | package | 0.114-lp151.5.3.1 | x86_64 | Main Update Repository
i | polkit-default-privs    | package | 13.2-lp151.16.6.1 | noarch | Main Update Repository
i | polkit-kde-agent-5      | package | 5.12.8-lp151.1.2  | x86_64 | Main Repository       
i | polkit-kde-agent-5-lang | package | 5.12.8-lp151.1.2  | noarch | Main Repository       
erlangen:~ # 

Make sure you only use recommended repos (you can disable additional repos and enable them when done) :

erlangen:~ # ll /mnt/etc/zypp/repos.d/
total 44
-rw-r--r-- 1 root root 189 Nov 21 22:02 repo-debug-non-oss.repo
-rw-r--r-- 1 root root 193 Nov 21 22:02 repo-debug-update-non-oss.repo
-rw-r--r-- 1 root root 172 Nov 21 22:02 repo-debug-update.repo
-rw-r--r-- 1 root root 167 Nov 21 22:02 repo-debug.repo
**-rw-r--r-- 1 root root 171 Nov 21 22:04 repo-non-oss.repo**
**-rw-r--r-- 1 root root 160 Nov 21 22:04 repo-oss.repo**
-rw-r--r-- 1 root root 192 Nov 21 22:02 repo-source-non-oss.repo
-rw-r--r-- 1 root root 170 Nov 21 22:02 repo-source.repo
**-rw-r--r-- 1 root root 176 Nov 21 22:04 repo-update-non-oss.repo**
**-rw-r--r-- 1 root root 159 Nov 21 22:04 repo-update.repo**
erlangen:~ #