[Bug 1969593] Re: rules to prevent non-root users from rebooting not taken into account
Frédéric Giquel
1969593 at bugs.launchpad.net
Wed Apr 27 13:44:04 UTC 2022
Additional information.
Reboot is not authorized when the (non-root) user is connected via SSH. We got the following message:
$ reboot
Failed to set wall message, ignoring: Interactive authentication required.
Failed to reboot system via logind: Access denied
Failed to open initctl fifo: Permission non accordée
Failed to talk to init daemon.
The problem seems to only appear in a graphical or TTY session.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1969593
Title:
rules to prevent non-root users from rebooting not taken into account
Status in policykit-1 package in Ubuntu:
New
Status in systemd package in Ubuntu:
New
Bug description:
On a fresh Ubuntu Jammy installation, I add a "/etc/polkit-1/localauthority/90-mandatory.d/restriction.pkla" file with the following contents:
[Disable power-off]
Identity=unix-user:*
Action=org.freedesktop.login1.power-off
ResultActive=no
ResultInactive=no
ResultAny=no
[Disable power-off when others are logged in]
Identity=unix-user:*
Action=org.freedesktop.login1.power-off-multiple-sessions
ResultActive=no
ResultInactive=no
ResultAny=no
[Disable_reboot]
Identity=unix-user:*
Action=org.freedesktop.login1.reboot
ResultActive=no
ResultInactive=no
ResultAny=no
[Disable_reboot_when_others_are_logged_in]
Identity=unix-user:*
Action=org.freedesktop.login1.reboot-multiple-sessions
ResultActive=no
ResultInactive=no
ResultAny=no
It must prevent non-root users from shutting down and rebooting the system. But it only prevents shutting down. Rebooting is still possible for a non-root user.
We can see it using the pkcheck command (as a non-root user):
$ pkcheck --action-id org.freedesktop.login1.power-off --process $PPID ; echo $?
Not authorized.
1
$ pkcheck --action-id org.freedesktop.login1.reboot --process $PPID ; echo $?
0
As this problem can lead to unexpected reboots on multi-user systems (an availability concern), I checked the "This bug is a security vulnerability" box.
ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: policykit-1 0.105-33
ProcVersionSignature: Ubuntu 5.15.0-25.25-generic 5.15.30
Uname: Linux 5.15.0-25-generic x86_64
ApportVersion: 2.20.11-0ubuntu82
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: ubuntu:GNOME
Date: Wed Apr 20 10:53:27 2022
InstallationDate: Installed on 2022-04-20 (0 days ago)
InstallationMedia: Ubuntu 22.04 LTS "Jammy Jellyfish" - Release amd64 (20220419)
ProcEnviron:
TERM=xterm-256color
PATH=(custom, no username)
XDG_RUNTIME_DIR=<set>
LANG=fr_FR.UTF-8
SHELL=/bin/bash
SourcePackage: policykit-1
UpgradeStatus: No upgrade log present (probably fresh install)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/policykit-1/+bug/1969593/+subscriptions
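An added example, not part of the bug report or of polkit: a check that separates "the .pkla file has no deny rule for this action" from "the rule is there but polkit still authorizes the action", which is the symptom reported above. The function names are hypothetical, and the parser is a simplified reading of the .pkla format (assumed: `Identity` and `Action` are semicolon-separated lists, `Action` entries may be globs).

```python
import configparser, fnmatch, os, subprocess

# Constructed sample: two of the four entries from the bug description.
SAMPLE_PKLA = """
[Disable power-off]
Identity=unix-user:*
Action=org.freedesktop.login1.power-off
ResultActive=no
ResultInactive=no
ResultAny=no
[Disable_reboot]
Identity=unix-user:*
Action=org.freedesktop.login1.reboot
ResultActive=no
ResultInactive=no
ResultAny=no
"""
WANTED = ["org.freedesktop.login1." + a for a in
          ("power-off", "power-off-multiple-sessions", "reboot", "reboot-multiple-sessions")]
RESULT_KEYS = ("ResultAny", "ResultInactive", "ResultActive")

def denied_actions(pkla_text, wanted=WANTED):
    """Action ids that some entry for unix-user:* answers 'no' in every session state."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keep key case as written in the file
    cp.read_string(pkla_text)
    denied = set()
    for name in cp.sections():
        entry = cp[name]
        if "unix-user:*" not in entry.get("Identity", "").split(";"):
            continue  # simplification: only entries that cover every user count
        globs = [g for g in entry.get("Action", "").split(";") if g]
        if all(entry.get(k) == "no" for k in RESULT_KEYS):
            denied.update(a for a in wanted
                          if any(fnmatch.fnmatchcase(a, g) for g in globs))
    return denied

def pkcheck_allows(action, pid):
    """Same query as on the page: pkcheck exit status 0 means authorized."""
    cmd = ["pkcheck", "--action-id", action, "--process", str(pid)]
    return subprocess.run(cmd, capture_output=True).returncode == 0

def audit(pkla_text, allows=pkcheck_allows, pid=None, wanted=WANTED):
    """Per action: 'no-deny-rule', 'enforced', or 'rule-ignored' (file says no, polkit says yes)."""
    pid = os.getppid() if pid is None else pid  # default: the invoking shell
    denied = denied_actions(pkla_text, wanted)
    return {a: "no-deny-rule" if a not in denied
            else "rule-ignored" if allows(a, pid) else "enforced"
            for a in wanted}
```

With the default `allows`, `audit` runs the `pkcheck` query from the report for each action, so the result reflects the session it is called from (SSH, TTY or graphical).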