I’m mostly interested in disabling the command to create a root shell ‘machinectl shell @root’. Attempting to ‘systemctl disable systemd-machined’ doesn’t work.

Edit:

After some more poking, it seems polkit is the way to do it. Create the file /etc/polkit-1/rules.d/10-deny-machinectl.rules and add the following:

polkit.addRule(function(action, subject) {
   // Refuse every org.freedesktop.machine1.* action (shell, login, machine and
   // image management) for every caller, whatever groups they are in.
   if (action.id.startsWith("org.freedesktop.machine1.")) {
         return polkit.Result.NO;
   }
});

The list of all actions you can filter on is in /usr/share/polkit-1/actions/org.freedesktop.machine1.policy
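To check what a rule like this actually decides for different callers before dropping it into rules.d, here is an added example (not from the original post) in Node.js: a minimal stand-in for polkitd's rule engine that models only the `polkit.addRule` / `polkit.Result` / `subject.isInGroup` subset of the real API, plus a slightly narrower rule that refuses host shells and logins for everyone and leaves the remaining machine1 actions to members of `wheel`. The action ids `org.freedesktop.machine1.host-shell`, `host-login` and `shell` are the ones systemd ships in its machine1 policy file; the stub engine and the constructed subjects are assumptions for the purpose of the example.

```javascript
// Added example: a tiny stand-in for polkitd so the rule can be exercised
// offline with constructed subjects. Only polkit.addRule, polkit.Result and
// subject.isInGroup are modelled; this is not the real polkit API surface.
const polkit = {
  Result: { NO: "no", YES: "yes", NOT_HANDLED: "not_handled" },
  _rules: [],
  addRule(fn) { this._rules.push(fn); },
};

// polkitd semantics: rules are consulted in order, and the first one that
// returns something other than NOT_HANDLED (or undefined) decides.
function evaluate(actionId, subject) {
  const action = { id: actionId };
  for (const rule of polkit._rules) {
    const r = rule(action, subject);
    if (r !== undefined && r !== polkit.Result.NOT_HANDLED) return r;
  }
  // Nothing matched: the action's own implicit defaults (e.g. auth_admin_keep) apply.
  return polkit.Result.NOT_HANDLED;
}

// The rule body as it would go into /etc/polkit-1/rules.d/10-deny-machinectl.rules.
// Host shells/logins (what 'machinectl shell @root' asks for) are always refused;
// every other machine1 action is refused unless the caller is in 'wheel', in
// which case the action's default (an admin authentication prompt) still applies.
polkit.addRule(function (action, subject) {
  if (action.id === "org.freedesktop.machine1.host-shell" ||
      action.id === "org.freedesktop.machine1.host-login") {
    return polkit.Result.NO;
  }
  if (action.id.startsWith("org.freedesktop.machine1.") &&
      !subject.isInGroup("wheel")) {
    return polkit.Result.NO;
  }
  return polkit.Result.NOT_HANDLED;
});

// Constructed subjects standing in for real sessions (assumption, not real data).
function makeSubject(groups) {
  return { isInGroup: (g) => groups.includes(g) };
}
const admin = makeSubject(["wheel"]);
const nobody = makeSubject([]);
```

Run it under Node and call `evaluate(...)` with the two subjects to see that host shells are refused for both, container shells fall through to the default only for `wheel`, and unrelated actions such as `org.freedesktop.login1.*` are untouched.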

  • @mvirts
    5 · 1 year ago

    I didn’t even know about machinectl. Thank you

    • @[email protected] (OP)
      2 · 1 year ago

      The worst is that if the ‘wheel’ group is empty, it will give a root shell to absolutely anyone.

      • @mvirts
        0 · 1 year ago

        Amazing security 😅