On Wed, Oct 28, 2020, 13:40 An Liu <sourceonly@xxxxxxxxx> wrote:
Hi, folks, I used to type systemctl reboot with non-privileged users, and to my surprise, the system goes down for the reboot. I've tested in both Debian and CentOS 7, they act the same, however, systemctl halt will prompt you to enter administrator password to continue. Is it default behavior by design?
Yes, but... Depends on whether the user is doing it locally or remotely, and whether they're the only person who's logged in or whether there are other users as well. There are different rules in systemd for these cases.
I'm not entirely sure why reboot is treated differently from halt, though. From my experience, *neither* is allowed over remote (SSH) sessions by default.
I don't think a non-privileged user could reboot the system as he/she wishes.
It hasn't been true for a long time that a user is either fully privileged or not privileged at all, and nothing in between.
For example, in the case of systemctl, locally logged in users are allowed to call `systemctl poweroff` because they could just as well pull the plug. But the exact same user, logged in via SSH, will not be allowed it.
In most everyday installations (talking about other operating systems), rebooting the local system is a default privilege that even "unprivileged" users have...
And I do think that defaults should be suitable for the majority, leaving the burden of customization to unusual sites (kiosks, clusters) – not the other way around.
btw, I'm in an HPC-related domain. If this behavior of systemctl is allowed, every single user could reboot the whole cluster as they wish; it's a disaster.
Then don't allow it. Change your polkit (PolicyKit) rules to block all reboot-related actions.
(Check the journal to see which specific action was authorized, though – the same reboot command can use a few different action IDs to apply different rules.)
If CentOS uses JS-based rules, here are some examples: https://gist.github.com/grawity/3886114
Debian's polkit uses the older .pkla format, which is simpler but I don't have a good example on hand.
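
An added example, not part of the original message or the linked gist: a JS-format polkit rule that denies the logind reboot, power-off and halt actions to everyone outside an admin group, covering the several action IDs each command can map to. The file name, the `wheel` group and the `pk` stand-in (used only so the logic can be run outside polkitd) are assumptions.

```javascript
// Example polkit rule, e.g. /etc/polkit-1/rules.d/10-restrict-power.rules
// (the file name and the "wheel" admin group are assumptions for this example).
var ADMIN_GROUP = "wheel";
var PREFIX = "org.freedesktop.login1.";
var VERBS = ["reboot", "power-off", "halt"];
// logind registers each verb under several action IDs; cover all of them.
var VARIANTS = ["", "-multiple-sessions", "-ignore-inhibit"];

// polkitd provides the `polkit` global. The stand-in below only lets the
// decision logic run under node for testing; it is not part of polkit.
var pk = (typeof polkit !== "undefined") ? polkit : {
    Result: { NO: "no", AUTH_ADMIN: "auth_admin" },
    addRule: function () {},
    log: function () {}
};

// True only for an exact verb + variant match under the logind prefix.
function isPowerAction(id) {
    if (id.indexOf(PREFIX) !== 0) return false;
    var rest = id.slice(PREFIX.length);
    for (var v = 0; v < VERBS.length; v++) {
        for (var s = 0; s < VARIANTS.length; s++) {
            if (rest === VERBS[v] + VARIANTS[s]) return true;
        }
    }
    return false;
}

function restrictPower(action, subject) {
    // Not a power action: return nothing so other rules and defaults decide.
    if (!isPowerAction(action.id)) return undefined;
    // Admin group members must still authenticate as an administrator.
    if (subject.isInGroup(ADMIN_GROUP)) return pk.Result.AUTH_ADMIN;
    // Everyone else is refused, local or remote; leave a trace in the journal.
    pk.log("denied " + action.id + " for " + subject.user);
    return pk.Result.NO;
}

pk.addRule(restrictPower);
```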