liontooth
Posts: 7
Joined: Sun Oct 02, 2016 8:15 pm

Allow user to reboot

Fri Jun 22, 2018 9:55 am

Hi -

I've tried giving a non-admin nopasswd rights to reboot in visudo, but no dice:

Failed to set wall message, ignoring: Interactive authentication required.
Failed to reboot system via logind: Interactive authentication required.
Failed to open /dev/initctl: Permission denied
Failed to talk to init daemon.

Can someone please give me a working way to allow a non-root user to reboot the system in a script?

Cheers,
David

DougieLawson
Posts: 34166
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK
Contact: Website

Re: Allow user to reboot

Fri Jun 22, 2018 10:35 am

There's a program in the desktop GUI that lets you do that. You could hack that to work from a script.

https://github.com/lxde/lxsession/tree/ ... ion-logout

/* Handler for "clicked" signal on Reboot button. */
static void reboot_clicked(GtkButton * button, HandlerContext * handler_context)
{
    GError *err = NULL;
    gtk_label_set_text(GTK_LABEL(handler_context->error_label), NULL);

    if (handler_context->ltsp)
    {
        change_root_property(GTK_WIDGET(button), "LTSP_LOGOUT_ACTION", "REBOOT");
        if (handler_context->lxsession_pid != 0)
        {
            kill(handler_context->lxsession_pid, SIGTERM);
        }
    }
    else if (handler_context->reboot_ConsoleKit)
        dbus_ConsoleKit_Reboot(&err);
    else if (handler_context->reboot_systemd)
        dbus_systemd_Reboot(&err);

    if (err)
    {
        gtk_label_set_text(GTK_LABEL(handler_context->error_label), err->message);
        g_error_free(err);
    }
    else
    {
        gtk_main_quit();
    }
}

Microprocessor, Raspberry Pi & Arduino Hacker
Mainframe database troubleshooter
MQTT Evangelist
Twitter: @DougieLawson

2012-18: 1B*5, 2B*2, B+, A+, Z, ZW, 3Bs*3, 3B+

Any DMs sent on Twitter will be answered next month.

liontooth
Posts: 7
Joined: Sun Oct 02, 2016 8:15 pm

Re: Allow user to reboot

Fri Jun 22, 2018 10:42 am

Thank you! That's a really GUI-centered script -- I'm not even running a GUI.

Why isn't the sudoer approach working? What's telling systemd to ignore sudoers?

A simple reboot works fine for user root; what does it take to give a non-root user that right?

Cheers,
David

DougieLawson
Posts: 34166
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK
Contact: Website

Re: Allow user to reboot

Fri Jun 22, 2018 10:55 am

Hack the GUI code, you don't need a GUI to post a dbus reboot() request.

https://www.freedesktop.org/wiki/Softwa ... md/logind/
https://www.freedesktop.org/wiki/Software/systemd/dbus/

rpdom
Posts: 12945
Joined: Sun May 06, 2012 5:17 am
Location: Ankh-Morpork

Re: Allow user to reboot

Fri Jun 22, 2018 11:05 am

What have you tried so far in sudoers?

Using the dbus call route seems to be overcomplicating things when a simple "sudo reboot" should work with the right parameters in a sudoers file.

mfa298
Posts: 1352
Joined: Tue Apr 22, 2014 11:18 am

Re: Allow user to reboot

Fri Jun 22, 2018 12:06 pm

liontooth wrote:
Fri Jun 22, 2018 9:55 am
I've tried giving a non-admin nopasswd rights to reboot in visudo, but no dice:

Failed to set wall message, ignoring: Interactive authentication required.
Failed to reboot system via logind: Interactive authentication required.
Failed to open /dev/initctl: Permission denied
Failed to talk to init daemon.

Can someone please give me a working way to allow a non-root user to reboot the system in a script?

Those errors look like reboot was called without sudo. As the user you would still need to issue

sudo reboot
If that doesn't work maybe post your sudoers rule so someone else can check it.

liontooth
Posts: 7
Joined: Sun Oct 02, 2016 8:15 pm

Re: Allow user to reboot

Fri Jun 22, 2018 12:38 pm

sudoers file -- I want to give user csa permission to reboot the system in a script, preferably specifying just the commands needed.

For testing, I also tried

csa ALL=(ALL) NOPASSWD:ALL

These additions appear to have no effect on the ability to reboot without providing a password.

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification -- failed attempts to allow user csa to reboot
csa ALL = NOPASSWD: /sbin/reboot, /sbin/shutdown
#%csa ALL=NOPASSWD: /bin/systemctl reboot

# Cmnd alias specification

# User privilege specification
root ALL=(ALL:ALL) ALL

# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

liontooth
Posts: 7
Joined: Sun Oct 02, 2016 8:15 pm

Re: Allow user to reboot

Sat Jun 23, 2018 12:04 am

I used

sudo -l

to see the results of changing the sudoers file and discovered a file in /etc/sudoers.d that gave user csa rights with a password; since it was included at the end, it overrode the rights given inside the sudoers file. Once I had commented out user csa in the /etc/sudoers.d file, these lines in sudoers work fine for rebooting without passwords and every other command interactively with passwords:

csa ALL=(ALL:ALL) ALL
csa ALL = NOPASSWD: /sbin/reboot

The order matters; if the permission to run reboot without a password is placed before the permission to run all commands with a password, only the latter will have an effect and the script will fail.

Thank you all for your help; I'm happy to discover the logic of the sudoers file is in fact still intact.

Cheers,
David
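
Added example, not part of the thread: a simplified Python model of the "last matching rule wins" behaviour described in the post above, showing both the drop-in override and the ordering of the two csa lines. It ignores host lists, Runas specs, aliases, groups and wildcards; the drop-in file name and its content are assumptions, since the thread does not show them.

```python
import re

# Simplified model of sudoers evaluation: rules are read top to bottom, files
# pulled in by "#includedir" come after the main file, and the LAST match wins.
RULE = re.compile(r"^(?P<who>\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(?P<cmds>.+)$")
TAG = re.compile(r"^(NOPASSWD|PASSWD)\s*:\s*(.*)$")

def parse(text, source):
    """Yield (who, tag, command, source) for every command in every user rule."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = RULE.match(line)
        if not m:
            continue
        tag = "PASSWD"  # sudo's default: authentication required
        for cmd in m.group("cmds").split(","):
            t = TAG.match(cmd.strip())
            if t:  # a tag applies to this command and the ones after it
                tag, cmd = t.group(1), t.group(2)
            yield m.group("who"), tag, cmd.strip(), source

def read_order(main, dropins):
    """Main file first, then drop-ins in sorted file-name order."""
    return [("/etc/sudoers", main)] + sorted(dropins.items())

def resolve(user, command, files):
    """Return (tag, source) of the last rule matching user and command, else None."""
    verdict = None
    for source, text in files:
        for who, tag, cmd, src in parse(text, source):
            if who == user and cmd in ("ALL", command):
                verdict = (tag, src)
    return verdict

# Constructed inputs. MAIN uses the rule from the thread; the drop-in name and
# content are assumed (the thread only says it gave csa rights with a password).
MAIN = "root ALL=(ALL:ALL) ALL\ncsa ALL = NOPASSWD: /sbin/reboot, /sbin/shutdown\n"
DROPIN = {"/etc/sudoers.d/example-csa": "csa ALL=(ALL:ALL) ALL\n"}
FIXED = "csa ALL=(ALL:ALL) ALL\ncsa ALL = NOPASSWD: /sbin/reboot\n"
REVERSED = "csa ALL = NOPASSWD: /sbin/reboot\ncsa ALL=(ALL:ALL) ALL\n"

if __name__ == "__main__":
    for label, files in (("drop-in overrides", read_order(MAIN, DROPIN)),
                         ("fixed order", read_order(FIXED, {})),
                         ("reversed order", read_order(REVERSED, {}))):
        print(label, resolve("csa", "/sbin/reboot", files))
```

On a real system, `sudo -l` (as used in the post) remains the authoritative check of what the parsed rules grant.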

rpdom
Posts: 12945
Joined: Sun May 06, 2012 5:17 am
Location: Ankh-Morpork

Re: Allow user to reboot

Sat Jun 23, 2018 6:55 am

I usually prefer to create new files for my customised entries in /etc/sudoers.d/ rather than edit the main /etc/sudoers file.

The reasoning behind this is that if the sudo package gets upgraded at any time, it may include changes to /etc/sudoers. It will notice that you have changed the file and ask you if you want to overwrite the file or keep the old one. By leaving the file as "stock", you won't be asked that question and your changes will be safe in /etc/sudoers.d/.
