On 17/08/14 14:09, Hazel Russman wrote:
> I am running BLFS7.5 with systemd. I also have polkit installed and am using
> lxpolkit as my graphical authentication agent. I don't have a display manager;
> I start up my Fluxbox desktop with startx.
>
> On a console I can power off or reboot without giving a password because I am
> the sole user of the system. But when I do the same thing in X, either from a
> terminal or using the Fluxbox menu, I get asked to authenticate. I can use my
> own password as I am a member of the wheel group, but it's still an extra step
> that I could do without. How do I configure polkit to work the same way in X as
> in the console?
>
> For information, here is the relevant section from the login policy file:
>
>     <action id="org.freedesktop.login1.power-off">
>         <description>Power off the system</description>
>         <message>Authentication is required for powering off the
>         system.</message>
>         <defaults>
>             <allow_any>auth_admin_keep</allow_any>
>             <allow_inactive>auth_admin_keep</allow_inactive>
>             <allow_active>yes</allow_active>
>         </defaults>
>     </action>
>
> Am I not an "active user" when I'm in X?

Roughly speaking, logind (and its predecessor, consolekit) only
considers you to be in an active session if it is invoked from a trusted
login client, e.g. a display manager, such as GDM, or PAM (with
provisos), otherwise there's a serious security hole (e.g. it can't even
tell if you are local or remote, and a remote (e.g. via ssh) user
shouldn't be allowed to initiate an active local session). Therefore, if
you just use plain startx, it will not mark the session as active.

See this Debian bug report for more info:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=747882

The easiest work-around (at least for consolekit, and presumably also
for logind) is probably to override the polkit policy file with a rule
file in /etc/polkit-1/rules.d/, as described in the polkit man page.

(And ditto for suspend/hibernate if you use them, and anything else
using polkit.)

David
--
http://lists.linuxfromscratch.org/listinfo/blfs-support
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
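
The rule-file work-around described in the reply above, sketched as an added example that is not part of the original message or of polkit itself. It assumes a hypothetical file name such as /etc/polkit-1/rules.d/49-wheel-power.rules and that logind reports the console-seated startx session as local; the `polkit` stub, `evaluate` and `makeSubject` are constructed helpers for running it offline.

```javascript
// polkit supplies the global `polkit` object when it loads a rules file. The
// stub below is NOT part of polkit; it only lets this example run under Node.js.
var rules = [];
if (typeof polkit === "undefined") {
    var polkit = {
        Result: { YES: "yes" },
        addRule: function (fn) { rules.push(fn); }
    };
}

// logind actions named in the thread: power-off, plus reboot/suspend/hibernate.
var POWER_ACTIONS = [
    "org.freedesktop.login1.power-off",
    "org.freedesktop.login1.reboot",
    "org.freedesktop.login1.suspend",
    "org.freedesktop.login1.hibernate"
];

polkit.addRule(function (action, subject) {
    // Exact match against the allow-list, never a prefix match, so every
    // other login1 action keeps the defaults from the policy file.
    if (POWER_ACTIONS.indexOf(action.id) === -1) {
        return; // not handled: polkit falls through to the XML defaults
    }
    // subject.active is false under plain startx (the problem in this thread),
    // so it is not tested. subject.local stays in the condition so that an ssh
    // login by a wheel member is still asked to authenticate.
    // Assumption: logind marks the console-seated session as local.
    if (subject.local && subject.isInGroup("wheel")) {
        return polkit.Result.YES;
    }
});

// Constructed helper: walks the rules the way polkit does, stopping at the
// first one that returns a result.
function evaluate(actionId, subject) {
    for (var i = 0; i < rules.length; i++) {
        var result = rules[i]({ id: actionId }, subject);
        if (result) { return result; }
    }
    return "not-handled";
}

// Constructed subject with the fields the rule reads.
function makeSubject(groups, local, active) {
    return { local: local, active: active,
             isInGroup: function (g) { return groups.indexOf(g) !== -1; } };
}
```

Only the `POWER_ACTIONS` list and the `polkit.addRule(...)` call belong in the rules file; the stub and the two helpers exist for checking the logic outside polkit.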