1:18 p.m.
Create custom policykit configuration to limit those actions, per
http://www.freedesktop.org/wiki/Software/systemd/logind/
by default, local/console users have permission for all login1 actions, including:
org.freedesktop.login1.power-off
org.freedesktop.login1.reboot
org.freedesktop.login1.suspend
org.freedesktop.login1.hibernate
-- Rex
________________________________________
From: kde-bounces(a)lists.fedoraproject.org <kde-bounces(a)lists.fedoraproject.org> on
behalf of Roderick Johnstone <rmj(a)ast.cam.ac.uk>
Sent: Thursday, April 16, 2015 12:15 PM
To: kde(a)lists.fedoraproject.org
Subject: Removing system items from Leave menu in Plasma 5
Hi
I'd like to remove the System items (Sleep, hibernate, restart and
shutdown) from the Leave menu in Application Launcher on Plasma 5 on a
system-wide basis.
How would I do that please?
Thanks
Roderick Johnstone
_______________________________________________
kde mailing list
kde(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/kde
New to KDE4? - get help from http://userbase.kde.org
11:46 a.m.
New subject: Removing system items from Leave menu in Plasma 5
After reading up a bit on the policykit docs I have tried two things,
neither of which have worked:
1) Edited /usr/share/polkit-1/actions/org.freedesktop.login1.policy and
changed the line in the <action id="org.freedesktop.login1.reboot">
section from:
<allow_active>yes</allow_active>
to
<allow_active>no</allow_active>
ie expecting my test account to be disallowed from running the reboot
option.
2) Added a file: 52-org.freedesktop.login1.xray.rules to
/etc/polkit-1/rules.d/ which contains:
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.login1.reboot" &&
!subject.isInGroup("admin")) {
return polkit.Result.AUTH_ADMIN;
}
});
ie expecting my test account to be prompted for a root password in this
case.
In both cases my test account can just restart the system.
So, two questions?
1) Should I be changing the policy or adding the new rule (ie 1 or 2 above)?
2) If changing the policy, where is the right place to put my new policy
file, rather than changing the system installed one?
I'd appreciate some guidance or aid to debugging please.
Thanks
Roderick
On 16/04/15 19:18, Rex Dieter wrote:
Create custom policykit configuration to limit those actions, per
http://www.freedesktop.org/wiki/Software/systemd/logind/
by default, local/console users have permission for all login1 actions, including:
org.freedesktop.login1.power-off
org.freedesktop.login1.reboot
org.freedesktop.login1.suspend
org.freedesktop.login1.hibernate
-- Rex
________________________________________
From: kde-bounces(a)lists.fedoraproject.org <kde-bounces(a)lists.fedoraproject.org> on
behalf of Roderick Johnstone <rmj(a)ast.cam.ac.uk>
Sent: Thursday, April 16, 2015 12:15 PM
To: kde(a)lists.fedoraproject.org
Subject: Removing system items from Leave menu in Plasma 5
Hi
I'd like to remove the System items (Sleep, hibernate, restart and
shutdown) from the Leave menu in Application Launcher on Plasma 5 on a
system-wide basis.
How would I do that please?
Thanks
Roderick Johnstone
12:20 p.m.
New subject: Removing system items from Leave menu in Plasma 5
Roderick Johnstone wrote:
After reading up a bit on the policykit docs I have tried two
things,
neither of which have worked:
1) Edited /usr/share/polkit-1/actions/org.freedesktop.login1.policy and
changed the line in the <action id="org.freedesktop.login1.reboot">
section from:
<allow_active>yes</allow_active>
to
<allow_active>no</allow_active>
ie expecting my test account to be disallowed from running the reboot
option.
I would have expected this to work too, but the policykit daemon may not
parse this initial config after startup (try rebooting after making the
change?)
Unfortunately, this will disallow *everyone* from rebooting, possibly
including root, so be careful.
This isn't the way to go though, see below.
2) Added a file: 52-org.freedesktop.login1.xray.rules to
/etc/polkit-1/rules.d/ which contains:
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.login1.reboot" &&
!subject.isInGroup("admin")) {
return polkit.Result.AUTH_ADMIN;
}
});
ie expecting my test account to be prompted for a root password in this
case.
In both cases my test account can just restart the system.
Right, you followed
something like
https://ask.fedoraproject.org/en/question/35143/how-can-i-configure-polki...
by putting a snippet into /etc/polkit-1/rules.d/
This is the prefered way to do it. Not sure why it didn't work for you,
maybe try configuring to deny access first and see if that works?
-- Rex
5:48 a.m.
New subject: Removing system items from Leave menu in Plasma 5
On 17/04/15 18:20, Rex Dieter wrote:
Roderick Johnstone wrote:
> After reading up a bit on the policykit docs I have tried two things,
> neither of which have worked:
>
> 1) Edited /usr/share/polkit-1/actions/org.freedesktop.login1.policy and
> changed the line in the <action id="org.freedesktop.login1.reboot">
> section from:
> <allow_active>yes</allow_active>
> to
> <allow_active>no</allow_active>
>
> ie expecting my test account to be disallowed from running the reboot
> option.
I would have expected this to work too, but the policykit daemon may not
parse this initial config after startup (try rebooting after making the
change?)
Unfortunately, this will disallow *everyone* from rebooting, possibly
including root, so be careful.
This isn't the way to go though, see below.
> 2) Added a file: 52-org.freedesktop.login1.xray.rules to
> /etc/polkit-1/rules.d/ which contains:
> polkit.addRule(function(action, subject) {
> if (action.id == "org.freedesktop.login1.reboot" &&
> !subject.isInGroup("admin")) {
> return polkit.Result.AUTH_ADMIN;
> }
> });
>
> ie expecting my test account to be prompted for a root password in this
> case.
>
> In both cases my test account can just restart the system.
Right, you followed something like
https://ask.fedoraproject.org/en/question/35143/how-can-i-configure-polki...
by putting a snippet into /etc/polkit-1/rules.d/
Yes.
This is the prefered way to do it. Not sure why it didn't work for you,
maybe try configuring to deny access first and see if that works?
So, after some testing what I'm finding is that if I log into the KDE
session as my testing user and type reboot at a konsole prompt I get a
window inviting me to enter the root password.
This the the expected behaviour for how I have the system configured at
the moment, and I can change it if I alter my rule.
On the other hand, if I select reboot from the Application Launcher
Leave menu, it just reboots straight away.
Maybe the Leave menu items are using a different polkit action or
somehow bypassing polkit?
Any ideas?
Thanks.
Roderick
8:51 p.m.
New subject: Removing system items from Leave menu in Plasma 5
Roderick Johnstone wrote:
On the other hand, if I select reboot from the Application Launcher
Leave menu, it just reboots straight away.
Maybe the Leave menu items are using a different polkit action or
somehow bypassing polkit?
What display manager are you using? If you're still using KDM (which is from
Plasma 4, it was NOT ported to the Qt 5 and KDE Frameworks 5 libraries used
by Plasma 5), then KDM's own settings apply. (KDM runs as root and has its
own idea of what users to allow rebooting.)
Kevin Kofler
2:01 a.m.
New subject: Removing system items from Leave menu in Plasma 5
On 22/04/15 02:51, Kevin Kofler wrote:
Roderick Johnstone wrote:
> On the other hand, if I select reboot from the Application Launcher
> Leave menu, it just reboots straight away.
>
> Maybe the Leave menu items are using a different polkit action or
> somehow bypassing polkit?
What display manager are you using? If you're still using KDM (which is from
Plasma 4, it was NOT ported to the Qt 5 and KDE Frameworks 5 libraries used
by Plasma 5), then KDM's own settings apply. (KDM runs as root and has its
own idea of what users to allow rebooting.)
Kevin Kofler
I've recently migrated to sddm.
Just to be really sure there were no left overs, I've now uninstalled
the kdm packages.
The Leave menu still allows me to reboot without query, when logged in
as my testing user.
Roderick
3289
days inactive
3295
days old
5 comments
4 participants
participants (4)
-
Kevin Kofler -
Rex Dieter -
Rex Dieter -
Roderick Johnstone