I am currently trying to install and harden OpenSUSE 13.2 with GNOME. I used YaST2 > Security Center and Hardening > Miscellaneous Settings > File Permissions to switch from Easy to Secure (as suggested in the description of /etc/permissions.secure for a networked installation). GNOME now requires me to enter the root password at shutdown. I understand the reasoning behind that, nevertheless I need to allow specific users to perform the shutdown without the need to enter any Password and without giving them root privileges. Setting DISPLAYMANAGER_SHUTDOWN to all (in YaST2 > /etc/sysconfig Editor > Desktop > Display manager) did not change anything to this behavior. Any ideas on how to solve this problem?
I don’t normally use “gdm” or Gnome. I recall once seeing that message when shutting down from Gnome. Is that usual, or was that an unusual occurrence?
In any case, I didn’t provide the root password. I just did a “logout” and then I shutdown from the login screen.
I sometimes have a similar problem in KDE. It does not ask for root password. But when I shutdown, it just gets me back to the login screen. I can shutdown from there. I think that happens when there has been an update to “systemd”. The update restarts systemd, and that disrupts communication between the desktop and systemd until the next reboot.
Instruct your users to logout and shutdown from the login screen. And reboot your system to see if that resolves the issue.
This is normal behavior and, as far as I understand, expected when enabling Secure for File Permissions. Logging out and then shutting down is not a possible workaround, as shutting down from the login screen still requires the root password.
On Sun 12 Apr 2015 01:16:01 PM CDT, nu2openS wrote:
I am currently trying to install and harden OpenSUSE 13.2 with GNOME. I
used YaST2 > Security Center and Hardening > Miscellaneous Settings >
File Permissions to switch from Easy to Secure (as suggested in the
description of /etc/permissions.secure for a networked installation).
GNOME now requires me to enter the root password at shutdown. I
understand the reasoning behind that, nevertheless I need to allow
specific users to perform the shutdown without the need to enter any
Password and without giving them root privileges. Setting
DISPLAYMANAGER_SHUTDOWN to all (in YaST2 > /etc/sysconfig Editor >
Desktop > Display manager) did not change anything to this behavior. Any
ideas on how to solve this problem?
Hi
Use visudo to configure the users your wanting to allow access to the
shutdown command with .
<some user> ALL = NOPASSWD: /sbin/shutdown
–
Cheers Malcolm °¿° LFCS, SUSE Knowledge Partner (Linux Counter #276890)
SUSE Linux Enterprise Desktop 12 GNOME 3.10.1 Kernel 3.12.39-47-default
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below… Thanks!
Just tried it out. It works as a workaround when the user is typing “sudo shutdown now” in the terminal. But when shutting “normally” via the GUI, GNOME still asks for the root password.
I am still looking for a solution to get GNOME (aka shutdown via GUI) to not ask for the root password in conjunction with file permissions set to secure. Other ideas?
Hi
In /etc/ fgrep on “shut” are there and polikit changes. In SLES 12, in /etc/YaST2 control.xml and ProductFeatures root is mentioned to shutdown, on my default openSUSE 13.2 install there is no mention. Have these entries been added?
Fgrep found this:
/etc/polkit-default-privs.restrictive:org.opensuse.yast.system.power-management.shutdown no
/etc/polkit-default-privs.restrictive:org.freedesktop.login1.inhibit-block-shutdown no:yes:yes
/etc/polkit-default-privs.restrictive:org.freedesktop.login1.inhibit-delay-shutdown yes
/etc/polkit-default-privs.standard:org.opensuse.yast.system.power-management.shutdown no
/etc/polkit-default-privs.standard:org.freedesktop.login1.inhibit-block-shutdown no:yes:yes
/etc/polkit-default-privs.standard:org.freedesktop.login1.inhibit-delay-shutdown yes
On Sun 12 Apr 2015 03:06:01 PM CDT, nu2openS wrote:
Fgrep found this:
Code:
/etc/polkit-default-privs.restrictive:org.opensuse.yast.system.power-management.shutdown
no /etc/polkit-default-privs.restrictive:org.freedesktop.login1.inhibit-block-shutdown
no:yes:yes /etc/polkit-default-privs.restrictive:org.freedesktop.login1.inhibit-delay-shutdown
yes /etc/polkit-default-privs.standard:org.opensuse.yast.system.power-management.shutdown
no /etc/polkit-default-privs.standard:org.freedesktop.login1.inhibit-block-shutdown
no:yes:yes /etc/polkit-default-privs.standard:org.freedesktop.login1.inhibit-delay-shutdown
yes --------------------
Hi
Have a read of the DISPLAYMANAGER_SHUTDOWN comments, should be set to
auto and then tweaked in the polikit-default-privs mechanism. Try auto
first and see how that goes. Probably pay to re-edit visudo as well to
remove the entry.
Cheers Malcolm °¿° LFCS, SUSE Knowledge Partner (Linux Counter #276890)
SUSE Linux Enterprise Desktop 12 GNOME 3.10.1 Kernel 3.12.39-47-default
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below… Thanks!
As far as I understand the comment to DISPLAYMANAGER_SHUTDOWN it means that this config item only applies to KDM and not to GDM. And “auto” in combination with PERMISSION_SECURITY set to “secure local” would mean that only root can shutdown - exactly the opposite of what I am looking for, thus I doubt that “auto” would be the correct setting.
GDM, as you pointed out, uses polkit-default-privs according to the comment. But what tweak do you mean?
I tried the following without success:
I added “org.opensuse.yast.system.power-management.shutdown yes” to “/etc/polkit-default-privs.local” and applied the change by running “sudo set_polkit_default_privs”.
I also tried to add “org.freedesktop.ConsoleKit.Manager.Stop yes” instead, but no change to the behavior. I also tested both with and without the entry in visudo. I also gave switching to “auto” instead of “all” a try, but with no result.
Yes, and the root password dialog should tell you what exact polkit rule requires you to enter the password.
So have a look there and then override the corresponding rule to /etc/polkit-default-privs.local (run set_polkit_default_privs to apply the change).
I think it is “org.freedesktop.login1.power-off” for shutting down.
If you only want to allow it for specific users, this should be doable as well via custom javascript code in /etc/polkit-1/rules.d/ but I have never tried to do this myself.
This should give some clues though:
https://wiki.archlinux.org/index.php/Polkit#Bypass_password_prompt
PS: visudo/sudoers is only used/respected by sudo. polkit is totally independent of that though.
Well the poweroff screen doesn’t provide any hint on the corresponding rule (it only states that authentication is required: Authentication is required for powering off the system.).
Adding “org.freedesktop.login1.power-off yes” to /etc/polkit-default-privs.local didn’t work either.
But the JavaScript you pointed me to was an eye-opener. Here is the solution that worked out for me: I added the following JavaScript code to the new file /etc/polkit-1/rules.d/49-nopasswd_shutdown.rules:
/* Allow members of the users group to shutdown or restart
* without password authentication.
*/
polkit.addRule(function(action, subject) {
if ((action.id == "org.freedesktop.login1.power-off" ||
action.id == "org.freedesktop.login1.reboot") &&
subject.isInGroup("users"))
{
return polkit.Result.YES;
}
});
Well, now I understand why no average user will never ever switch from Windows to Linux as a desktop - after 20+ years of development even such simple tasks as this one still requires coding
But the polkit dialog that shows inside GNOME should tell you. At least the KDE one does if you click on “Details”.
Adding “org.freedesktop.login1.power-off yes” to /etc/polkit-default-privs.local didn’t work either.
Did you run “set_polkit_default_privs” afterwards?
Well, now I understand why no average user will never ever switch from Windows to Linux as a desktop - after 20+ years of development even such simple tasks as this one still requires coding
Well, I wouldn’t know how to do that in Windows either…
And an “average user” should not have the necessity to set the system polkit permissions to “secure” (which is not intended for desktop usage anyway) while still allowing users to shutdown without password.
Maybe a misunderstanding on my side, but I thought that “secure” is to be used when the computer is connected to a networked environment and multiple users share the same computer - actually my default setup at home.
Can’t say about Gnome at all but in KDE there is a setting that allows users to shut down. I don’t know if this is a KDM only thing or not
Configure Desktop - Login Screen - Shutdown