How could I give just reboot and shutdown permissions to a simple user in SLES 11 SP2?
does anybody has a answers?
Hi animati,
does anybody has a answers?
Probably, but first some questions:
What are you after? A way to permit users to shutdown/restart the system via CLI? Via login screen? Or were you looking for a different limitation, like “just reboot & shutdown, but not switching to a different run level”?
Regards,
Jens
via CLI and via login screen.
Hi animati,
via CLI: Creating the proper “sudo” permissions may help - the commands I would include are “/sbin/shutdown -h now” and “/sbin/shutdown -r now”, YMMV.
Login screen: have a look at “DISPLAYMANAGER_SHUTDOWN” in /etc/sysconfig/displaymanager, the comment section documents the options available.
With regards,
Jens
via CLI do you mean add commands in “visudo”?
Via login screen I changed to DISPLAYMANAGER_SHUTDOWN=“all” BUT when I shutdown and then shut down or restart, ask for root password yet!
Hi animati,
Yes, manual edits are best done via “visudo”, which updates the file “/etc/sudoers”. If you store sudo permissions i.e. in LDAP, you’ll have to use a different tool, though.
Have you run “SuSEconfig” before restarting, so the actual config files were updated?
Regards,
Jens
yes, I run “SuSEconfig”.
I tried also changing this in YaST->Security Center and Hardening->BootSettings-> Shuttdown Behaviour of Login Manager = All Users
BUT not work
Hi animati,
this then sounds like a bug to me, unless I have overlooked something. I’m without access to our test bed atm, so I cannot verify this myself. If you’re covered by a support contract, you might consider opening a ticket.
Regards,
Jens
I’m not covered anymore… this problem exists I think one year or more.
THE BIG problem is: when try to reboot or shutdown as not root user ask for root password.
Hi animati,
I cannot confirm the bug - my test server just rebooted when told so in the KDM menu. No logged-in user of course, and no question for a root passord. Just a plain reboot, as expected.
It seems there’s something else that is prohibiting this in your environment?
What display manager are you using at that stage - xdm or kdm or something else? Any output in any of the logs that may point to some cause?
Regards,
Jens
look these 3 images: http://imageshack.us/g/843/18940956.png/
I’m logged as single user.
First I entered YaST (ask root password) and set reboot for all users;
And than as single user ask for reboot/shutdown… ask root password AGAIN.
Hi animati,
seems my last reply got lost. If this is a duplicate, please disregard.
We’re talking about completely different things. The permission you’re setting per your first screen shot (which is the one I was referencing in my post, /etc/sysconfig/displaymanager:DISPLAYMANAGER_SHUTDOWN) is for the login manager (which is mentioned in the setting’s caption per your screen shot 
) - it permits a user to shut down the system from the login screen. “Alt-S” will take you to that shut down menu, unless you’re connecting from remote.
What you’re trying to invoke per your second screen shot is, AFAICT, controlled per policykit permissions. Have a look at org.freedesktop.consolekit.system.restart and org.freedesktop.consolekit.system.stop. There are “-multiple-users” instances of these permissions, too, but that’s not what you’d give ordinary users.
Regards,
Jens
yes, we had a disagreement.
now, we have /etc/polkit-default-privs.standard and /etc/polkit-default-privs.restrictive.
Both have:
should be consistent with hal
org.freedesktop.consolekit.system.stop auth_admin_keep_always:auth_admin_keep_always:yes
org.freedesktop.consolekit.system.stop auth_admin_keep_always:auth_admin_keep_always:yes
org.freedesktop.consolekit.system.stop-multiple-users auth_admin:auth_admin:yes
org.freedesktop.consolekit.system.restart auth_admin:auth_admin:yes
org.freedesktop.consolekit.system.restart-multiple-users auth_admin_keep_always:auth_admin_keep_always:yes
and also:
shutdown/reboot should be consistent with consolekit
org.freedesktop.hal.power-management.shutdown auth_admin_keep_always:auth_admin_keep_always:yes
org.freedesktop.hal.power-management.shutdown-multiple-sessions auth_admin:auth_admin:yes
org.freedesktop.hal.power-management.reboot auth_admin:auth_admin:yes
org.freedesktop.hal.power-management.reboot-multiple-sessions auth_admin_keep_always:auth_admin_keep_always:yes
Which line should I edit for shutdown and which line for reboot?
Each policy has “AAA:BBB:CCC” or just “AAA” (example: auth_admin_keep_always:auth_admin_keep_always:yes)
What does it means? (AAA, BBB and CCC)?
yes, we had a disagreement.
now, we have /etc/polkit-default-privs.standard and /etc/polkit-default-privs.restrictive.
Both have:
should be consistent with hal
org.freedesktop.consolekit.system.stop auth_admin_keep_always:auth_admin_keep_always:yes
org.freedesktop.consolekit.system.stop auth_admin_keep_always:auth_admin_keep_always:yes
org.freedesktop.consolekit.system.stop-multiple-users auth_admin:auth_admin:yes
org.freedesktop.consolekit.system.restart auth_admin:auth_admin:yes
org.freedesktop.consolekit.system.restart-multiple-users auth_admin_keep_always:auth_admin_keep_always:yes
and also:
shutdown/reboot should be consistent with consolekit
org.freedesktop.hal.power-management.shutdown auth_admin_keep_always:auth_admin_keep_always:yes
org.freedesktop.hal.power-management.shutdown-multiple-sessions auth_admin:auth_admin:yes
org.freedesktop.hal.power-management.reboot auth_admin:auth_admin:yes
org.freedesktop.hal.power-management.reboot-multiple-sessions auth_admin_keep_always:auth_admin_keep_always:yes
Which line should I edit for shutdown and which line for reboot?
Each policy has “AAA:BBB:CCC” or just “AAA” (example: auth_admin_keep_always:auth_admin_keep_always:yes)
What does it means? (AAA, BBB and CCC)?
Hi animati,
the triplet describes the settings for “any session”, “inactive session” and “active session”. See for example http://doc.opensuse.org/documentation/html/openSUSE_113/opensuse-security/cha.security.policykit.html#sec.security.policykit.change.modify_config.implicit , which includes a description of commands to invoke once you’ve changed your settings. Be aware that this doc is for openSUSE 11.3 - I’m not in the position for a proper web search right now, which I’m sure you’d be able to perform yourself if you find any indication that your system works differently.
While I have not found any explicit documentation on the other syntax (a single value AAA), I’m confident that it will simple configure “any session”, without any overrides for inactive or active session… a short cut for AAA:AAA:AAA.
Regards,
Jens
works!!
thanks a lot and regards…