logind: allow any user to request lingering

We enable lingering for anyone who wants this. It is still disabled by
default to avoid keeping long-running processes accidentally.
Admins might want to customize this policy on multi-user sites.

diff --git a/NEWS b/NEWS
index 7199a672011f5d4ff1baad0bd81fecd2f156a6f0..3924264e6f9bf189e2fa69eb76a0fdb16d8219ed 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -40,8 +40,9 @@ CHANGES WITH 230 in spe:
           After the user logs out of all sessions, user@.service will be
           terminated too, by default, unless the user has "lingering" enabled.
           To effectively allow users to run long-term tasks even if they are
-          logged out, lingering must be enabled for them. See loginctl(1)
-          for details.
+          logged out, lingering must be enabled for them. See loginctl(1) for
+          details. The default polkit policy was modified to allow users to
+          set lingering for themselves without authentication.
 
           Previous defaults can be restored at compile time by the
           --without-kill-user-processes option.

diff --git a/src/login/logind-dbus.c b/src/login/logind-dbus.c
index 1d3133ee252338ca913ec711f1c04e9e87061b08..a281f99a343199c3526d945d69e79a65b5158e3a 100644 (file)
--- a/src/login/logind-dbus.c
+++ b/src/login/logind-dbus.c
@@ -1077,11 +1077,11 @@ static int method_terminate_seat(sd_bus_message *message, void *userdata, sd_bus
 static int method_set_user_linger(sd_bus_message *message, void *userdata, sd_bus_error *error) {
         _cleanup_free_ char *cc = NULL;
         Manager *m = userdata;
-        int b, r;
+        int r, b, interactive;
         struct passwd *pw;
         const char *path;
         uint32_t uid;
-        int interactive;
+        bool self = false;
 
         assert(message);
         assert(m);
@@ -1102,6 +1102,8 @@ static int method_set_user_linger(sd_bus_message *message, void *userdata, sd_bu
                 if (r < 0)
                         return r;
 
+                self = true;
+
         } else if (!uid_is_valid(uid))
                 return -EINVAL;
 
@@ -1113,7 +1115,7 @@ static int method_set_user_linger(sd_bus_message *message, void *userdata, sd_bu
         r = bus_verify_polkit_async(
                         message,
                         CAP_SYS_ADMIN,
-                        "org.freedesktop.login1.set-user-linger",
+                        self ? "org.freedesktop.login1.set-self-linger" : "org.freedesktop.login1.set-user-linger",
                         NULL,
                         interactive,
                         UID_INVALID,

diff --git a/src/login/org.freedesktop.login1.policy.in b/src/login/org.freedesktop.login1.policy.in
index 23326bb79feedf56adae5099e835c86665f92576..1fa64416294ce194331c2d46638ce028f599db5f 100644 (file)
--- a/src/login/org.freedesktop.login1.policy.in
+++ b/src/login/org.freedesktop.login1.policy.in
@@ -111,6 +111,14 @@
                 </defaults>
         </action>
 
+        <action id="org.freedesktop.login1.set-self-linger">
+                <_description>Allow non-logged-in user to run programs</_description>
+                <_message>Explicit request is required to run programs as a non-logged-in user.</_message>
+                <defaults>
+                        <allow_any>yes</allow_any>
+                </defaults>
+        </action>
+
         <action id="org.freedesktop.login1.set-user-linger">
                 <_description>Allow non-logged-in users to run programs</_description>
                 <_message>Authentication is required to run programs as a non-logged-in user.</_message>