git.ipfire.org Git - thirdparty/systemd.git/commit

author	Nick Rosbrook <enr0n@ubuntu.com>
	Fri, 21 Mar 2025 19:14:20 +0000 (15:14 -0400)
committer	Nick Rosbrook <enr0n@ubuntu.com>
	Tue, 25 Mar 2025 20:15:34 +0000 (16:15 -0400)
commit	bc3a11097f673ce3c2e8ba500014f16402839e53
tree	cfa1f4778129384d4ae614c7e89326b7702dab90	tree \| snapshot
parent	4b1e7a582240bcc93e91524fcfdb96844a8d06bc	commit \| diff

login: add polkit example rules for allowing root to ignore inhibitors

The semantics of strong inhibitors require that POLKIT_ALWAYS_QUERY
always be set when checking if we can allow blocking inhibitors to be
ignored on shutdown, reboot, etc. With the default polkit rules and
policy, users may experience a situation where users in the sudo group
are authorized to run:

systemctl reboot --check-inhibitors=no

but the root user is not authorized. Instead, the following error is
given:

Call to Reboot failed: Interactive authentication required.

While this is correct according to the semantics of strong inhibitors,
it is confusing. To help the situation, provide example polkit rules
that allow root to perform these actions.

Finally, when root receives SD_BUS_ERROR_INTERACTIVE_AUTHORIZATION_REQUIRED
when calling e.g. systemctl reboot, print a message explaining that this
is due to the current polkit policy, and point to the new example rule.

Related: https://github.com/systemd/systemd/issues/36786

meson.build		diff \| blob \| blame \| history
src/login/10-systemd-logind-root-ignore-inhibitors.rules.example	[new file with mode: 0644]	blob
src/login/meson.build		diff \| blob \| blame \| history
src/systemctl/systemctl-logind.c		diff \| blob \| blame \| history