Hello! Halt on Linux is disabled for average user by default. It will try to request sudo/root password and if fails returns:
sasha@fedora:~$ systemctl halt
Call to Halt failed: Access denied
How can I make same behavior for poweroff action? I know it is possible somehow via PolicyKit rulle
Edit the sudoers file.
## user is allowed to execute halt and reboot whateverusername ALL=NOPASSWD: /sbin/halt, sbin/reboot, /sbin/poweroffJust make sure to use visudo
Indeed
The relevant polkit policies should be defined here: https://github.com/systemd/systemd/blob/main/src/login/org.freedesktop.login1.policy
Disabling is done with some rules like this: https://bbs.archlinux.org/viewtopic.php?id=152565
polkit.addRule(function(action, subject) { if (action.id.indexOf("org.freedesktop.login1.power-off") == 0) { return polkit.Result.AUTH_ADMIN; } });Some other examples: https://gist.github.com/grawity/3886114
Thank you, it works! But I got weird behavior:
- User sddm also cannot execute poweroff (it is ok) but if I press shutdown button in sddm it will poweroff (not ok).
- If I press shut down in KDE Plasma I will get black screen and no sddm (I can restart it with
systemctl restart sddmfrom tty and it will work again) How can I fix this bugs?
Sorry, I have no idea.
What if you try another interface, like
shutdown -P noworpoweroff -p?They all operates some way through systemd, so if operation is disabled via policy you cannot bypass it.
sasha@fedora:~$ /sbin/halt Call to Halt failed: Interactive authentication required.
What about
systemctl poweroff?Well, the logic in polkit is, if you have direct physical access to the machine (not SSH, actual keyboard, and so on), in general nothing stops you from just pressing and holding the power button. So giving a local user the right doesn’t make worse.
To disable the behaviour you need to find the appropriate polkit rule in
/usr/{lib,share}/polkit-1/rules.dand create a file with the same name in/etc/polkit-1/rules.dpointing to/dev/null.
