I’m testing Leap in a VM. When file-permissions are set from “easy” to “secure” via Yast-“Security and hardening”, even a “trusted” user can’t reboot or shutdown the system any more.
For a reboot/shutdown the system wants root-privilegdes. When I abort the procedure or don’t do anything for a few seconds, I’m automatically logged out and it’s back to login.
The “Shutdown behaviour of login manager” is set to “All users”.
Display manager is lightdm.
I’ve checked etc/permissions.secure but can’t see anything obvious.
First: the same settings have been working in 13.1 for years now. So “secure” does NOT do that - at least not in 13.1.
Second: Even with file permissions set to “secure”: why should a workstation-user not be able to reboot/shutdown the system if it is explicitly configured that way?
Third: What would permissions.secure etc. be good for if not for adapting the system to one’s needs/likings?
You can always modify the settings. it is not written in stone the. The rules are just some lines in a file.
But in secure the user should not have the permission to shut the system down with out root authority. Remember that Linux is multi user and you would not want everyone that may be running on the system to be able to unilaterally shut the system down. If it is a single user system why change the default permissions at all? It just makes any user need root to do system level changes.
The reboot/shutdown-behaviour is obviously unrelated to the file-permissions defined in etc/permissions.*:
I renamed permissions.easy to permissions.secure. But reboot was still not possible without root-privs when file-permissions are set to “secure” in Yast’s “Security center and system hardening”.
So something else is done which was not the case in 13.1/12.3 and probably earlier. Would be nice to know what it is and how to change it.
As a workaround I’ve renamed permissions.secure to permissions.easy and have set file-permissions in “Security center…” to “easy”.
I think it is misleading to establish an intransparent link between file-permissions-setting and reboot/shutdown-behaviour and at the same time disallow reboot/shutdown when it is explicitly set to “all users” with the same tool.
Sorry was not sure were it was there are several place it could have been and I’d would have had to look for it myself/ just knew you could do it I always just use the defaults which I’m happy with.
Well, given the myriad of options and combinations of them it’s almost impossible to NOT forget how to use/set some of them.
The file to look at in this case is /etc/sysconfig/security. There’s an explanation why setting file-permissions to “secure” also leads to more restrictive polkit-settings. And how to override this.
