Does anyone have a good way to restrict access to systemctl and some of its commands?

systemctl reboot or systemctl poweroff seem to take effect immediately, with no request for root permissions.

Charles Green
  • I believe they use a policykit system to determine whether or not a user can reboot or shut down the computer, hence why it doesn't prompt for credentials... don't quote me on this though. – Thomas Ward Mar 15 '16 at 16:25
  • @ThomasW. Being the crude and straight-forward person I am, I created a standard user named 'Bob'. Bob was able to do an immediate, unwarned system shutdown using systemctl poweroff – Charles Green Mar 16 '16 at 00:09
  • Is Bob the only person logged onto the computer, and is this directly on the system itself logged into the system itself (and not over SSH, etc.)? If so, then it should operate like the GUI "Shutdown" button - if there's more than one user logged on, it shouldn't permit the shutdown without verification, I believe. (it's still a policykit policy) – Thomas Ward Mar 16 '16 at 01:27
  • @ThomasW. I'll get two logged on and check - I should have assumed that it was more like the "shutdown" command, which requires credentials – Charles Green Mar 16 '16 at 03:22
  • @ThomasW. You were 1/2 right. Sort of. When two users were logged in, Bob was prevented from systemctl reboot. The system suggested ignoring other users with the -i option, and systemctl reboot -i caused immediate reboot without notice to the other users. I will start a session in a virtual machine and see if 'Bob' ssh'ing in can accomplish the same. – Charles Green Mar 16 '16 at 03:28
  • @ThomasW. In a test over ssh, my standard user was unable to execute the commands while a second user was logged in, so yes, if the user is directly logged on the system, then they are able to execute a shutdown, reboot (or possibly a halt, I did not test that). – Charles Green Mar 16 '16 at 03:48
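
The policykit behaviour discussed in the comments can be tightened with a local authority override. The following is an added example, not part of the original thread; it assumes a polkit version that reads .pkla files (newer releases use JavaScript rules under /etc/polkit-1/rules.d instead), and the file name is hypothetical.

```ini
# /etc/polkit-1/localauthority/50-local.d/10-restrict-power.pkla
# (hypothetical file name; constructed example)
#
# systemctl reboot / poweroff by an unprivileged user go through
# systemd-logind, which asks polkit about the org.freedesktop.login1.*
# actions. The stock policy allows these for a user in an active local
# session, which is why no credentials are requested at the console.
#
# This entry requires administrator authentication for every user and
# every session type. The trailing globs also cover the
# -multiple-sessions and -ignore-inhibit variants, i.e. the
# "systemctl reboot -i" case from the comments.

[Require admin authentication for reboot and poweroff]
Identity=unix-user:*
Action=org.freedesktop.login1.reboot*;org.freedesktop.login1.power-off*
# ResultActive   = local, active session (logged in at the console)
# ResultInactive = local but inactive session
# ResultAny      = everything else, e.g. SSH logins
ResultAny=auth_admin
ResultInactive=auth_admin
ResultActive=auth_admin
```

Root is always authorized by polkit, so `sudo systemctl reboot` keeps working for administrators. Setting a result to `no` instead of `auth_admin` denies the action outright for that session type.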

0 Answers