If I set file permissions to secure XFCE is asking for root password when I want to reboot.
How can I make so that I have the secure file permissions but be able to reboot without having to enter root password?
Try to add something like this to the file /etc/polkit-default-privs.local :
org.freedesktop.login1.reboot auth_admin_keep:auth_admin_keep:yes
And run “set_polkit_default_privs” (as root) afterwards to apply the change.
That line is literally taken from the “easy”/“standard” defaults. You could also say just “yes” instead of “auth_admin_keep:auth_admin_keep:yes”, but then also users logged in remotely e.g. could reboot the system.
Or just don’t use the “secure” settings, they are not meant for standard desktop usage, and probably will cause you to have to enter the root password for other things as well (like mounting an USB stick/drive). That might also depend on the desktop you use though.
In any case, you can always override selected polkit rules via /etc/polkit-default-privs.local.
Thanks wolfi. I did what you suggest however it is still asking for root password to reboot.
What actually happens is:
- I click logout from XFCE. Then click reboot
- I am being asked for root password.
and if I don’t give it (simply wait a few seconds without doing anything) the dialog hides and I am logged out of XFCE but the machine doesn’t reboot.
Hm, if you didn’t make a mistake, then apparently systemctl/logind is not used to trigger the reboot.
- I click logout from XFCE. Then click reboot
So you are actually clicking reboot on the login screen, not in XFCE.
And what login/display manager are you using?
Have a look into /etc/sysconfig/displaymanager if you are not sure.
Have you tried just “yes” too? I am not sure that your login manager will run in an active console…
Btw, “systemctl reboot” should work as user without root password now, right?
PS: If its kdm (the default if you did a KDE installation and installed XFCE afterwards), try to set DISPLAYMANAGER_SHUTDOWN=“all” in /etc/sysconfig/displaymanager (open it in a text editor and modify the existing line).
The default is “auto”, which means it depends on the security settings, implying only root can shutdown in your case.
See also the comment in the file:
# Determine who will be able to shutdown or reboot the system in kdm. Valid
# values are: "root" (only root can shutdown), "all" (everybody can shutdown),
# "none" (nobody can shutdown from displaymanager), "auto" (follow
# System/Security/Permissions/PERMISSION_SECURITY to decide: "easy local" is
# equal to "all", everything else is equal to "root"). gdm respects the
# PolicyKit settings for ConsoleKit. Shutdown configuration can be done via
# the polkit-default-privs mechanism.
My bad! There was a root user logged in via ssh. Without that I am able to reboot without any prompts.
Also:
DISPLAYMANAGER="lightdm"
(I chose XFCE directly during installation)
Thanks!
Ok, in that case the org.freedesktop.login1.reboot-multiple-sessions rule is relevant I think.
You could override that one too to be able to reboot without password when additional sessions are open.
But that probably depends on your likings too.
Thanks for explaing. So I should add this line too:
org.freedesktop.login1.reboot-multiple-sessions auth_admin_keep:auth_admin_keep:yes
Correct?
Also where can I read and learn more about these things?
Yes, if you want to not have to enter the root password in this case as well.
Also where can I read and learn more about these things?
Maybe:
man polkit
man polkit-default-privs
man set_polkit_default_privs
Some good information can only be found on the Arch Wiki (as usual):
https://wiki.archlinux.org/index.php/Polkit
Note that (open)SUSE provides an abstraction via polkit-default-privs, so you don’t have to write the actual rules in JavaScript yourself (although you can).
And here’s the corresponding chapter from the SLED 12 security manual:
Thanks for your help!