Home | News | Download | Packages | Forum | Wiki | Github

[SOLVED] Normal user cannot shutdown


(Paul B.) #21

Well, good news - lightdm works fine. I can login, log out, lock the screen with slock. All is well. But…same situation with the wife’s account (only logout) but it’s fine.


#22

So there is no difference between lxdm and lightdm, for a user who is not in the wheel group?


(Paul B.) #23

Apparently not, which is rather ironic given that’s the reason I switched :rofl: No worries, both work fine.


#24

I think this issue is of relevance:


(Masato the Empty) #25

Quite a strange issue you’ve got going.

If you care for further troubleshooting, try running some of these commands (Arch wiki) from a terminal window when logged in on your wife’s account. Just try shutdown or restart, since XFCE doesn’t use the listed suspend action (xfce uses different actions, requested through upowerd, not consolekit).

It would be interesting to see if that works, or if you get an error (and what the nature of said error is).


(Paul B.) #26

Will experiment further tonight, thanks.


(Paul B.) #27

Sorry for the delay, finally found some time to do this. Results below.

dbus-send --system --print-reply --dest=“org.freedesktop.ConsoleKit” /org/freedesktop/ConsoleKit/Manager org.freedesktop.ConsoleKit.Manager.Stop
Error org.freedesktop.ConsoleKit.Manager.Error.InsufficientPermission: Not Authorized

dbus-send --system --print-reply --dest=“org.freedesktop.ConsoleKit” /org/freedesktop/ConsoleKit/Manager org.freedesktop.ConsoleKit.Manager.Restart
Error org.freedesktop.ConsoleKit.Manager.Error.InsufficientPermission: Not Authorized

Makes sense based on the information I have been given.


(Masato the Empty) #28

So I’ve done further testing to see if I can get your error, and it looks like ConsoleKit and dbus interactions are more complicated than I thought.

But here are some bits of info. Note I use lightdm and XFCE. Ignoring xfce buttons for now, and only concentrating on the ability to send these commands through dbus

  • No user is allowed to perform these actions when multiple users are logged in. This is actually default policy per /usr/share/polkit-1/actions/org.freedesktop.consolekit.policy
    • When no user is logged into X, lightdm has a CK session. Thus, no other user logged into a console may issue those commands from the console.
    • If that user logs into X, then the lightdm CK session is replaced by that user, and that user may issue those commands from X terminal, or from VT.
      • BUT ONLY IF no other users are also logged into X

With lightdm service disabled, ANYBODY can issue those commands and have them accepted, as long as he is the only user with CK sessions.

Note also that wheel membership doesn’t help here, except in that it allows you to use sudo to override multiuser settings (only wheel can gain root access via sudo by default)

Could the DM be causing the problem? If so, I don’t yet have a solid lead on what that might be. I’ll keep messing with it and see if there’s any way I can duplicate your problem.

However you may also be able to confirm whether or not I’m barking up the right tree by disabling your DM (stopping the service should be sufficient), and seeing if your wife’s login is allowed to perform those commands from a VT, as the sole logged-in user. (use ck-list-sessions to confirm that you have no other users with active sessions).


#29

I agree! :neutral_face: my understanding of this is very limited.

thanks @masato for the in-depth view into these :cactus: complicated things :scorpion:


(Paul B.) #30

Yes, thanks - i had no idea this thread would take on a life of its own :smile:


(Joseph George) #31

i’m a bit late to the party. but you can add this line to sudoers (preferably to sudoers.d/yourconf:
%users ALL=(ALL) NOPASSWD: /usr/sbin/shutdown, /usr/sbin/reboot, /usr/sbin/poweroff, /usr/sbin/halt

i don’t ever use *kit dbus etc


(Paul B.) #32

No worries, thanks for the tips.