Bug 1269726
Summary: | extend inhibitor lock enforcement to root | |||
---|---|---|---|---|
Product: | Red Hat Enterprise Linux 8 | Reporter: | Ryan Sawhill <rsawhill> | |
Component: | systemd | Assignee: | Jacek Migacz <jmigacz> | |
Status: | CLOSED ERRATA | QA Contact: | Frantisek Sumsal <fsumsal> | |
Severity: | medium | Docs Contact: | Prerana Sharma <presharm> | |
Priority: | medium | |||
Version: | 8.0 | CC: | apmukher, bugzilla, dchong, dshaw, dtardon, fhirtz, fsumsal, jbreitwe, jmigacz, joedward, ktordeur, kwalker, lnykryn, mark, mschorm, mschorm, msekleta, pdwyer, rsawhill, systemd-maint-list, todoleza | |
Target Milestone: | rc | Keywords: | FutureFeature, Triaged | |
Target Release: | --- | |||
Hardware: | All | |||
OS: | Linux | |||
Whiteboard: | ||||
Fixed In Version: | systemd-239-50.el8 | Doc Type: | Enhancement | |
Doc Text: | Story Points: | --- | ||
Clone Of: | ||||
: | 2021309 | Environment: | |
Last Closed: | 2021-11-09 19:54:49 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | ||||
Bug Blocks: | 1203710, 1297395, 1298243, 1420851, 1466365, 1549617, 1551061, 1643104, 2021309 |
Description
Ryan Sawhill
2015-10-08 05:22:45 UTC
This still needs to be implemented in upstream. Nothing we can make to rhel-7.5

for the record: a patch is on review upstream: https://github.com/systemd/systemd/pull/9356

(In reply to David Tardon from comment #7)
> for the record: a patch is on review upstream:
> https://github.com/systemd/systemd/pull/9356

Seems like this is stalled upstream. Moving to rhel-7.7.

(In reply to Ryan Sawhill from comment #0)
Hello Ryan, I stumbled upon the same problem on my Fedora 29 server.

Would you be willing to share your current workaround for this issue, so I wouldn't re-invent the wheel?

--

Currently:
* The root will ignore the inhibitor locks.
* Regular user can't use `wall`:

    [regular-user@SERVER ~]$ systemctl suspend -i
    ==== AUTHENTICATING FOR org.freedesktop.login1.set-wall-message ====
    Authentication is required to set a wall message
    Authenticating as: root
    Password:

* While the Debian / Ubuntu has "/usr/bin/wall" set with gid bit for group "tty", so you can just add the user there, on Fedora it is "-rwxr-xr-x. root root", so you can't do that.
* And even if the previous point was changed manually and it wouldn't break anything else, I heard somewhere, that systemd has its own implementation of `wall`, so it won't help anyway.
* One can update sudoers (as suggested on ArchLinux wiki), allowing regular user to use "/usr/bin/systemctl suspend". However the command will be run under root anyway, ignoring inhibitor locks again.
* Polkit can't be used on headless server which does not have it at all. (As suggested on some Ubuntu forum)

I also probably didn't understand what inhibitor locks are good for in the current implementation, because regular users can't invoke commands which work with them (shutdown, reboot, suspend, ...) and root user ignores them.

(In reply to Michal Schorm from comment #11)
> Hello Ryan, I stumbled upon the same problem on my Fedora 29 server.
>
> Would you be willing to share your current workaround for this issue, so I
> wouldn't re-invent the wheel?

Many moons ago, I wrote reboot-guard (https://github.com/ryran/reboot-guard) for a customer (and myself), in lieu of this fix. Warning: while I'm a redhatter, reboot-guard is not a Red Hat product and should of course be considered as 3rd-party unsupported software. Any questions/feedback should go to the issue-tracker on github.

Is there any upstream (Fedora? or Systemd?) tracker for this issue / feature request? If it doesn't exist, can you create it? Can you link it to this BZ? What's the overall status on the upstream side?

(In reply to Michal Schorm from comment #13)
> Is there any upstream (Fedora? or Systemd?) tracker for this issue / feature
> request?

Yes, there is.

> What's the overall status on the upstream side?

I implemented the config. option proposed here, but the patch was rejected. Nothing has changed since then. Also, moving this to RHEL-8 as there won't be any further feature backports for RHEL-7.

fix merged to github master branch -> https://github.com/redhat-plumbers/systemd-rhel8/pull/194

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (systemd bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:4469
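The gap described in comment #11 (a `systemctl suspend` run as root, for example through sudoers, ignores block inhibitor locks) can be narrowed on hosts without the fix by asking logind for its active block locks before calling systemctl. The wrapper below is an added example, not code from this bug, from systemd, or from reboot-guard; the function names are hypothetical, and it assumes `busctl` is installed and that logind exposes the `BlockInhibited` property.

```shell
#!/bin/sh
# Added example (hypothetical helper names): honour block-mode inhibitor locks
# even when the caller is root, by asking logind before calling systemctl.

# Map a systemctl verb to the inhibitor lock type that guards it.
# Prints nothing for verbs that no lock type covers (e.g. "status").
lock_type_for() {
    case "$1" in
        poweroff|reboot|halt|kexec) echo shutdown ;;
        suspend|hibernate|hybrid-sleep|suspend-then-hibernate) echo sleep ;;
    esac
}

# is_blocked VERB BLOCK_INHIBITED
# BLOCK_INHIBITED is the colon-separated lock list, e.g. "shutdown:sleep".
# Returns 0 only if the exact lock type for VERB is in the list.
is_blocked() {
    want=$(lock_type_for "$1")
    [ -n "$want" ] || return 1
    case ":$2:" in
        *":$want:"*) return 0 ;;
        *) return 1 ;;
    esac
}

# busctl prints string properties as: s "shutdown:sleep" ; strip the wrapper.
strip_busctl_string() {
    v=${1#'s "'}
    v=${v%'"'}
    printf '%s\n' "$v"
}

# guarded_systemctl VERB [ARGS...]: fail closed if logind cannot be queried.
guarded_systemctl() {
    raw=$(busctl get-property org.freedesktop.login1 /org/freedesktop/login1 \
        org.freedesktop.login1.Manager BlockInhibited) || {
        echo "cannot query logind, refusing '$1'" >&2; return 2; }
    state=$(strip_busctl_string "$raw")
    if is_blocked "$1" "$state"; then
        echo "refusing '$1': block inhibitor active ($state)" >&2
        systemd-inhibit --list >&2
        return 1
    fi
    systemctl "$@"
}

# Run only when invoked with arguments, e.g.: sudo ./guard.sh suspend
if [ "$#" -gt 0 ]; then guarded_systemctl "$@"; fi
```

The check and the systemctl call are not atomic, so a lock taken in between is still missed, and the wrapper only protects invocations that go through it; a sudoers rule should point at the wrapper rather than at `/usr/bin/systemctl`.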