Red Hat Bugzilla – Bug 529644
shutdown/reboot offered even when not allowed by ConsoleKit (e.g. via vnc session)
Last modified: 2010-03-05 08:38:41 EST
Description of problem:
If I start vncserver on my computer, and run the default session, which is KDE for me, the K menu has options to Shutdown and Reboot the computer. But I cannot restart or shutdown the computer this way, it only logs out the session.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. install a KDE-only (ahem) system
2. install tigervnc-server
3. run vncserver for the first time to generate the configfile
4. kill vncserver
5. edit ~/.vnc/xstartup so that startkde gets run
6. run vncserver
7. connect to the vnc server
8. within the vnc session, try to shutdown the computer via the menu
the KDE session is logged out, but the computer is not shut down
the session is logged out and the computer is shut down
I report this here and not upstream because I'm not sure if some Fedora-specific configuration is not at fault here. What I recall from KDE3, I think the options to shutdown and reboot weren't displayed at all when the session was run under vnc server (?)
By default, only local (ie non-remote) sessions are allowed to do restart/shutdown. Not sure if it's kdm's config or ConsoleKit getting you here.
I think it's the latter, but... I'm not sure how to configure that off the top of my head.
KDE uses KDM to shut down if it's present, ConsoleKit otherwise. So if you're running KDM, the relevant setting is KDM's, but if you're running either GDM or no display manager at all, ConsoleKit and its PolicyKit settings are relevant.
(In reply to comment #1)
> By default, only local (ie non-remote) sessions are allowed to do
ok, so this would explain what I remember about KDE3 - now the question is, why KDE4 is not aware of this and still it displays those menu entries that should be disabled
(In reply to comment #2)
> KDE uses KDM to shut down if it's present, ConsoleKit otherwise. So if you're
> running KDM, the relevant setting is KDM's, but if you're running either GDM or
> no display manager at all, ConsoleKit and its PolicyKit settings are relevant.
just to clarify - do you mean *any* KDM running?
- like when the system is started, I get to the login screen provided by KDM; I do not log in via this, but ssh from another machine as an ordinary user and start the vncserver ... then the KDM is running on the machine, but shouldn't have any influence on what runs under vncserver, or not?
SSH logins are not using any display manager, so you'll need ConsoleKit shutdown privileges.
Why it still displays the shutdown option is that when I wrote the patch for ConsoleKit shutdown, there was no way to query it if shutdown is possible. Current versions now support such an API, so I should update my patch.
As I understand this, the behavior here is by design (both kdm's and ConsoleKit). (NOTABUG)
I suppose the feature to not show Shutdown if permissions deny it can be considered an upstream feature request.
Uh, no, it's just a missing check in my ck-shutdown patch. As I said, at the time I wrote it, the necessary API was missing in ConsoleKit. I need to add this.
To be clear, the bug there is that the options are shown when they should not be.
If you want to allow shutting down over VNC, you'll need to modify the security policies, this is not allowed by default by design.
I fixed this for Rawhide in 4.2.95-2.fc13. Releases will get the fix with 4.4 at the latest, we may be pulling this into the 4.3.5 update set or push it as a separate update though.
Oops, I mean 4.3.95-2.fc13.
(In reply to comment #6)
> Uh, no, it's just a missing check in my ck-shutdown patch. As I said, at the
> time I wrote it, the necessary API was missing in ConsoleKit. I need to add
pardon my ignorance, but what is the purpose of the patch, shouldn't go these changes upstream anyways?
(In reply to comment #8)
> Releases will get the fix with 4.4 at the latest, ...
does that mean that we'll get 4.4 (with the fix) in F12?
(hm, I really should pay more attention to news - what's cooking, or maybe start eating some pills for memory ...)
> pardon my ignorance, but what is the purpose of the patch
Without that patch, you can't shutdown/restart at all if you use the latest GDM or some DM-less solution (e.g. startx), even if the PolicyKit policies for ConsoleKit allow it (by default, this is the case for locally logged-in users when no other user is logged in, but not for remote logins like VNC).
> shouldn't go these changes upstream anyways?
Uh, yes… ;-)
> does that mean that we'll get 4.4 (with the fix) in F12?
The plan is to push 4.4 as an update to F12 and F11.
But you won't have to wait that long for this fix, I applied it to 4.3.5-2.fc12 and 4.3.5-2.fc11 now, so it will be fixed with the 4.3.5 update set.
kde-settings-4.3-16.1, kdebase-workspace-4.3.5-2.fc12, kdelibs-4.3.5-2.fc12, kdebase-4.3.5-3.fc12, kdeaccessibility-4.3.5-1.fc12, kdeadmin-4.3.5-1.fc12, kdeartwork-4.3.5-1.fc12, kdebase-runtime-4.3.5-2.fc12, kdebindings-4.3.5-1.fc12, kdeedu-4.3.5-1.fc12, kdegames-4.3.5-1.fc12, kdegraphics-4.3.5-1.fc12, kdemultimedia-4.3.5-1.fc12, kdenetwork-4.3.5-1.fc12, kdepim-4.3.5-1.fc12, kdepim-runtime-4.3.5-1.fc12, kdeplasma-addons-4.3.5-1.fc12, kdesdk-4.3.5-1.fc12, kdetoys-4.3.5-1.fc12, kdeutils-4.3.5-1.fc12, kde-l10n-4.3.5-1.fc12, oxygen-icon-theme-4.3.5-1.fc12, strigi-0.7.1-1.fc12, kdelibs-experimental-4.3.5-1.fc12, kdepimlibs-4.3.5-1.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
kde-settings-4.2-16.1, kdebase-workspace-4.3.5-2.fc11, kdelibs-4.3.5-2.fc11, kdebase-4.3.5-3.fc11, kdeaccessibility-4.3.5-1.fc11, kdeadmin-4.3.5-1.fc11, kdeartwork-4.3.5-1.fc11, kdebase-runtime-4.3.5-2.fc11, kdebindings-4.3.5-1.fc11, kdeedu-4.3.5-1.fc11, kdegames-4.3.5-1.fc11, kdegraphics-4.3.5-1.fc11, kdemultimedia-4.3.5-1.fc11, kdenetwork-4.3.5-1.fc11, kdepim-4.3.5-1.fc11, kdepim-runtime-4.3.5-1.fc11, kdeplasma-addons-4.3.5-1.fc11, kdesdk-4.3.5-1.fc11, kdetoys-4.3.5-1.fc11, kdeutils-4.3.5-1.fc11, kde-l10n-4.3.5-1.fc11, oxygen-icon-theme-4.3.5-1.fc11, strigi-0.7.1-1.fc11, kdelibs-experimental-4.3.5-1.fc11, kdepimlibs-4.3.5-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
Oops, it turns out this doesn't work properly in F11, see bug 562851. I'll have to revert the change for F11, it will be fixed only from F12 upwards.
looks good, thanks
well, it still allows suspend/hibernate - and it works, I've just killed one remote machine, oops :-)