Debian – How to Block Shutdown or Reboot in Xfce When Other Users Logged In

linuxpampolkitsystemdxfce

I want to prevent users to start shutdown or reboot when another user is logged in. Users can be a TTY user (Ctrl+Alt+F3) or a ssh user from a client host.

In OpenBSD, I use polkit org.xfce.session.policy with a rule file to prevent such actions.

I need to find how to do this in Debian Testing (aka Buster).
I found org.freedesktop.login1.policy with actions

org.freedesktop.login1.power-off
org.freedesktop.login1.power-off-multiple-sessions.

and made rule files for these actions but it does not block shutdown or restart.
It seems to me that polkit is not responsible alone for these actions.

I don't know where to look for this; perhaps systemd or PAM ?

EDIT

On OpenBSD and NetBSD, by default, nobody is allowed to shutdown or reboot from GUI.
You must create a rule file in /usr/local/share/polkit-1/rules.d/ like this one :

polkit.addRule (function (action, subject) {
    if (action.id == "org.xfce.session.xfsm-shutdown-helper")
    {
        return polkit.Result.YES;
    }
});

On Debian, by default, all users can shutdown or reboot from GUI.
There is no rule file for org.xfce.session.xfsm-shutdown-helper or org.freedesktop.login1.power-off.

I try to add my rule file with return polkit.Result.NO; with no avail
On debian, i use lightdm and on BSD, i use xdm.

Best Answer

Debian Testing Buster use polkit 1.05, so there is no rule files and no js syntax.
You must use the old policykit ini-style.
To prevent users to start shutdown or reboot when another user is logged in,
you must create two pkla files in /etc/polkit-1/localauthority/50-local.d/

cat /etc/polkit-1/localauthority/50-local.d/Reject_All_Users_To_login1_power-off-multiple-sessions.pkla 
[Reject all users to use login1_power-off-multiple-sessions]
Identity=unix-user:*
Action=org.freedesktop.login1.power-off-multiple-sessions
ResultAny=no
ResultInactive=no
ResultActive=no

cat /etc/polkit-1/localauthority/50-local.d/Reject_All_Users_To_login1_reboot-multiple-sessions.pkla
[Reject all users to use login1_reboot-multiple-sessions]
Identity=unix-user:*
Action=org.freedesktop.login1.reboot-multiple-sessions
ResultAny=no
ResultInactive=no
ResultActive=no

But, it is not enough, because xfce too install a action to shutdown or reboot in /usr/share/polkit-1/actions/org.xfce.session.policy.
You must also create a pkla file for this action in /etc/polkit-1/localauthority/50-local.d/

cat /etc/polkit-1/localauthority/50-local.d/Reject_All_Users_To_Use_Xfce_Session_Policy.pkla 
[Reject all users to use xfce_session_policy]
Identity=unix-user:*
Action=org.xfce.session.xfsm-shutdown-helper
ResultAny=no
ResultInactive=no
ResultActive=no

Related Solutions

Xfce: Allow shutdown for non-root users

The xfce wiki offers a number of different solutions. The one I prefer uses hal and dbus.

Step 1: Find out how the user group for all things power is called in your distribution. Quoting the wiki:

Your /etc/dbus-1/system.d/hal.conf should contain a section similar to this:

<policy group="power">
  <allow send_interface="org.freedesktop.Hal.Device.SystemPowerManagement"/>
  ...
</policy>

Here, the user group is called power. On my debian installation, I found it is called powerdev.

Step 2: Again, from the wiki:

Add the user to the power group (root):

gpasswd -a <username> power

When you logout and login again, the shutdown and restart buttons should be sensitive. Note: Reboot or restart of the deamons required; just logging out to the xdm login screen is not sufficient.

Edit: The solution above didn't work on a fresh install. The following trick worked (Source):

Create /etc/polkit-1/localauthority/50-local.d/shutdownreboot.pkla and add the following:

[restart]
Identity=unix-user:*
Action=org.freedesktop.consolekit.system.restart
ResultAny=yes

[stop]
Identity=unix-user:*
Action=org.freedesktop.consolekit.system.stop
ResultAny=yes

Ssh – How to prevent shutdown when an SSH user is logged in

I would write a small program that checked for any active SSH connections via netstat and/or ps. Drop it in place of the shutdown command.

If no one else is using the machine, call shutdown when the user tries to. If someone is using the machine, simply warn the user who issued the shutdown command.

Netstat will give you output like this, and it's pretty easy to look for .ssh in the output.

netstat -a
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        State
tcp        0     52  10.5.6.xx.ssh          10.6.6.yy.51400        ESTABLISHED
tcp        0      0  *.ssh                  *.*                    LISTEN
udp        0      0  *.syslog               *.*

ps will give you output like this, but it's a bit harder because you have to make sure not to worry about outbound connections. Netstat is probably the right way to go.

  ps -e | grep ssh
      10084366 ?        00:00:07 /opt/sbin/sshd
        282647 ?        00:00:00 /opt/sbin/sshd

EDIT

Best Answer

Related Solutions

Xfce: Allow shutdown for non-root users

Ssh – How to prevent shutdown when an SSH user is logged in

Related Question