I’m mostly interested in disabling the command to create a root shell ‘machinectl shell @root’. Attempting to ‘systemctl disable systemd-machined’ doesn’t work.
Edit:
After some more poking, it seems polkit is the way to do it. Create the file /etc/polkit-1/rules.d/10-deny-machinectl.rules
and add the following
polkit.addRule(function(action, subject) {
if (action.id.startsWith("org.freedesktop.machine1.")) {
return polkit.Result.NO;
}
});
The list of all actions you can filter on are in /usr/share/polkit-1/actions/org.freedesktop.machine1.policy
The worst is that if the ‘wheel’ group is empty, it will give a root shell to absolutely anyone.
Amazing security 😅