Hello,

I've got hundreds of Fedora 19 stations installed in a computer lab for our students. These are self-service multi-user stations; users need to restart the station whenever they want to. Unfortunately, apparently "polkit" prevents them from restarting when another user is (or had been?) connected. I know it is a safe behavior, but we definitely want to enable users to restart the station themselves whenever they want to, but without requiring the root password! Indeed, students often leave the room without disconnecting (bad!), then the screen locks but still allows someone else to connect, but that second student then cannot restart :-( .

I've tried a lot of things:
http://askubuntu.com/questions/1190/how-can-i-make-shutdown-not-require-admi...
Apparently .pkla files are deprecated, and I confirmed that creating a /etc/polkit-1/localauthority/50-local.d/allow_all_users_to_restart.pkla containing

    Action=org.freedesktop.consolekit.system.restart-multiple-users
    AllowActive=yes

doesn't work.

Then, from #fedora IRC, it was proposed that I create rules in /etc/polkit-1/rules.d: http://paste.fedoraproject.org/36844/

    [root@b06-02 rules.d]# cat 00-early-checks.rules
    /* Allow shutdown when others are logged in */
    polkit.addRule(function(action, subject) {
        if (action.id == "org.freedesktop.consolekit.system.stop-multiple-users" ||
            action.id == "org.freedesktop.consolekit.system.restart-multiple-users") {
            return polkit.Result.YES;
        }
    });

It still fails: when users click on their username in the top right corner of the GNOME session, scroll down to shutdown, then click restart, a window appears warning that there are other users connected and that "authentication is required for rebooting the system while other users are logged in", and ends by asking to enter the "Administrator" password :-( Where can I remove that "feature"?
Thanks
On 4 September 2013 11:02, Jehan PROCACCIA <jehan.procaccia@tem-tsp.eu> wrote:
> [...]
IIUC, the actions you need to authenticate are:

    org.freedesktop.login1.power-off-multiple-sessions
    org.freedesktop.login1.reboot-multiple-sessions
have a look at /usr/share/polkit-1/actions/org.freedesktop.login1.policy.
FWIW, usually polkit authentication prompts are logged in the system logs, either check /var/log/messages, or `journalctl -bn` (executed after polkitd prompted for authentication).
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
Jehan PROCACCIA wrote:
> [...]
1 - Do the students ever have to initiate a long running job and wait for results? If so, having someone else reboot the machine is not desirable.
2 - It might be better to just log out idle users.
3 - However, if it is your intention to let any user reboot at any time, use visudo to add a line:

    %booters ALL=(ALL) NOPASSWD: /sbin/reboot

so the next student could log in and reboot from command line with

    sudo su /sbin/reboot

Note that this requires putting all students allowed to do this (all of them?) into a secondary group allowed to reboot.
My thought is that there is a reason why this isn't the default, if there is no legitimate use which justifies not rebooting, you certainly can do that. In particular, you probably don't want people logging in remotely and just rebooting the machine, students have been known to prank one another.
On 04/09/2013 11:38, Ahmad Samir wrote:
> On 4 September 2013 11:02, Jehan PROCACCIA <jehan.procaccia@tem-tsp.eu> wrote:
>> [...]
> IIUC, the actions you need to authenticate are:
> org.freedesktop.login1.power-off-multiple-sessions
> org.freedesktop.login1.reboot-multiple-sessions
Yes! That was it: instead of org.freedesktop.consolekit.system.restart-multiple-users, it is org.freedesktop.login1.reboot-multiple-sessions that must be set to YES. I tried that with success. Thanks a lot.

However, those two "items" are confusing: consolekit.system.restart-multiple-users and login1.reboot-multiple-sessions. What is the difference between them?
> have a look at /usr/share/polkit-1/actions/org.freedesktop.login1.policy.
>
> FWIW, usually polkit authentication prompts are logged in the system logs, either check /var/log/messages, or `journalctl -bn` (executed after polkitd prompted for authentication).
> --
> Ahmad Samir
On 04/09/2013 17:08, Bill Davidsen wrote:
> [...]
Unfortunately, some users never use a terminal and wouldn't know how to use a command line such as "sudo su /sbin/reboot"; the purpose here was to enable restart from the drop-down menu within the GNOME session. As Ahmad Samir replied earlier, I have the solution with setting this:

    [root@b06-01 ~]# cat /etc/polkit-1/rules.d/00-early-checks.rules
    /* Allow shutdown when others are logged in */
    polkit.addRule(function(action, subject) {
        if (action.id == "org.freedesktop.login1.reboot-multiple-sessions" ||
            action.id == "org.freedesktop.login1.power-off-multiple-sessions") {
            return polkit.Result.YES;
        }
    });
thanks .
Jehan Procaccia wrote:
> [...]
> unfortunately, some users never use a terminal and wouldn't know how to use a command line such as "sudo su /sbin/reboot"; the purpose here was to enable restart from the drop-down menu within the GNOME session.
> [...]
Actually command lines are specified in menu items and icons...
On Wed, Sep 04, 2013 at 12:31:46PM -0400, Bill Davidsen wrote:
> Jehan Procaccia wrote:
>> On 04/09/2013 17:08, Bill Davidsen wrote:
>>> 3 - However, if it is your intention to let any user reboot at any time, use visudo to add a line: %booters ALL=(ALL) NOPASSWD: /sbin/reboot so the next student could log in and reboot from command line with sudo su /sbin/reboot Note that this requires putting all students allowed to do this (all of them?) into a secondary group allowed to reboot.
>> unfortunately, some users never use a terminal and wouldn't know how to use a command line such as "sudo su /sbin/reboot"; the purpose here was to enable restart from the drop-down menu within the GNOME session.
> Actually command lines are specified in menu items and icons...
I don't think sudo works from a menu, you need gksudo or ksudo for that. That said, sudo is a hammer compared to polkit. For example, polkit can restrict allowed actions to a user present at the physical terminal (as the OP wanted), I don't think sudo can do that.
PS: I use sudo all the time, but then on my machines, I'm the only real user.
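Added example, not part of any message in this thread and not the project's own code: the two rule files discussed above, run against a small constructed stand-in for polkitd's rule evaluation. It shows why the ConsoleKit-keyed rule never changed the prompt, and a variant of the working login1 rule limited to users at the physical console. The loadRules harness, POLICY_DEFAULT value and sample subjects are assumptions made for the example.

```javascript
// Constructed stand-in for polkitd's rule engine so rule files can be exercised under Node.
// POLICY_DEFAULT is an assumed value standing for the admin-password prompt from the .policy file.
const POLICY_DEFAULT = "auth_admin_keep";

function loadRules(ruleFile) {
  const rules = [];
  const polkit = {
    Result: { YES: "yes", NOT_HANDLED: null },
    addRule: function (fn) { rules.push(fn); },
  };
  ruleFile(polkit);
  // Rules run in order; the first one that returns a result decides.
  return function authorize(actionId, subject) {
    for (const rule of rules) {
      const result = rule({ id: actionId }, subject);
      if (result) return result;
    }
    return POLICY_DEFAULT; // no rule answered: the implicit policy applies
  };
}

// First attempt from the thread: keyed on ConsoleKit action ids.
function consolekitRuleFile(polkit) {
  polkit.addRule(function (action, subject) {
    if (action.id == "org.freedesktop.consolekit.system.stop-multiple-users" ||
        action.id == "org.freedesktop.consolekit.system.restart-multiple-users") {
      return polkit.Result.YES;
    }
  });
}

// Variant of the working rule, limited to a user at the console (hypothetical hardening).
function login1LocalOnlyRuleFile(polkit) {
  polkit.addRule(function (action, subject) {
    var ids = [
      "org.freedesktop.login1.reboot-multiple-sessions",
      "org.freedesktop.login1.power-off-multiple-sessions",
    ];
    if (ids.indexOf(action.id) === -1) {
      return polkit.Result.NOT_HANDLED; // not our action: leave it to other rules
    }
    if (subject.local && subject.active) {
      return polkit.Result.YES; // local seat, foreground session
    }
    return polkit.Result.NOT_HANDLED; // e.g. ssh login: keep the admin prompt
  });
}

const REBOOT = "org.freedesktop.login1.reboot-multiple-sessions";
// Constructed subjects: the same student at the console and over ssh.
const atConsole = { user: "student1", local: true, active: true };
const overSsh = { user: "student1", local: false, active: true };

const checkOld = loadRules(consolekitRuleFile);
const checkNew = loadRules(login1LocalOnlyRuleFile);

console.log("consolekit rule, console user:", checkOld(REBOOT, atConsole));
console.log("login1 rule, console user:    ", checkNew(REBOOT, atConsole));
console.log("login1 rule, ssh user:        ", checkNew(REBOOT, overSsh));
```

On a real station only the body of the polkit.addRule(...) call goes into the file under /etc/polkit-1/rules.d/.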
On 04.09.2013 17:55, Jehan Procaccia wrote: …
> however, it is confusing those two "items" consolekit.system.restart-multiple-users and login1.reboot-multiple-sessions, what is the difference between them ?
$ repoquery --whatprovides */org.freedesktop.consolekit.policy
$ repoquery --repoid=updates --whatprovides */org.freedesktop.login1.policy

$ FD=http://cgit.freedesktop.org
$ CK=ConsoleKit/plain
$ PA=data/org.freedesktop.consolekit.policy
$ curl -s $FD/$CK/$PA | grep -P '(?=.*id)(?=.*multi)'
$ PKA=/usr/share/polkit-1/actions
$ SLD=org.freedesktop.login1.policy
$ grep -P '(?=.*id)(?=.*multi)' $PKA/$SLD
$ man 1 pkaction
poma
http://www.freedesktop.org/wiki/Software/ConsoleKit/
…
ConsoleKit is currently not actively maintained. The focus has shifted to the built-in seat/user/session management of Software/systemd called systemd-loginctl
…
On 09/04/2013 05:44 PM, Suvayu Ali wrote:
> I don't think sudo works from a menu, you need gksudo or ksudo for that. That said, sudo is a hammer compared to polkit. For example, polkit can restrict allowed actions to a user present at the physical terminal (as the OP wanted), I don't think sudo can do that.
Fedora comes with beesu and things such as yumex use it. Of course, you could always just turn on the suid bit on the executable, but I'd leave it as a last resort, especially as you'd have to do it again any time the file gets updated.
On 05.09.2013 02:52, Joe Zeff wrote:
> On 09/04/2013 05:44 PM, Suvayu Ali wrote:
>> I don't think sudo works from a menu, you need gksudo or ksudo for that. That said, sudo is a hammer compared to polkit. For example, polkit can restrict allowed actions to a user present at the physical terminal (as the OP wanted), I don't think sudo can do that.
> Fedora comes with beesu and things such as yumex use it. Of course, you could always just turn on the suid bit on the executable, but I'd leave it as a last resort, especially as you'd have to do it again any time the file gets updated.
You drive Fedora the old-fashioned way. Welcome to the present.
https://lists.fedoraproject.org/pipermail/users/2013-August/440106.html
…
/etc/polkit-1/rules.d/50-dk.yumex.backend.pkexec.run.rules
$ rpm -ql yumex | grep policy
poma
On Wed, Sep 04, 2013 at 05:52:59PM -0700, Joe Zeff wrote:
> On 09/04/2013 05:44 PM, Suvayu Ali wrote:
>> I don't think sudo works from a menu, you need gksudo or ksudo for that. That said, sudo is a hammer compared to polkit. For example, polkit can restrict allowed actions to a user present at the physical terminal (as the OP wanted), I don't think sudo can do that.
> Fedora comes with beesu and things such as yumex use it. Of course, you could always just turn on the suid bit on the executable, but I'd leave it as a last resort, especially as you'd have to do it again any time the file gets updated.
You just mentioned things that one should not do, especially on a system where curious students are bound to fool around.
On 09/04/2013 06:47 PM, Suvayu Ali wrote:
> You just mentioned things that one should not do, especially on a system where curious students are bound to fool around.
Mentioning the suid bit was just, for me, a matter of being complete. Using besu (Not beesu, as I wrote.) will work if you've set sudo up properly, such as giving everybody sudo rights for this command, and *only* this command. It's not something I'd do, at least not around students, but that's not my call to make.