Tony0945 Watchman
Joined: 25 Jul 2006 Posts: 5127 Location: Illinois, USA
|
Posted: Sat Nov 11, 2017 12:59 am Post subject: xdm restarts instead of shutting down [SOLVED] |
|
|
When my ordinary user shuts down from the XDM menu, it says it's shutting down but instead it just restarts XDM. When root does it, it actually shuts off.
The user belongs to wheel, /sbin/shutdown's mode is 755 and I have implemented Neddyseagoon's fix of adding
Code: | %wheel ALL=(ALL) NOPASSWD: /sbin/halt, /sbin/reboot |
to /etc/sudoers.
I hate to tell my user to use the power switch to shut down a running computer. Or to give her the root password in order to shut down.
DE is Mate 1.12 without policy kit. I have two other computers like that and ordinary users can shut them down and reboot them.
I see nothing in any log.
EDIT:
The restart button does work.
Last edited by Tony0945 on Sat Nov 11, 2017 9:34 pm; edited 1 time in total |
miket Guru
Joined: 28 Apr 2007 Posts: 488 Location: Gainesville, FL, USA
|
Posted: Sat Nov 11, 2017 3:37 am Post subject: |
|
|
It looks like you're not worshiping at the altar of Pol(icy)?Kit and ConsoleKit. It's a nice attempt to get away from them but DE's nowadays are leaving you high and dry.
Shutdowns or reboots in most DE's (I'm not sure about Mate, but I've seen this to be the case in the likes of LXQT, Lumina, and KDE) happen only through the Pol(icy)?Kit gatekeeper. I really wish that weren't the case, but it is. Setting up the wheel group in the sudoers file won't do the trick: the PolicyKit path does not go through sudo.
There are two ways around this short of installing Polkit and its evil friends: patch the DE not to use Polkit but to run the shutdown command with sudo, or set up your own command or button or whatever to call sudo without hooking into the Mate code. I don't know that there is a nice GUI tool for this, but with your current sudoers file you could have your user type
Code: | sudo shutdown -h now |
The first path is very painful, the second not as much.
Most of the DE's I've tried without Polkit either suppress the selections for Shutdown, Reboot, Suspend, and Hibernate or show these options but do nothing if you select one of them. Only the logout function works in these cases. The effect of the logout is to take you back to XDM. It looks like Mate combines the two things for some reason: it makes the Shutdown selection available but in the absence of Polkit it just does a logout.
To get the real shutdown to happen, you have to use a non-Polkit method. |
Hu Moderator
Joined: 06 Mar 2007 Posts: 21633
|
Posted: Sat Nov 11, 2017 5:30 pm Post subject: Re: xdm restarts instead of shutting down |
|
|
Tony0945 wrote: | I hate to tell my user to use the power switch to shut down a running computer. |
Could you elaborate on this concern? I agree that teaching users to use the press-and-hold that hard stops a computer is a very bad idea. However, modern systems generate an ACPI event for a press-and-quick-release of the power button. With the right acpid configuration, that ACPI event can trigger any program (including shutdown) as root. This can allow physically present users to initiate a graceful system shutdown without logging in. This is often useful to have even if you don't use it as a primary method, if for no other reason than because it can be tried before resorting to a hard-off. |
Tony0945 Watchman
Joined: 25 Jul 2006 Posts: 5127 Location: Illinois, USA
|
Posted: Sat Nov 11, 2017 9:28 pm Post subject: Re: xdm restarts instead of shutting down |
|
|
Hu wrote: | Could you elaborate on this concern? I agree that teaching users to use the press-and-hold that hard stops a computer is a very bad idea. However, modern systems generate an ACPI event for a press-and-quick-release of the power button. With the right acpid configuration, that ACPI event can trigger any program (including shutdown) as root. This can allow physically present users to initiate a graceful system shutdown without logging in. This is often useful to have even if you don't use it as a primary method, if for no other reason than because it can be tried before resorting to a hard-off. |
This system is five years old so I don't know if it has that feature. It looks like ACPI is something I should learn about. |
Tony0945 Watchman
Joined: 25 Jul 2006 Posts: 5127 Location: Illinois, USA
|
Posted: Sat Nov 11, 2017 9:34 pm Post subject: |
|
|
%wheel ALL=(ALL) NOPASSWD: /sbin/halt, /sbin/reboot didn't work for shutdown but reboot did work.
%wheel ALL=(ALL) NOPASSWD: /sbin/halt, /sbin/reboot, /sbin/shutdown didn't work.
%wheel ALL=(ALL) NOPASSWD didn't work.
username ALL=(ALL) NOPASSWD works if you add a line for each username. I can shut down on the other boxes as a user because I have the line
tony ALL=(ALL) NOPASSWD because I got tired of always adding the root password on my own machines.
Yes, all users are in wheel. If I change the tony= ... line on the other boxes to %wheel =, shutdown stops working.
So solved, sort of, but with an unsatisfactory broadening of power. |
Tony0945 Watchman
Joined: 25 Jul 2006 Posts: 5127 Location: Illinois, USA
|
Posted: Sat Nov 11, 2017 9:40 pm Post subject: |
|
|
miket,
Thanks for the comments. I fear Linux is being dragged down into the RedHat/Windows clone black hole. |
Hu Moderator
Joined: 06 Mar 2007 Posts: 21633
|
Posted: Sun Nov 12, 2017 12:45 am Post subject: |
|
|
I had working ACPI soft-off in a desktop system back in 2009, and the idea of ACPI soft-off wasn't new even then.
Since you got it working by broadening permissions, that suggests you haven't found the right command(s) to whitelist yet, so you had to allow everything in order to make it work. You should get a log message for both successful and failed sudo calls. That should tell you what command(s) are required to make this work with a minimum of extra permission.
Considering the use case, you could substantially restrict the effect of the sudo ability by arranging that all processes other than the ancestors of sudo are run with setpriv --no-new-privs. This is effectively a per-process inheritable irrevocable nosuid flag. Processes with that flag can never setuid up, no matter what they try to run. Ensure that the user's browser/mail client/etc. run with that, and even a very broad sudo grant will be safe (relative to those processes directly executing sudo, but not relative to those processes maliciously modifying user startup files). |
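Hu's suggestion of reading the sudo log to find the command(s) to whitelist, worked through as an added example that is not part of the original thread. It assumes sudo's default syslog line format; the log lines are constructed, the function names are hypothetical, and the `(root)` run-as target is an assumption taken from `USER=root` in the sample.

```shell
#!/bin/sh
# Added example: list the commands sudo refused, then build a narrow rule.
# Constructed sample of sudo syslog lines (host, user and times are made up).
sample_log() {
cat <<'EOF'
Nov 11 21:20:03 box sudo:     anna : command not allowed ; TTY=pts/0 ; PWD=/home/anna ; USER=root ; COMMAND=/sbin/shutdown -h now
Nov 11 21:21:40 box sudo:     anna : TTY=pts/0 ; PWD=/home/anna ; USER=root ; COMMAND=/sbin/reboot
Nov 11 21:25:12 box sudo:     anna : command not allowed ; TTY=unknown ; PWD=/home/anna ; USER=root ; COMMAND=/sbin/poweroff
Nov 11 21:26:00 box sudo:     anna : command not allowed ; TTY=pts/0 ; PWD=/home/anna ; USER=root ; COMMAND=/sbin/shutdown -h now
EOF
}

# Read log lines on stdin; print each refused command line once, sorted.
# Allowed invocations (no "command not allowed" marker) are ignored.
denied_commands() {
    awk '/sudo/ && /command not allowed/ {
             i = index($0, "COMMAND=")          # 8 characters long
             if (i) print substr($0, i + 8)     # keep path and arguments
         }' | LC_ALL=C sort -u
}

# Read log lines on stdin; print one candidate sudoers rule for group $1.
# Arguments are kept so the rule permits only the exact invocation seen.
# Assumption: no argument contains , : = or \ (sudoers requires those to
# be backslash-escaped, which this sketch does not do).
candidate_rule() {
    denied_commands | awk -v grp="$1" '
        { list = list (NR > 1 ? ", " : "") $0 }
        END { if (NR) printf "%%%s ALL=(root) NOPASSWD: %s\n", grp, list }'
}

# Stand-alone run on the constructed sample.
sample_log | candidate_rule wheel
```

Review the candidate line before installing it, and check the edited file with `visudo -c -f` before it goes live.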
Tony0945 Watchman
Joined: 25 Jul 2006 Posts: 5127 Location: Illinois, USA
|
Posted: Mon Nov 27, 2017 11:31 pm Post subject: |
|
|
Well, the commands stopped working. I was able to determine that the commands come through mate-control-center rather than xdm.
However, I checked per Hu's suggestion and acpid is running and after actually reading "man acpi" and viewing the shell scripts referenced there, it appears that after holding the power button down for four seconds, acpid notifies the kernel which starts orderly shutdown. So, that's the way for the user to do it. Typing "halt" or "reboot" when logged in as root in a VT or terminal also works.
Sorry for the late reply, I just got back from Alabama. After AT&T installed the modem, net.eth0 wouldn't connect. I forget the error. "no response" maybe? However, net.wlan0 connected right away wirelessly after I fixed the passphrase and SSID to what was on the modem sticker. So I did "rc-update del net.eth0 boot". No sense in a high speed connection to a modem running 3.0 Mbps (yes, that's not a misprint!). Even more surprising, YouTube works fine.
I get "alsactl missing" errors but redirecting YouTube to the 24" TV via HDMI, the TV gives sound. (???) Good enough. |
Hu Moderator
Joined: 06 Mar 2007 Posts: 21633
|
Posted: Tue Nov 28, 2017 3:26 am Post subject: |
|
|
Four seconds might be necessary on some systems, but on every system where I have done this, it is sufficient to fully depress the button, then immediately release it. I don't like holding the button for a long time because if you hold it for too long (typically 8 seconds, although some quick Google searches suggest 10 seconds), that asks the firmware to drop power without alerting the OS. That triggers an unclean halt, so filesystems are not synced, the journal must be replayed, data may be lost, etc. I prefer the quick tap-and-release because it does not require counting time. |