Hello! Halt on Linux is disabled for average user by default. It will try to request sudo/root password and if fails returns:

sasha@fedora:~$ systemctl halt
Call to Halt failed: Access denied

How can I make same behavior for poweroff action? I know it is possible somehow via PolicyKit rulle

  • [email protected]
    134 months ago

    Edit the sudoers file.

    ## user is allowed to execute halt and reboot 
whateverusername ALL=NOPASSWD: /sbin/halt, sbin/reboot, /sbin/poweroff
  • @[email protected]
    84 months ago

    The relevant polkit policies should be defined here: https://github.com/systemd/systemd/blob/main/src/login/org.freedesktop.login1.policy

    Disabling is done with some rules like this: https://bbs.archlinux.org/viewtopic.php?id=152565

    polkit.addRule(function(action, subject) {
  if (action.id.indexOf("org.freedesktop.login1.power-off") == 0) {
    return polkit.Result.AUTH_ADMIN;
  }
});

    Some other examples: https://gist.github.com/grawity/3886114

    • @user_naaOP
      24 months ago

      Thank you, it works! But I got weird behavior:

      1. User sddm also cannot execute poweroff (it is ok) but if I press shutdown button in sddm it will poweroff (not ok).
      2. If I press shut down in KDE Plasma I will get black screen and no sddm (I can restart it with systemctl restart sddm from tty and it will work again) How can I fix this bugs?
        • @user_naaOP
          14 months ago

          SDDM main process is running as root and ignores all policies. So only way is modifying SDDM source code(

    • @user_naaOP
      54 months ago

      They all operates some way through systemd, so if operation is disabled via policy you cannot bypass it.

      sasha@fedora:~$ /sbin/halt
Call to Halt failed: Interactive authentication required.
  • pelya
    34 months ago

    What about systemctl poweroff ?

  • @[email protected]
    14 months ago

    Well, the logic in polkit is, if you have direct physical access to the machine (not SSH, actual keyboard, and so on), in general nothing stops you from just pressing and holding the power button. So giving a local user the right doesn’t make worse.

    To disable the behaviour you need to find the appropriate polkit rule in /usr/{lib,share}/polkit-1/rules.d and create a file with the same name in /etc/polkit-1/rules.d pointing to /dev/null.