我使用的是 Ubuntu 16.04。
有一个文件/usr/share/polkit-1/actions/org.freedesktop.login1.policy
似乎控制有关关闭/挂起/休眠选项的权限。
在该文件中,相关选项的格式如下:
<defaults>
<allow_any>no</allow_any>
<allow_inactive>auth_admin_keep</allow_inactive>
<allow_active>yes</allow_active>
</defaults>
对应于每个操作(关闭、暂停等)。
这里是该文件的完整版本。
allow_any
我想知道和allow_inactive
选项的含义allow_active
。
它们到底是什么意思?
我好奇的原因是我想在没有 root 的情况下非交互地休眠(来自 cron),但是我得到了授权错误。
看来这些错误可以通过修改这个文件来解决。
答案1
尤其是这一部分:
默认标签是权限或缺乏权限所在的位置。
它包含三个设置:allow_any
、allow_inactive
和allow_active
。
非活动会话通常是远程会话(SSH、VNC 等),而活动会话则通过 TTY 或 X 显示器直接记录到计算机中。
allow_any
是包含这两种情况的设置。对于每个设置,都可以使用以下选项:
no: The user is not authorized to carry out the action. There is therefore no need for authentication. yes: The user is authorized to carry out the action without any authentication. auth_self: Authentication is required but the user need not be an administrative user. auth_admin: Authentication as an administrative user is require. auth_self_keep: The same as auth_self but, like sudo, the authorization lasts a few minutes. auth_admin_keep: The same as auth_admin but, like sudo, the authorization lasts a few minutes.
还,这里是 polkit 的官方手册页。
通过将actions和下的标签内的更改no
为,可以从 cron 打开休眠功能。 yes
allow_any
org.freedesktop.login1.hibernate
org.freedesktop.login1.hibernate-multiple-sessions
但这不是推荐的解决方案因为它可以在将来的升级过程中被删除。
相反,您可以创建一个包含以下内容的文件:
[Enable hibernate to be run via cron]
Identity=unix-user:*
Action=org.freedesktop.login1.hibernate;org.freedesktop.login1.hibernate-multiple-sessions
ResultAny=yes
com.0.enable-hibernation-from-cron.pkla
在目录中命名/etc/polkit-1/localauthority/50-local.d/
可以达到同样的效果。
visudo
给出了更好的解决方案这里。
答案2
来自部分宣布行动的polkit - 授权框架:
默认值
This element is used to specify implicit authorizations for clients. Elements that can be used inside defaults includes: allow_any Implicit authorizations that apply to any client. Optional. allow_inactive Implicit authorizations that apply to clients in inactive sessions on local consoles. Optional. allow_active Implicit authorizations that apply to clients in active sessions on local consoles. Optional. Each of the allow_any, allow_inactive and allow_active elements can contain the following values: no Not authorized. yes Authorized. auth_self Authentication by the owner of the session that the client originates from is required. auth_admin Authentication by an administrative user is required. auth_self_keep Like auth_self but the authorization is kept for a brief period. auth_admin_keep Like auth_admin but the authorization is kept for a brief period.
我希望这能让你清楚。
答案3
在 Debian sid 中,这对我有用:
在
/etc/polkit-1/rules.d/cron-suspend.rules
文件中添加:polkit.addRule(function(action, subject) { if (subject.user == "my-user" && (action.id == "org.freedesktop.login1.suspend" || action.id == "org.freedesktop.login1.suspend-multiple-session")) { return polkit.Result.YES; } });
重新启动服务:
systemctl restart polkit
OBS:如果需要的话更改suspend
为hibernete
。