polkit rule fails to prevent shutdown/reboot

I am trying to prevent rebooting a Debian 11 machine from the KDE start menu. However, the following policy does not work:

[michael@vps /etc/polkit-1/rules.d]> cat /etc/polkit-1/rules.d/10-admin-shutdown-reboot.rules 
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.login1.power-off" ||
        action.id == "org.freedesktop.login1.power-off-ignore-inhibit" ||
        action.id == "org.freedesktop.login1.power-off-multiple-sessions" ||
        action.id == "org.freedesktop.login1.reboot" ||
        action.id == "org.freedesktop.login1.reboot-ignore-inhibit" ||
        action.id == "org.freedesktop.login1.reboot-multiple-sessions" ||
        action.id == "org.freedesktop.login1.set-reboot-parameter" ||
        action.id == "org.freedesktop.login1.set-reboot-to-firmware-setup" ||
        action.id == "org.freedesktop.login1.set-reboot-to-boot-loader-menu" ||
        action.id == "org.freedesktop.login1.set-reboot-to-boot-loader-entry" ||
        action.id == "org.freedesktop.login1.suspend" ||
        action.id == "org.freedesktop.login1.suspend-ignore-inhibit" ||
        action.id == "org.freedesktop.login1.suspend-multiple-sessions" ||
        action.id == "org.freedesktop.login1.hibernate" ||
        action.id == "org.freedesktop.login1.hibernate-ignore-inhibit" ||
        action.id == "org.freedesktop.login1.hibernate-multiple-sessions"
    ) {
        return polkit.Result.AUTH_ADMIN;
    }
});

Running

pkcheck -u -p $$ -a org.freedesktop.login1.reboot; echo $?

returns 2 (expected) when run in an ssh session, but returns 0 on the physical machine when logged in via SDDM. What is wrong with my configuration?

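Answer 1

The polkit package in Debian 11 and earlier does not support JavaScript-based rules. Debian maintains a patch that replaces the JavaScript rule engine with the older .pkla configuration format.

In that format, the rule would look like this: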

[Require authentication for shutdown]
Identity=unix-user:*
Action=org.freedesktop.login1.power-off*;org.freedesktop.login1.reboot*
ResultAny=auth_admin
ResultInactive=auth_admin
ResultActive=auth_admin

See pklocalauthority(8) for documentation of the format.
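An added example, not part of the original answer: a Python check that compares the Action globs of the .pkla entry above with the action ids listed in the question's JavaScript rule and reports which ones the entry leaves at their default. It is a simplified model, not polkit's own matcher: `*` is assumed to behave like fnmatch, Identity is ignored, the last matching entry is assumed to win, and the function names are hypothetical.

```python
import configparser
from fnmatch import fnmatchcase

# The .pkla entry from the answer above, embedded so the check runs offline.
PKLA = """\
[Require authentication for shutdown]
Identity=unix-user:*
Action=org.freedesktop.login1.power-off*;org.freedesktop.login1.reboot*
ResultAny=auth_admin
ResultInactive=auth_admin
ResultActive=auth_admin
"""

# Action ids from the JavaScript rule in the question.
PREFIX = "org.freedesktop.login1."
QUESTION_ACTIONS = [PREFIX + s for s in (
    "power-off", "power-off-ignore-inhibit", "power-off-multiple-sessions",
    "reboot", "reboot-ignore-inhibit", "reboot-multiple-sessions",
    "set-reboot-parameter", "set-reboot-to-firmware-setup",
    "set-reboot-to-boot-loader-menu", "set-reboot-to-boot-loader-entry",
    "suspend", "suspend-ignore-inhibit", "suspend-multiple-sessions",
    "hibernate", "hibernate-ignore-inhibit", "hibernate-multiple-sessions",
)]

def load_entries(text):
    """Parse .pkla text into one dict per [section], preserving key case."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return [dict(cp[name]) for name in cp.sections()]

def result_for(entries, action, session="Active"):
    """Result for session 'Any', 'Inactive' or 'Active'; None if unmatched."""
    # Assumptions: fnmatch-style '*', Identity ignored, last match wins.
    # None means the action's own default policy stays in force.
    result = None
    for entry in entries:
        globs = [g for g in entry.get("Action", "").split(";") if g]
        if any(fnmatchcase(action, g) for g in globs):
            result = entry.get("Result" + session, result)
    return result

def uncovered(entries, actions, session="Active"):
    """Actions that no entry matches for the given session type."""
    return [a for a in actions if result_for(entries, a, session) is None]

if __name__ == "__main__":
    for action in uncovered(load_entries(PKLA), QUESTION_ACTIONS):
        print("not covered:", action)
```

Under this model, the entry covers the six power-off and reboot actions, while the suspend, hibernate and set-reboot-* ids from the question are not matched by either glob.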

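Answer 2

The hanging GUI seems to come from a missing authentication agent. I used return polkit.Result.NO; and it works as expected. I also removed the packages pkexec, policykit-1 and polkitd-pkla.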
