I am thinking about policykit or other dangerous restrictions.
I think it is a very dangerous approach. It overrules root privileges and Linux security policy, as I see it. So the system administrator with root privileges cannot give direct commands to the machine (shutdown, reboot, init “x”, and so on), only with the system’s permission. In this case the system developer can assemble setup parameters which result in losing full control over the machine. It is also possible that somebody locks root out of the machine via policykit. Why is it necessary? It would result in machines that are not under human control…
Or did I make some mistakes?
While your observations might be correct (I did not check all the things you think are possible, for lack of detail), your understanding is not quite right. The kernel allows processes run with UID 0 (zero; that UID has the username root) as owner to perform actions that the kernel does not allow to processes run by any other UID as owner. The use of policy kit (or any other method to run a process owned by root) does not alter that. Short: there is no overruling of root privileges.
The only thing might be that the way those processes (owned by root) are started, and what they then perform on the basis of which intricate bunch of configuration files, is difficult to understand. And yes, using things that one does not fully understand might be dangerous. Especially in the case where the consequences might be so dangerous and where those configuration files configure things differently from what you think is a safe situation (or differently from what the situation was earlier by default).
So the system administrator with root privileges can not order direct commands to the machine (shutdown, reboot, init “x”, and so on), only with the systems’ permission.
“shutdown -r now” works for me when logged in as root at a terminal. I haven’t tried it from an “xterm”. It also works when logged in via “ssh”, though in that case I would usually do:
take the X.Org example – I usually set up KDM such that remote users cannot shut down or reboot the machine – only possible from the local (physical) console. Must admit I haven’t (yet) taken a close look at the SDDM behaviour.
Another (programming) example: System Calls: given that I/O operations (for example disk read/write) are a kernel “THING”, why can a “normal” user read/write to a disk? The answer is: the System Library calls temporarily increase that user’s privileges to allow the read/write to happen.
I know, I know: it’s all queued and once that user’s call has been dropped into the queue then the privileges of the kernel’s queue manager take over.
And now, Polkit: it extends the mechanism of the System Library calls to processes which, IMHO, isn’t a bad thing but, like all very sharp tools, it needs to be used carefully (if one is to avoid having cut fingers).
And just to spice up this discussion, there’s the “sudo” issue in parallel to Polkit; except, that “sudo” is a little bit different and, from an administrative point-of-view, may be preferred (“Horses for Courses.”).
# which -a shutdown
/sbin/shutdown
# l /sbin/shutdown
lrwxrwxrwx 1 root root 18 28. Jan 18:49 /sbin/shutdown -> /usr/bin/systemctl*
# which -a init
/sbin/init
# l /sbin/init
lrwxrwxrwx 1 root root 26 28. Jan 18:49 /sbin/init -> ../usr/lib/systemd/systemd*
#
Which is why I replace the “standard” KDM commands to shutdown and reboot with the systemd commands. Haven’t checked Leap 42.1 SDDM yet but I suspect that it uses the systemd commands.
Personally I normally allow normal users to shutdown/reboot their desktop machines – the updates normally roll in via PackageKit anyway which is another reason for the desktop user to (occasionally) be able to reboot the box.
Server machines are different: normally only shutdown/reboot by an Administrator standing physically at the server rack. Remote/unmanned data collection/control (server) machines are possibly a little bit different and it is often necessary to allow a remote administrator to reboot the boxes – with all the security complexities associated with that scenario . . .
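The policy described in the two posts above (power-off/reboot only from a local, active session, never from a remote ssh login) is exactly the kind of thing polkit rules are for, since "shutdown" and "reboot" on a systemd box end up as systemctl, which asks logind, which asks polkit. The following is an added example, not code from the thread or from the openSUSE project: a polkit JavaScript rule (polkit 0.106 or newer, which is what Leap ships; the rules.d path and file name are assumed) plus a small stand-in for the `polkit` object so the same decision logic can be run and checked under Node.js without polkitd present. The action IDs are the real logind ones; the sample sessions at the bottom are constructed for the demonstration.

```javascript
// Added example (not from the forum thread): a polkit rule implementing
// "local active session may power off/reboot, remote sessions may not".
// On a real system the rule part would go into e.g.
// /etc/polkit-1/rules.d/50-power.rules (path and name assumed here).
"use strict";

// Action IDs logind asks polkit about when an unprivileged user runs
// "systemctl poweroff" / "systemctl reboot" (or picks it from the DM menu).
// The "-multiple-sessions" variants are used when other users are logged in.
const POWER_ACTIONS = [
  "org.freedesktop.login1.power-off",
  "org.freedesktop.login1.power-off-multiple-sessions",
  "org.freedesktop.login1.reboot",
  "org.freedesktop.login1.reboot-multiple-sessions",
];

// Minimal stand-in for polkitd's global "polkit" object, only installed when
// this file is NOT running inside polkitd. Result values mirror polkit's own
// (YES -> "yes", NO -> "no", NOT_HANDLED -> null); this is an assumption
// taken from polkit's init.js, not something the thread states.
if (typeof polkit === "undefined") {
  globalThis.polkit = {
    Result: { YES: "yes", NO: "no", NOT_HANDLED: null },
    _rules: [],
    addRule: function (fn) { this._rules.push(fn); },
    // Rules are tried in order; the first definite answer wins, as in polkitd.
    evaluate: function (action, subject) {
      for (const rule of this._rules) {
        const r = rule(action, subject);
        if (r !== undefined && r !== null) return r;
      }
      return polkit.Result.NOT_HANDLED;
    },
  };
}

// The decision, kept as a named function so it can be tested directly.
// Desktop policy: a local, active session whose user is in group "users"
// may power off or reboot; an ssh session or an inactive (background)
// session is refused outright instead of falling back to the .policy
// default, which would usually be an admin password prompt.
function decidePowerAction(action, subject) {
  if (POWER_ACTIONS.indexOf(action.id) === -1) {
    return polkit.Result.NOT_HANDLED; // unrelated action: let other rules decide
  }
  if (subject.local && subject.active && subject.isInGroup("users")) {
    return polkit.Result.YES;
  }
  return polkit.Result.NO;
}

polkit.addRule(decidePowerAction);

// Constructed session subjects for checking the rule offline (not real
// logind sessions). subject.local / subject.active / subject.isInGroup()
// are the attributes polkitd exposes to rules.
function makeSubject(opts) {
  return {
    user: opts.user,
    local: opts.local,
    active: opts.active,
    isInGroup: function (g) { return (opts.groups || []).indexOf(g) !== -1; },
  };
}

const consoleUser = makeSubject({ user: "alice", local: true, active: true, groups: ["users"] });
const sshUser = makeSubject({ user: "alice", local: false, active: true, groups: ["users"] });
const backgroundUser = makeSubject({ user: "bob", local: true, active: false, groups: ["users"] });

// Run the same reboot request from each kind of session.
function demo() {
  const reboot = { id: "org.freedesktop.login1.reboot" };
  const mount = { id: "org.freedesktop.udisks2.filesystem-mount" };
  return {
    console: polkit.evaluate(reboot, consoleUser),        // "yes"
    ssh: polkit.evaluate(reboot, sshUser),                // "no"
    background: polkit.evaluate(reboot, backgroundUser),  // "no"
    unrelated: polkit.evaluate(mount, sshUser),           // null (not handled)
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

Two caveats worth keeping in mind when using this. First, it only governs what logind grants to unprivileged callers; a root shell running `systemctl poweroff` (or the `/sbin/shutdown` symlink shown above) is not asked for polkit authorization at all, which is the "no overruling of root" point made earlier in the thread. Second, `subject.local` and `subject.active` come from logind's view of the session, so a session that logind does not track (or tracks as inactive) gets `NO` here rather than a password prompt; pick `polkit.Result.AUTH_ADMIN` instead of `NO` on the last line if you would rather be asked for the root password from ssh than be refused.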
I have different issues with polkit not working at all for inactive sessions. Because I think they share the same issue I will post one example first.