Re: [systemd-devel] systemctl reboot/halt with non-privilege user
On Wed, 28 Oct 2020 at 14:11:07 +0200, Mantas Mikulėnas wrote:
> I'm not entirely sure why reboot is treated differently from halt, though.

If you reboot a machine, it will (hopefully!) come back up after some downtime, so it's a limited level of denial of service and might make sense to restrict a little less than poweroff and halt.

If you power off a machine, someone needs to go and press the power button to bring it back up (unless you have proper server infrastructure with remote-power-cycle capabilities), so it's a stronger denial-of-service if this happens on a remote machine.

If you halt a machine, it will halt the OS kernel and hang (not fully powered-off, still consuming power) which in my experience is rarely what you actually wanted, but the practical impact is similar to poweroff.

    smcv
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] systemctl reboot/halt with non-privilege user
>> [user@host ~]$ systemctl poweroff
>> AUTHENTICATING FOR org.freedesktop.login1.set-wall-message
>> Authentication is required to set a wall message
>> Authenticating as: root
>> Password
>

UPDATED: some folks just kindly reminded me that polkit configuration will be the key. I've done some quick tests on it:

| command                  | response              |
| systemctl reboot locally | reboot without prompt |
| systemctl halt locally   | halt with prompt      |
| systemctl reboot via ssh | reboot with prompt    |

So the case should not be worse than I think; at least you can't do it remotely. Might consider it a small flaw when you use it as a PC rather than as a server.

Also, thank you for sharing such good resources :)

--
Liu An
Re: [systemd-devel] systemctl reboot/halt with non-privilege user
Hi,

> > Is it default behavior by design? I don't think a non-privileged user
> > could reboot the system as he/she wishes.
> >
> > btw, I'm in an HPC related domain, if this behavior of systemctl is
> > allowed, every single user could reboot the whole cluster as they wish,
> > it's a disaster.
>
> https://bbs.archlinux.org/viewtopic.php?id=152565

Thank you for the information. I'm not good at polkit, and will spend some time diving into the configuration.

--
Liu An
Re: [systemd-devel] systemctl reboot/halt with non-privilege user
Hi,

> It really depends on the policykit setup.

It is, I'm sure, even though I'm not good at polkit (or even if I didn't know polkit, I still believe there is some config control over this). I'm talking about the default behavior after installation.

> e.g. if the user is in the wheel group, they may have additional
> privileges by virtue of that.
>
> On my systems (centos 8 here) policykit will prompt for the root password:
>
> [user@host ~]$ systemctl poweroff
> AUTHENTICATING FOR org.freedesktop.login1.set-wall-message
> Authentication is required to set a wall message
> Authenticating as: root
> Password:

While my systemctl halt prompts the 'same as system shutdown' you mentioned, did you try systemctl reboot (if you didn't adjust the polkit config from the default one)?

It's really strange to have a non-privileged user with reboot access by default, isn't it?

AN
Re: [systemd-devel] systemctl reboot/halt with non-privilege user
On Wed, Oct 28, 2020, 13:40 An Liu wrote:

> Hi, folks,
>
> I used to type systemctl reboot with non-privileged users, and to my
> surprise, the system goes down for the reboot.
>
> I've tested in both debian and centos 7, they act the same, however,
> systemctl halt will prompt you to enter administrator password to continue.
>
> Is it default behavior by design?

Yes, but... Depends on whether the user is doing it locally or remotely, and whether they're the only person who's logged in or whether there are other users as well. There are different rules in systemd for these cases. I'm not entirely sure why reboot is treated differently from halt, though.

From my experience, *neither* is allowed over remote (SSH) sessions by default.

> I don't think a non-privileged user could reboot the system as he/she
> wishes.

It hasn't been true for a long time that a user is either fully privileged or not privileged at all, and nothing in between. For example, in the case of systemctl, locally logged in users are allowed to call `systemctl poweroff` because they could just as well pull the plug. But the exact same user, logged in via SSH, will not be allowed it.

In most everyday installations (talking about other operating systems), rebooting the local system is a default privilege that even "unprivileged" users have... And I do think that defaults should be suitable for the majority, leaving the burden of customization to unusual sites (kiosks, clusters) – not the other way around.

> btw, I'm in an HPC related domain, if this behavior of systemctl is
> allowed, every single user could reboot the whole cluster as they wish,
> it's a disaster.

Then don't allow it. Change your polkit (PolicyKit) rules to block all reboot-related actions. (Check the journal to see which specific action was authorized, though – the same reboot command can use a few different action IDs to apply different rules.)

If CentOS uses JS-based rules, here are some examples: https://gist.github.com/grawity/3886114

Debian's polkit uses the older .pkla format, which is simpler but I don't have a good example on hand.
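
Added example, not part of the thread and not taken from the linked gist: a JS-format polkit rule of the kind the reply above suggests for a cluster node. It refuses the logind reboot, power-off and halt actions, including their variant action IDs, for everyone outside an admin group; the `wheel` admin group, the file name and the `fakeSubject` helper are assumptions for illustration.

```javascript
// Added example: polkit rule denying reboot/power-off/halt to non-admins.
// Install as /etc/polkit-1/rules.d/10-deny-power-actions.rules
// (hypothetical file name). Assumption: "wheel" is the admin group.

// logind action IDs. Each also exists with a "-multiple-sessions" and an
// "-ignore-inhibit" suffix, which is why one command can hit several IDs.
var POWER_PREFIXES = [
    "org.freedesktop.login1.reboot",
    "org.freedesktop.login1.power-off",
    "org.freedesktop.login1.halt"
];

// Outside polkitd (for example under node) supply the two Result values
// used here, so the rule function can be exercised before deployment.
var pk = (typeof polkit !== "undefined") ? polkit
       : { Result: { NO: "no", NOT_HANDLED: null }, addRule: function () {} };

function isPowerAction(id) {
    return POWER_PREFIXES.some(function (p) {
        return id === p || id.indexOf(p + "-") === 0;
    });
}

function denyPowerActions(action, subject) {
    if (!isPowerAction(action.id)) {
        return pk.Result.NOT_HANDLED;   // not ours: fall through to defaults
    }
    if (subject.isInGroup("wheel")) {
        return pk.Result.NOT_HANDLED;   // admins keep the distribution policy
    }
    return pk.Result.NO;                // local or SSH, active or not: refuse
}

pk.addRule(denyPowerActions);

// Constructed subject for trying the rule outside polkitd.
function fakeSubject(groups, local) {
    return {
        local: local,
        active: true,
        isInGroup: function (g) { return groups.indexOf(g) !== -1; }
    };
}
```

Returning `NOT_HANDLED` rather than `YES` for admins leaves the shipped defaults, such as the password prompt over SSH, in force for them.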
Re: [systemd-devel] systemctl reboot/halt with non-privilege user
Hello,

An Liu wrote on 28/10/2020 11:40:
> Hi, folks,
>
> I used to type systemctl reboot with non-privileged users, and to my
> surprise, the system goes down for the reboot.
>
> I've tested in both debian and centos 7, they act the same, however,
> systemctl halt will prompt you to enter administrator password to continue.
>
> Is it default behavior by design? I don't think a non-privileged user
> could reboot the system as he/she wishes.
>
> btw, I'm in an HPC related domain, if this behavior of systemctl is
> allowed, every single user could reboot the whole cluster as they wish,
> it's a disaster.

It really depends on the policykit setup.

e.g. if the user is in the wheel group, they may have additional privileges by virtue of that.

On my systems (centos 8 here) policykit will prompt for the root password:

[user@host ~]$ systemctl poweroff
AUTHENTICATING FOR org.freedesktop.login1.set-wall-message
Authentication is required to set a wall message
Authenticating as: root
Password:

I can't recall off hand, but if the user was in the wheel group, then I think it would still prompt for a password, but would ask for the user password.

These are via SSH, but policykit also has overrides for users logged in locally. As these guys have physical access to the machine, they might be allowed to do certain things, like reboot etc. as they have access to the plug anyway, it's not really any additional security concern.

So, ultimately, my advice is to check your policykit setup and see what the policy is.

Col

PS, I did spot an awesome security bug in an old redhat security tool a few years back (I think it was called sectool) which installed a bogus policy file which basically gave users full rights to things like service management and reboot etc, so it's possible a rogue/buggy policy file from an unrelated package is causing this behaviour too.

--
Colin Guthrie
gmane(at)colin.guthr.ie
https://colin.guthr.ie/

Day Job:
  Tribalogic Limited https://www.tribalogic.net/
[systemd-devel] systemctl reboot/halt with non-privilege user
Hi, folks,

I used to type systemctl reboot with non-privileged users, and to my surprise, the system goes down for the reboot.

I've tested in both debian and centos 7, they act the same, however, systemctl halt will prompt you to enter administrator password to continue.

Is it default behavior by design? I don't think a non-privileged user could reboot the system as he/she wishes.

btw, I'm in an HPC related domain, if this behavior of systemctl is allowed, every single user could reboot the whole cluster as they wish, it's a disaster.

--
Liu An