Systemd
-
So all arguments about systemd vs init aside, I have found one issue I don't really like with systemd. Apparently, as an unprivileged user you can reboot, suspend, and poweroff a system with
systemctl reboot
,systemctl suspend
, andsystemctl poweroff
-
What platforms have you tested this on? That's surprising. I'm going to go look now. How could that have been missed?
-
@scottalanmiller said:
What platforms have you tested this on? That's surprising. I'm going to go look now. How could that have been missed?
Tested Fedora 23, CentOS 7, and Ubuntu 15.10
-
Wow, that's crazy.
-
Apparently it won't let you if more than one person is in a shell session, but still.
-
Something is still seriously wrong. Have you found any documentation talking about it?
-
@johnhooks said:
Apparently it won't let you if more than one person is in a shell session, but still.
And what happens when you run "systemctl reboot -i"?
In Debian both cases, give me "Failed to start reboot.target: Access denied"
-
I did it as one unprivileged user on CentOS 7 and it asked me for the password of a different users, very odd.
-
@scottalanmiller said:
Something is still seriously wrong. Have you found any documentation talking about it?
The only thing I saw was a post of someone defending systemd. She just added it at the bottom of the list of things like it was a feature.
https://www.linux.com/learn/tutorials/794615-systemd-runlevels-and-service-management
-
@scottalanmiller said:
I did it as one unprivileged user on CentOS 7 and it asked me for the password of a different users, very odd.
ya I just tried one that I created. I guess I did try it from my account, which is in the wheel group. Still, why is it asking for a privileged user account password instead of just denying? Now all I have to do is correctly guess the users password, vs just being flat out denied and not able to elevate to root.
I think this is handled with polkit, but I haven't figured out how to change it yet.
-
Here's what you get when you reboot that way. In /var/log/secure
Jan 23 08:30:57 ZeroTier polkitd[800]: Operator of unix-process:26388:3662705 successfully authenticated as unix-user:jhooks to gain TEMPORARY authorization for action org.freedesktop.login1.reboot for system-bus-name::1.41 [systemctl reboot] (owned by unix-user:test)
-
@johnhooks said:
@scottalanmiller said:
I did it as one unprivileged user on CentOS 7 and it asked me for the password of a different users, very odd.
ya I just tried one that I created. I guess I did try it from my account, which is in the wheel group. Still, why is it asking for a privileged user account password instead of just denying? Now all I have to do is correctly guess the users password, vs just being flat out denied and not able to elevate to root.
I think this is handled with polkit, but I haven't figured out how to change it yet.
Asking for a password is normal, every used has the right to run su, it's just asking if your su is verified.
-
@scottalanmiller said:
@johnhooks said:
@scottalanmiller said:
I did it as one unprivileged user on CentOS 7 and it asked me for the password of a different users, very odd.
ya I just tried one that I created. I guess I did try it from my account, which is in the wheel group. Still, why is it asking for a privileged user account password instead of just denying? Now all I have to do is correctly guess the users password, vs just being flat out denied and not able to elevate to root.
I think this is handled with polkit, but I haven't figured out how to change it yet.
Asking for a password is normal, every used has the right to run su, it's just asking if your su is verified.
Ah good point, I guess that's no different than
su jhooks
and thensudo reboot
-
Seems to be that way.