GNOME Bugzilla – Bug 372738
Restrict shutdown privileges
Last modified: 2007-04-19 08:20:18 UTC
We've gotten requests from several of our customers for GDM to be able to prevent users from shutting down the local host easily. This does seem to make sense in some situations - e.g. in kiosks and other situations where the user doesn't have physical access to the local host, or simply as a usability anti-"whoops" feature. I've cooked up a patch against GDM 2.16.1 which introduces two configuration options (with defaults): [security] AllowShutdown=true SecureShutdown=false The former, when false, prevents the shutdown, reboot and suspend choices from being shown in gdmgreeter/gdmlogin/logout dialog. The latter, when true, will cause GDM to prompt for the root password on shutdown, reboot and suspend (and will disable those in the logout dialog).
Created attachment 76243: Shutdown privilege restriction.
I have some issues with this patch: 1) What is the value of AllowShutdown? If the sysadmin doesn't want the various commands to be available, he can set them to null (empty or nonvalid command values) and the choices go away. Does adding a new AllowShutdown really add any additional value? 2) Why call the new key AllowShutdown and SecureShutdown when it is supposed to work with reboot and suspend also? (and probably should work with the custom commands - see comment #4 below). 3) You say that when SecureShutdown is false that this disables the shutdown/reboot/suspend choices from the logout dialog. Do you mean to say that this patch causes QUERY_LOGOUT_ACTION to return that it does not support the action and causes SET_LOGOUT_ACTION and SET_SAFE_LOGOUT_ACTION to not allow the user to cause the logout action to be set? 4) Note in GDM there are new custom commands. This patch should also work for the custom commands, I'd think. 5) You did not update the documentation in docs/C/gdm.xml to explain these new configuration options you are adding. I will not accept a patch that modifies how GDM can be configured without doc updates. Also your patch doesn't seem to update config/gdm.conf.in with the new configuration options and comments, which it should. Note the comment in daemon/gdm.h at line 142 which explains what is expected when you add new configuration keys to GDM. It doesn't seem like you followed these steps completely since documentation requirements are mentioned here. 6) Please explain why you are removing lines from gui/gdmsetup.c in your patch. This doesn't seem related to this bug report.
I think the two options suggested in the initial post in this bug report are a good start. I would like to add some comments on this from a home user point of view. We run a family network with 5 Gentoo machines. Everyone uses Gnome. Recently I was in the process of doing updates on one machine. I was logged in using ssh and while some critical libraries were just being updated by the emerge command my son decided to reboot his machine from his Gnome desktop into Windows to play a game. The loading of these new libraries was not finished and when we tried to go back to Linux the GDM screen was broken and it was not possible for anyone to log in and use Gnome at all. (Or much of anything else.) Fortunately I was able to go to a console and start rebuilding things so eventually, after about 6 hours, the machine came back up. As a home admin I do not like that the standard Gnome System menu effectively grants access to root level commands shutdown and reboot without access to root's password. I would like to see a configuration option that would allow me to remove this from certain users' accounts, or even all user accounts. However, even if the System menu was made configurable and I have reconfigured the System menu to remove the Shutdown entry I'm still not out of trouble since GDM itself grants a normal user access to the shutdown and reboot commands without any password protection and without ensuring that no other users are logged on. To address this I can envision a number of possible improvements to GDM: 1) I think the most important issue here is helping a non-root user understand whether other users are currently logged into this machine. GDM could display a list of users currently logged in and would either not allow shutdown or reboot until they log out or would at a minimum issue a warning saying something like "Are you sure you want to shutdown? Other people are currently logged into and using this machine. By shutting down you may harm their work." This is generally what Windows XP does. It works OK but does depend on everyone wanting to get along. 2) Another possibility would be to create a special group of users that are granted the right to shutdown a machine. When someone attempts to shutdown from GDM they essentially have to log in with their account and password. This would only be safe however if they know that no one else is logged in which requires more command line knowledge than my family currently has. (They are trainable though!) 3) Completely remove reboot and shutdown from GDM and require root to log in to execute the shutdown. Good for some environments but it wouldn't work in my household. All in all we are quite happy with Gnome these days. Thanks.
I agree with you that these features would be nicer if they were more configurable. I don't understand your comment "even if the System menu was made configurable... I'm still not out of trouble since GDM itself grants a normal user access to the shutdown and reboot commands". I don't think this is true. If you set SystemMenu=false, or if you configure the RebootCommand, HaltCommand, SuspendCommand to empty, then these choices should disappear completely from GDM and also from the gnome-panel when users log in (since gnome-panel simply interfaces with GDM to make these choices available). I'm not sure why you say these choices are still present if you configure GDM to make them not present. I agree with what you say about #1. Note bug #172600 already asks for this enhancement. Regarding #2, there are a few approaches that could be taken. - Perhaps GDM could be enhanced to ask the user to enter the root password before allowing the user to select these features, much like it does when you ask to "configure the login program". Whether GDM asks for root password could be configurable, so users who want this extra protection could turn it on, and other users could leave it working as-is. - Perhaps GDM could be configured to not display the choices on the login screen, but allow certain users to access the feature from gnome-panel. Regarding #3, I think if you set SystemMenu=false, or set RebootCommand, HaltCommand, SuspendCommand to empty that you can get GDM to work this way already. I would accept a patch that made these options work in nicer and more configurable ways.
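The comment above describes the two GDM 2.x settings that remove the unauthenticated shutdown/reboot/suspend choices from the login screen: SystemMenu=false, or empty HaltCommand/RebootCommand/SuspendCommand values. The following audit script is an added example, not code from GDM or from this bug report; it parses a gdm.conf-style file and reports which of those commands are still reachable from the greeter. It assumes the INI-like layout of gdm.conf (the commands under [daemon], SystemMenu under [greeter]) but searches every section so it does not break if a site moves keys; keys absent from the file fall back to GDM's compiled-in defaults, which it does not check.

```python
"""Audit a GDM 2.x configuration for shutdown/reboot/suspend choices that are
reachable from the login screen without authentication (added example)."""
import configparser
from typing import List, Optional

# Keys named in the bug thread. An empty value removes the choice from the
# greeter; a non-empty value is a ';'-separated list of candidate commands.
COMMAND_KEYS = ("HaltCommand", "RebootCommand", "SuspendCommand")


def parse_gdm_conf(text: str) -> configparser.ConfigParser:
    # gdm.conf is INI-like; keep key case (configparser lowercases by default)
    # and disable '%' interpolation so command strings are taken literally.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # type: ignore[assignment]
    cp.read_string(text)
    return cp


def lookup(cp: configparser.ConfigParser, key: str) -> Optional[str]:
    # Search all sections so the audit does not depend on section placement.
    for section in cp.sections():
        if cp.has_option(section, key):
            return cp.get(section, key).strip()
    return None


def audit_gdm_conf(text: str) -> List[str]:
    """Return one finding per system command still offered by the greeter."""
    cp = parse_gdm_conf(text)
    system_menu = lookup(cp, "SystemMenu")
    # SystemMenu=false hides the whole menu, so nothing below is reachable.
    if system_menu is not None and system_menu.lower() == "false":
        return []
    findings = []
    for key in COMMAND_KEYS:
        value = lookup(cp, key)
        if value:  # present and non-empty: choice shown on the login screen
            findings.append(f"{key}={value}: selectable at the greeter before login")
    return findings


# Constructed sample configs (not real site files) for a quick run.
WEAK_CONF = """[daemon]
HaltCommand=/sbin/poweroff;/sbin/shutdown -h now
RebootCommand=/sbin/reboot;/sbin/shutdown -r now
SuspendCommand=
[greeter]
SystemMenu=true
"""
HARDENED_CONF = WEAK_CONF.replace("SystemMenu=true", "SystemMenu=false")
```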
QUOTE: I don't understand your comment "even if the System menu was made configurable... I'm still not out of trouble since GDM itself grants a normal user access to the shutdown and reboot commands". My concern here is not really that I want to stop my son from rebooting his computer. The machine is dual boot and he should be able to go to Windows to play a game once in a while. My issue is that he is not currently warned that I am logged on and by rebooting he is hurting my work. (Either as a user when I am working remotely in my own account on his machine or as root when I am doing updates.) Reboot/shutdown certainly needs to 'exist' on the login screen. However I'm not always home when he wants to reboot and I don't want to stop him completely. I'm only suggesting that he be warned that I'm logged in remotely so that he understands he'd be causing a problem.
Note that this problem only affects the shutdown/suspend/reboot commands available on the GDM login screen. When you run these options from gnome-panel it uses the SAFE_LOGOUT_ACTION command so that the shutdown/suspend/reboot should happen only after all users logout. But when you run these options from the GDM login screen it does the action right away. It would also be good if GDM supported a configuration option to disable these features from the login screen and only make them available via the gdmflexiserver command (which gnome-panel also uses). This way users would only be able to shutdown/suspend/reboot after authentication rather than just being able to walk up to the machine and shut it down without authentication.
I fixed GDM 2.19 so that you can configure GDM not to display the system commands from the GDM login screen, but only via the gdmflexiserver SET_LOGOUT_ACTION/SET_SAFE_LOGOUT_ACTION. Since GNOME Panel uses SET_SAFE_LOGOUT_ACTION, disabling these in the GDM GUI and only allowing users to shutdown/reboot via the GNOME application menu would therefore resolve your issue and never cause the system to logout if any user is logged in. I realize this doesn't fully resolve the issue, but bug #172600 already exists highlighting the need for a confirmation pop-up telling the user that other users are logged in when reboot/shutdown/suspend are selected. I updated that bug to also mention it might be good to make these options use the SET_SAFE_LOGOUT_ACTION. I'm therefore closing this bug as FIXED since bug #172600 already discusses the remaining issues.