Roderick Johnstone wrote:
> After reading up a bit on the policykit docs I have tried two things,
> neither of which have worked:
>
> 1) Edited /usr/share/polkit-1/actions/org.freedesktop.login1.policy and
> changed the line in the <action id="org.freedesktop.login1.reboot">
> section from:
> <allow_active>yes</allow_active>
> to
> <allow_active>no</allow_active>
> i.e. expecting my test account to be disallowed from running the reboot
> option.

I would have expected this to work too, but the policykit daemon may not
parse this initial config after startup (try rebooting after making the
change?)
Unfortunately, this will disallow *everyone* from rebooting, possibly
including root, so be careful.
This isn't the way to go though, see below.

> 2) Added a file: 52-org.freedesktop.login1.xray.rules to
> /etc/polkit-1/rules.d/ which contains:
>
> polkit.addRule(function(action, subject) {
>     if (action.id == "org.freedesktop.login1.reboot" &&
>         !subject.isInGroup("admin")) {
>         return polkit.Result.AUTH_ADMIN;
>     }
> });
>
> i.e. expecting my test account to be prompted for a root password in this
> case.
> In both cases my test account can just restart the system.

Right, you followed something like
https://ask.fedoraproject.org/en/question/35143/how-can-i-configure-polki...
by putting a snippet into /etc/polkit-1/rules.d/
This is the preferred way to do it. Not sure why it didn't work for you,
maybe try configuring to deny access first and see if that works?
-- Rex
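
The deny-first variant suggested in the reply above, as an added example that is not part of the original thread: the rule from the message with AUTH_ADMIN swapped for NO, run under Node.js against a small stand-in for the `polkit` object so its logic can be checked before the file goes into /etc/polkit-1/rules.d/. The stand-in, `makeSubject`, `evaluate` and the accounts `testuser` and `adminuser` are assumptions made for this example; `org.freedesktop.login1.power-off` is used only as a contrasting action.

```javascript
// Stand-in for the object polkitd exposes to rules files (assumption: it
// models only addRule, Result and subject.isInGroup).
const polkit = {
  Result: { NO: "no", YES: "yes", AUTH_ADMIN: "auth_admin" },
  rules: [],
  addRule(fn) { this.rules.push(fn); },
};

// Constructed subject with the one method the rule calls.
function makeSubject(user, groups) {
  return { user, groups, isInGroup: (g) => groups.includes(g) };
}

// Rules run in the order they were added; the first one that returns a
// value decides. A rule that returns nothing falls through to the next.
// null here means "no rule decided", i.e. the .policy defaults apply.
function evaluate(actionId, subject) {
  for (const rule of polkit.rules) {
    const result = rule({ id: actionId }, subject);
    if (result !== undefined && result !== null) return result;
  }
  return null;
}

// ---- body of the rules.d file under test (deny-first variant) ----
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.login1.reboot" &&
        !subject.isInGroup("admin")) {
        return polkit.Result.NO;
    }
});
// ---- end of rules file ----

// Constructed accounts: one outside the "admin" group, one inside it.
const testUser = makeSubject("testuser", ["users"]);
const adminUser = makeSubject("adminuser", ["users", "admin"]);

for (const [id, who] of [
  ["org.freedesktop.login1.reboot", testUser],
  ["org.freedesktop.login1.reboot", adminUser],
  ["org.freedesktop.login1.power-off", testUser],
]) {
  console.log(`${who.user} ${id} -> ${evaluate(id, who)}`);
}
```

This checks only the rule's own logic; whether polkitd loaded the file and which action id the desktop actually requests still have to be confirmed on the machine itself.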