[rhelv6-list] how to remove 'shut down' from system menu?

Alois Treindl alois at astro.ch
Wed Oct 5 20:46:31 UTC 2011


Thanks a lot, Andrew.

Still complicated, but manageable.

Why did Red Hat not put in a feature to remove the shutdown?

/sbin/halt and /sbin/reboot need root permission, too. Why not the Gnome 
menu command???


On 10/05/2011 04:09 PM, Feldt, Andrew N. wrote:
> Alois,
>
> I do this (in spite of the concerns given by the previous
> posters - users are far less likely to push the physical
> button, especially if it is on the other side of a panel
> and if word gets around that the system manager greatly
> frowns on this).  However, my policy kit files are slightly
> different from the ones posted at the link that was given.
>
> I create a separate policy kit file for each action and
> have (all in /etc/polkit-1/localauthority/50-local.d):
>
> stop.pkla containing
>
> [Normal User Stop Permissions]
> Identity=unix-user:*
> Action=org.freedesktop.consolekit.system.stop
> ResultAny=no
> ResultInactive=no
> ResultActive=auth_admin
>
> an identical file called restart.pkla which is the
> same as the above except that [Ss]top is replaced
> with [Rr]estart everywhere.
>
> And, to be complete, I have the power related
> files hibernate.pkla and suspend.pkla with:
>
> [Normal User Suspend Permissions]
> Identity=unix-user:*
> Action=org.freedesktop.devicekit.power.suspend
> ResultAny=no
> ResultInactive=no
> ResultActive=auth_admin
>
> with [Ss]uspend replaced by [Hh]ibernate in its
> file.
>
> The 'ResultActive=auth_admin' means that any attempt
> to use buttons to power off or restart the system
> results in a prompt requiring authentication.  This
> also helps to reinforce the idea that normal users
> are not supposed to shut down or restart systems.
>
> This has been very successful in a lab full of machines
> which are also used in a Condor pool and for remote
> login access.  (Remote users get quite grumpy if someone
> suddenly shuts down the system they have been editing a
> file on for several hours ;-)
>
> The 'pkaction' command is quite useful in finding out
> what policies exist and how they are set so that you
> can change them in this fashion.
>
> Andy
>
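
The four policy files described in the quoted message can be generated and checked in one pass. This script is an added example, not part of either poster's message; the restart and hibernate action names follow the substitution the message describes, and the scratch-directory default for `PKLA_DIR` is an assumption so that it can be run without root.

```shell
#!/bin/sh
# Added example: write the four .pkla files from the quoted message, then
# check that each action is locked down. PKLA_DIR defaults to a scratch
# directory (assumption, for a dry run); the location named in the message
# is /etc/polkit-1/localauthority/50-local.d.

# write_pkla DIR FILEBASE TITLE ACTION
write_pkla() {
    cat > "$1/$2.pkla" <<EOF
[Normal User $3 Permissions]
Identity=unix-user:*
Action=$4
ResultAny=no
ResultInactive=no
ResultActive=auth_admin
EOF
    chmod 644 "$1/$2.pkla"
}

# generate_all DIR: one file per action, as in the message
generate_all() {
    mkdir -p "$1" || return 1
    write_pkla "$1" stop      Stop      org.freedesktop.consolekit.system.stop
    write_pkla "$1" restart   Restart   org.freedesktop.consolekit.system.restart
    write_pkla "$1" suspend   Suspend   org.freedesktop.devicekit.power.suspend
    write_pkla "$1" hibernate Hibernate org.freedesktop.devicekit.power.hibernate
}

# check_pkla DIR: succeed only if all four actions have a rule that denies
# remote/inactive sessions and demands admin authentication on the console
check_pkla() {
    for a in consolekit.system.stop consolekit.system.restart \
             devicekit.power.suspend devicekit.power.hibernate; do
        f=$(grep -l "^Action=org\.freedesktop\.$a\$" "$1"/*.pkla 2>/dev/null | head -n 1)
        [ -n "$f" ] || { echo "missing rule for $a" >&2; return 1; }
        for want in ResultAny=no ResultInactive=no ResultActive=auth_admin; do
            grep -qx "$want" "$f" || { echo "$f: expected $want" >&2; return 1; }
        done
    done
}

PKLA_DIR=${PKLA_DIR:-$(mktemp -d)}
generate_all "$PKLA_DIR" && check_pkla "$PKLA_DIR" && echo "rules written to $PKLA_DIR"
```

Run it as root with `PKLA_DIR` set to the directory named in the message to install the rules; `check_pkla` can be re-run later to confirm that nobody has loosened them.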



