
Who has rights to override/ignore systemd inhibitors?



Hello. I have realized that my user (groups: tty,disk,mail,news,dialout,voice,sudo,audio,www-data,video,plugdev,users,mlocate,kvm,vboxusers,libvirt) can ignore inhibitors (such as root being logged in) using "systemctl suspend/poweroff/etc -i" without a password prompt (with the standard polkit configuration and without NOPASSWD in sudoers). I have asked on systemd-devel why this happens, and Lennart has answered that authentication is handled by the Polkit policy in the file /usr/share/polkit-1/actions/org.freedesktop.login1.policy

That's what I have in this file:

        <action id="org.freedesktop.login1.power-off-ignore-inhibit">
                <description>Power off the system while an application asked to inhibit it</description>
                <message>Authentication is required for powering off the system while an application asked to inhibit it.</message>
                <defaults>
                        <allow_any>auth_admin_keep</allow_any>
                        <allow_inactive>auth_admin_keep</allow_inactive>
                        <allow_active>auth_admin_keep</allow_active>
                </defaults>
                <annotate key="org.freedesktop.policykit.imply">org.freedesktop.login1.power-off</annotate>
        </action>

It seems like authentication IS required to poweroff/suspend/etc. the system, disregarding inhibitors. However, on my system, without any special polkit configuration, a standard user (which is in the groups mentioned above) can ignore inhibitors by running systemctl poweroff -i without being asked for authentication. Could you please help me to understand why this happens and how I can change this behaviour? Thank you.
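
Added example, not part of the original post and not systemd or polkit project code: a small audit that reads the <defaults> of each action in a polkit .policy file and lists the "-ignore-inhibit" actions that any subject class may perform without a prompt. The sample policy is constructed; its second action (org.example.demo-ignore-inhibit) and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the format of org.freedesktop.login1.policy. The first
# action is the one quoted in the post; the second is a made-up permissive one.
SAMPLE_POLICY = """<policyconfig>
  <action id="org.freedesktop.login1.power-off-ignore-inhibit">
    <defaults>
      <allow_any>auth_admin_keep</allow_any>
      <allow_inactive>auth_admin_keep</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.imply">org.freedesktop.login1.power-off</annotate>
  </action>
  <action id="org.example.demo-ignore-inhibit">
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>auth_admin_keep</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
</policyconfig>"""

SUBJECTS = ("allow_any", "allow_inactive", "allow_active")

def read_defaults(policy_xml):
    """Map action id -> {subject class: implicit authorization} from <defaults>."""
    result = {}
    for action in ET.fromstring(policy_xml).iter("action"):
        defaults = action.find("defaults")
        result[action.get("id")] = {
            # Assumption: a missing allow_* element is treated as "no".
            s: (defaults.findtext(s, "no").strip() if defaults is not None else "no")
            for s in SUBJECTS
        }
    return result

def passwordless(policy_xml, suffix="-ignore-inhibit"):
    """Return (action id, subject class) pairs whose default is 'yes' (no prompt)."""
    return [(aid, s) for aid, d in read_defaults(policy_xml).items()
            if aid.endswith(suffix) for s, v in d.items() if v == "yes"]

if __name__ == "__main__":
    # Only the shipped defaults are read; local polkit rules can override them.
    for aid, d in read_defaults(SAMPLE_POLICY).items():
        print(aid, d)
    print("no prompt by default:", passwordless(SAMPLE_POLICY))
```

To audit a real system, pass the text of /usr/share/polkit-1/actions/org.freedesktop.login1.policy to the same functions; a clean result there means the behaviour comes from somewhere other than the shipped defaults.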

