Red Hat Bugzilla – Bug 1269726
add a new EnforceInhibitors=(unprivileged|global) option to logind.conf to extend inhibitor lock enforcement to root
Last modified: 2018-06-01 11:19:13 EDT
Inhibitor locks are awesome. While one user is in the middle of something, we can prevent some non-root user with console access from rebooting, sleeping, shutting down. Awesome.
Unfortunately, the vast majority of server installations never have physical logins; it's most common that users only log in over ssh. So:
1) Users log in over ssh
2) Non-root users don't get magic power to reboot over ssh; therefore, non-root users understand that they always need root access to reboot
3) So non-root users always use su/sudo to reboot the machine, making inhibitor locks useless
See where I'm going with this? What if we could also warn root users that try to, e.g., reboot when block-locks are present? Use case:
1) Multiple users have sudo access
2) One user uses sudo systemd-inhibit to start some important process that should not be interrupted ... or maybe they're simply doing package-management operations
3) Another user comes in, runs into an issue and decides to sudo reboot, but instead of rebooting, thankfully, the command errors out with a warning and explanation (with a hint that systemctl reboot --ignore-inhibitors could be used)
Of course you can use /run/nologin to prevent new logins, but that doesn't help if someone has already su'd over to root. It just doesn't cover enough cases. This is a valid new feature that would be welcomed by many sysadmins.
See upstream RFE, including positive comment from LP:
See this comment from LP in a related pull request:
There, he says:
> I would prefer if this would be an option only, not a change of defaults.
> And then it should be enforced by logind, and systemctl would have to
> query the setting from logind and show the inhibitor list depending on
> what it exposes.
> Or in other words, I think the patch needs to be more complex:
> 1. logind.conf should gain a new setting EnforceInhibitors= which should
> take an enum, with currently two possible values: "unprivileged" (which
> would be the default and identical to the old behaviour), "global" (which
> would be the new added option, and extend inhibitor enforcement to root).
> 2. this setting should be taken into account for all relevant polkit
> checks by logind
> 3. logind should expose this setting as bus property on its Manager
> 4. systemctl should read the prop before showing the inhibitor list, and
> show it even for root if the setting is "global".
> 5. the man pages need to be updated to document the new setting.
This still needs to be implemented in upstream. Nothing we can do for rhel-7.5.