Skip to content

Polkitd (Policy Kit Daemon) in Trixie ... allowing remote users to suspend, reboot, power off the local system

Posted by Daniel Lange on
Debian

As per the previous Polkit blog post the policykit framwork has lost the ability to understand its own .pkla files and policies need to be expressed in Javascript with .rules files now.

To re-enable allowing remote users (think ssh) to reboot, hibernate, suspend or power off the local system, create a 10-shutdown-reboot.rules file in /etc/polkit-1/rules.d/:

polkit.addRule(function(action, subject) {
    if ((action.id == "org.freedesktop.login1.reboot-multiple-sessions" ||
         action.id == "org.freedesktop.login1.reboot" ||
         action.id == "org.freedesktop.login1.suspend-multiple-sessions" ||
         action.id == "org.freedesktop.login1.suspend" ||
         action.id == "org.freedesktop.login1.hibernate-multiple-sessions" ||
         action.id == "org.freedesktop.login1.hibernate" ||
         action.id == "org.freedesktop.login1.power-off-multiple-sessions" ||
         action.id == "org.freedesktop.login1.power-off") &&
        (subject.isInGroup("sudo") || (subject.user == "root")))
    {
        return polkit.Result.YES;
    }
});

and run systemctl restart polkit.

Trackbacks

No Trackbacks

Comments

Display comments as Linear | Threaded

Marcos Dione on :

subject.isInGroup("sudo") bypasses sudo authentication. I think I would just leave the root part, unless:

  • if the user runs the command with sudo; but
  • when this script is evaluated
  • subject.user is the real and effective user

BUG: your comment system seems to encode "double quotes" twice inside Markdown formatted texts :^)

Daniel Lange on :

I am just re-using the sudo group as that is the "trusted" admin group on Debian. Like what the wheel group is on Red Hat / Fedora.

Polkit has nothing to do with sudo, the command. It is a different way to elevate privileges. And that works well with Debian's /usr/sbin/reboot and /usr/sbin/poweroff which are symlinks to /bin/systemctl these days. Much better than allowing password-less sudo poweroff.

Daniel Lange on :

Fixed the bug, thank you for pointing it out!

Karellen on :

Nice practical example of polkit config, thanks.

I am slightly surprised by the need for || (subject.user == "root") - I'd have thought any root process, or with CAP_SYS_BOOT (/CAP_SYS_ADMIN) would be allowed to reboot the system regardless?

Also, giving a capability to members of the sudo group, but not via a sudoers NOPASSWD rule, seems like a recipe for confusion later? "Oh yeah, members of group sudo can do [action] without a password" ... checks sudo rules ... "How?!" Maybe using a separate auxiliary group for the example might make more sense?

Daniel Lange on :

root is typically not a member of the sudo group. Therefore the polkit check would not grant this user the password-less reboot and power off as intended via polkit. Of course the user can run reboot themselves and use a dozen other ways to reboot the system. But with another user logged in, polkit would even ask a remote root user for a password to allow rebooting. You can consider that a safety feature. Or annoying. In the latter case my polkit .rules file above is useful.

You may use a different group, if you want to. You can even check for specific users with:

if (subject.user == "daniel") {
    return polkit.Result.YES;
}

Use what fits your situation best.

Add Comment

Markdown format allowed
Standard emoticons like :-) and ;-) are converted to images.
E-Mail addresses will not be displayed and will only be used for E-Mail notifications.

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA

Form options

Submitted comments will be subject to moderation before being displayed.