polkit: allow non-local users to block sleep and shutdown 33491/head
authorZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Wed, 26 Jun 2024 10:27:10 +0000 (12:27 +0200)
committerZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Wed, 26 Jun 2024 13:04:06 +0000 (15:04 +0200)
We already had 'auth_admin_keep' for org.freedesktop.login1.reboot and similar
actions. If a user is allowed to perform an action, I think they should be
allowed to _block_ the same action. Guarding this by auth_admin follows the
general principle of not allowing fully unprivileged users to have too much say
over the machine.

src/login/org.freedesktop.login1.policy

index 012ee1448325c86bf8672919cd49444d9c80966a..226bb4cda436365e23f88af89ecb6dbe570e6ac2 100644 (file)
@@ -22,7 +22,7 @@
                 <description gettext-domain="systemd">Allow applications to inhibit system shutdown</description>
                 <message gettext-domain="systemd">Authentication is required for an application to inhibit system shutdown.</message>
                 <defaults>
-                        <allow_any>no</allow_any>
+                        <allow_any>auth_admin_keep</allow_any>
                         <allow_inactive>yes</allow_inactive>
                         <allow_active>yes</allow_active>
                 </defaults>
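Review bot: The new `auth_admin_keep` value on `<allow_any>` in this hunk, and the identical change in the sleep hunk at -44/+44, leaves no record in the policy file of why it is tied to the shutdown and sleep actions. A later edit to the reboot or suspend defaults could therefore leave these inhibit actions out of step with the actions they block. I would add a comment above the changed line, e.g. `<!-- allow_any mirrors the corresponding shutdown/sleep action: whoever may perform it may also block it -->`. Because the `_keep` variant retains the admin authorization for a short time, please also confirm that letting a non-local subject take further block inhibitors without a fresh prompt is intended; plain `auth_admin` would be the stricter choice. The enclosing `<action>` element starts and ends outside the hunk, so the action id is not visible here.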
@@ -44,7 +44,7 @@
                 <description gettext-domain="systemd">Allow applications to inhibit system sleep</description>
                 <message gettext-domain="systemd">Authentication is required for an application to inhibit system sleep.</message>
                 <defaults>
-                        <allow_any>no</allow_any>
+                        <allow_any>auth_admin_keep</allow_any>
                         <allow_inactive>yes</allow_inactive>
                         <allow_active>yes</allow_active>
                 </defaults>