reboot and shutdown as simple user (permissions) SLES 11 SP2



animati
04-Mar-2013, 17:32
How could I give just reboot and shutdown permissions to a simple user in SLES 11 SP2?

animati
04-Apr-2013, 15:51
Does anybody have an answer?

jmozdzen
04-Apr-2013, 16:21
Hi animati,

> Does anybody have an answer?

Probably, but first some questions:

What are you after? A way to permit users to shutdown/restart the system via CLI? Via login screen? Or were you looking for a different limitation, like "just reboot & shutdown, but not switching to a different run level"?

Regards,
Jens

animati
04-Apr-2013, 17:01
via CLI and via login screen.

jmozdzen
04-Apr-2013, 17:13
Hi animati,

via CLI: Creating the proper "sudo" permissions may help - the commands I would include are "/sbin/shutdown -h now" and "/sbin/shutdown -r now", YMMV.

Login screen: have a look at "DISPLAYMANAGER_SHUTDOWN" in /etc/sysconfig/displaymanager, the comment section documents the options available.

With regards,
Jens

animati
04-Apr-2013, 22:09
via CLI do you mean add commands in "visudo"?

Via login screen I changed to DISPLAYMANAGER_SHUTDOWN="all", BUT when I shutdown and then shut down or restart, it still asks for the root password!

jmozdzen
04-Apr-2013, 22:25
Hi animati,


> via CLI do you mean add commands in "visudo"?

Yes, manual edits are best done via "visudo", which updates the file "/etc/sudoers". If you store sudo permissions i.e. in LDAP, you'll have to use a different tool, though.


> Via login screen I changed to DISPLAYMANAGER_SHUTDOWN="all", BUT when I shutdown and then shut down or restart, it still asks for the root password!

Have you run "SuSEconfig" before restarting, so the actual config files were updated?

Regards,
Jens

animati
04-Apr-2013, 22:47
yes, I run "SuSEconfig".
I also tried changing this in YaST->Security Center and Hardening->BootSettings->Shutdown Behaviour of Login Manager = All Users

BUT it does not work

jmozdzen
04-Apr-2013, 22:56
Hi animati,

this then sounds like a bug to me, unless I have overlooked something. I'm without access to our test bed atm, so I cannot verify this myself. If you're covered by a support contract, you might consider opening a ticket.

Regards,
Jens

animati
04-Apr-2013, 23:08
I'm not covered anymore... I think this problem has existed for one year or more.

THE BIG problem is: when I try to reboot or shut down as a non-root user, it asks for the root password.

jmozdzen
05-Apr-2013, 13:05
Hi animati,

I cannot confirm the bug - my test server just rebooted when told so in the KDM menu. No logged-in user of course, and no question for a root password. Just a plain reboot, as expected.

It seems there's something else that is prohibiting this in your environment?

What display manager are you using at that stage - xdm or kdm or something else? Any output in any of the logs that may point to some cause?

Regards,
Jens

animati
05-Apr-2013, 21:34
look these 3 images: http://imageshack.us/g/843/18940956.png/

I'm logged as single user.
First I entered YaST (it asks for the root password) and set reboot for all users;
And then as single user I ask for reboot/shutdown.... it asks for the root password AGAIN.

jmozdzen
07-Apr-2013, 14:14
Hi animati,

seems my last reply got lost. If this is a duplicate, please disregard.

We're talking about completely different things. The permission you're setting per your first screen shot (which is the one I was referencing in my post, /etc/sysconfig/displaymanager:DISPLAYMANAGER_SHUTDOWN) is for the login manager (which is mentioned in the setting's caption per your screen shot ;) ) - it permits a user to shut down the system from the login screen. "Alt-S" will take you to that shut down menu, unless you're connecting from remote.

What you're trying to invoke per your second screen shot is, AFAICT, controlled per policykit permissions. Have a look at org.freedesktop.consolekit.system.restart and org.freedesktop.consolekit.system.stop. There are "-multiple-users" instances of these permissions, too, but that's not what you'd give ordinary users.

Regards,
Jens

animati
09-Apr-2013, 21:41
yes, we had a disagreement. ;)

now, we have /etc/polkit-default-privs.standard and /etc/polkit-default-privs.restrictive.

Both have:

# should be consistent with hal
org.freedesktop.consolekit.system.stop auth_admin_keep_always:auth_admin_keep_always:yes
org.freedesktop.consolekit.system.stop auth_admin_keep_always:auth_admin_keep_always:yes
org.freedesktop.consolekit.system.stop-multiple-users auth_admin:auth_admin:yes
org.freedesktop.consolekit.system.restart auth_admin:auth_admin:yes
org.freedesktop.consolekit.system.restart-multiple-users auth_admin_keep_always:auth_admin_keep_always:yes

and also:

# shutdown/reboot should be consistent with consolekit
org.freedesktop.hal.power-management.shutdown auth_admin_keep_always:auth_admin_keep_always:yes
org.freedesktop.hal.power-management.shutdown-multiple-sessions auth_admin:auth_admin:yes
org.freedesktop.hal.power-management.reboot auth_admin:auth_admin:yes
org.freedesktop.hal.power-management.reboot-multiple-sessions auth_admin_keep_always:auth_admin_keep_always:yes


Which line should I edit for shutdown and which line for reboot?

Each policy has "AAA:BBB:CCC" or just "AAA" (example: auth_admin_keep_always:auth_admin_keep_always:yes)
What does it mean? (AAA, BBB and CCC)?

jmozdzen
10-Apr-2013, 10:57
Hi animati,

the triplet describes the settings for "any session", "inactive session" and "active session". See for example http://doc.opensuse.org/documentation/html/openSUSE_113/opensuse-security/cha.security.policykit.html#sec.security.policykit.change.modify_config.implicit, which includes a description of commands to invoke once you've changed your settings. Be aware that this doc is for openSUSE 11.3 - I'm not in the position for a proper web search right now, which I'm sure you'd be able to perform yourself if you find any indication that your system works differently.

While I have not found any explicit documentation on the other syntax (a single value AAA), I'm confident that it will simply configure "any session", without any overrides for inactive or active session... a short cut for AAA:AAA:AAA.

Regards,
Jens
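
The triplet format described in the reply above, as an added example that is not part of the original thread: a small shell audit that reads privilege lines in the polkit-default-privs format and reports which actions need no authentication for each session class. The sample lines are constructed, the function names are hypothetical, and two behaviours are assumptions: a single value is expanded to all three classes (as the reply supposes), and the last line for a repeated action wins.

```shell
#!/bin/sh
# Constructed sample in the polkit-default-privs line format quoted in the thread.
SAMPLE='# should be consistent with hal
org.freedesktop.consolekit.system.stop auth_admin_keep_always:auth_admin_keep_always:yes
org.freedesktop.consolekit.system.stop-multiple-users auth_admin
org.freedesktop.consolekit.system.restart auth_admin:auth_admin:yes
org.freedesktop.consolekit.system.restart-multiple-users auth_admin_keep_always'

# Normalise privilege lines on stdin to "action any inactive active".
expand_privs() {
    awk '
        /^[ \t]*(#|$)/ { next }                      # skip comments and blank lines
        {
            n = split($2, f, ":")
            if (n == 1) { f[2] = f[1]; f[3] = f[1] } # assumed: AAA means AAA:AAA:AAA
            else if (n != 3) { print "malformed: " $0 > "/dev/stderr"; next }
            print $1, f[1], f[2], f[3]
        }'
}

# Map a session class name to its column in the normalised output.
class_col() {
    case "$1" in
        any) echo 2 ;; inactive) echo 3 ;; active) echo 4 ;;
        *) echo "unknown session class: $1" >&2; return 64 ;;
    esac
}

# polkit_setting ACTION CLASS: print the setting; exit 2 if ACTION is absent.
polkit_setting() {
    col=$(class_col "$2") || return 64
    expand_privs | awk -v a="$1" -v c="$col" \
        '$1 == a { v = $c } END { if (v == "") exit 2; print v }'
}

# no_auth_actions CLASS: list actions granted "yes" (no password) for CLASS.
no_auth_actions() {
    col=$(class_col "$1") || return 64
    expand_privs | awk -v c="$col" \
        '{ eff[$1] = $c } END { for (a in eff) if (eff[a] == "yes") print a }' |
        LC_ALL=C sort
}

# Demo: which actions in the sample need no password, per session class.
for class in any inactive active; do
    printf '%s: %s\n' "$class" \
        "$(printf '%s\n' "$SAMPLE" | no_auth_actions "$class" | tr '\n' ' ')"
done
```

Anything listed under "any" or "inactive" can be triggered without a password by sessions that are not at the local console, so those two columns are the ones to review before loosening a shutdown or restart privilege.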

animati
10-Apr-2013, 17:32
works!!

thanks a lot and regards...