文件说明 - org.freedesktop.login1.policy

tag-icon tag-icon systemd power-management shutdown authorization polkit
文件说明 - org.freedesktop.login1.policy

我使用的是 Ubuntu 16.04。

有一个文件/usr/share/polkit-1/actions/org.freedesktop.login1.policy似乎控制有关关闭/挂起/休眠选项的权限。

在该文件中,相关选项的格式如下:

<defaults>
  <allow_any>no</allow_any>
  <allow_inactive>auth_admin_keep</allow_inactive>
  <allow_active>yes</allow_active>
</defaults>

对应于每个操作(关闭、暂停等)。
这里是该文件的完整版本。

allow_any我想知道和allow_inactive选项的含义allow_active
它们到底是什么意思?

我好奇的原因是我想在没有 root 的情况下非交互地休眠(来自 cron),但是我得到了授权错误

看来这些错误可以通过修改这个文件来解决。

答案1

这个链接包含由给出的信息另一个答案以更好的方式。

尤其是这一部分:

默认标签是权限或缺乏权限所在的位置。
它包含三个设置:allow_anyallow_inactiveallow_active
非活动会话通常是远程会话(SSH、VNC 等),而活动会话则通过 TTY 或 X 显示器直接记录到计算机中。
allow_any是包含这两种情况的设置。

对于每个设置,都可以使用以下选项:

no: The user is not authorized to carry out the action. There is therefore no need for authentication.
yes: The user is authorized to carry out the action without any authentication.
auth_self: Authentication is required but the user need not be an administrative user.
auth_admin: Authentication as an administrative user is require.
auth_self_keep: The same as auth_self but, like sudo, the authorization lasts a few minutes.
auth_admin_keep: The same as auth_admin but, like sudo, the authorization lasts a few minutes.

还,这里是 polkit 的官方手册页。

通过将actions和下的标签内的更改no为,可以从 cron 打开休眠功能。 yesallow_anyorg.freedesktop.login1.hibernateorg.freedesktop.login1.hibernate-multiple-sessions

但这不是推荐的解决方案因为它可以在将来的升级过程中被删除。

相反,您可以创建一个包含以下内容的文件:

[Enable hibernate to be run via cron]
Identity=unix-user:*
Action=org.freedesktop.login1.hibernate;org.freedesktop.login1.hibernate-multiple-sessions
ResultAny=yes

com.0.enable-hibernation-from-cron.pkla在目录中命名/etc/polkit-1/localauthority/50-local.d/可以达到同样的效果。

visudo给出了更好的解决方案这里

答案2

来自部分宣布行动polkit - 授权框架:

默认值

       This element is used to specify implicit authorizations for
       clients.

       Elements that can be used inside defaults includes:

       allow_any
           Implicit authorizations that apply to any client. Optional.

       allow_inactive
           Implicit authorizations that apply to clients in inactive
           sessions on local consoles. Optional.

       allow_active
           Implicit authorizations that apply to clients in active
           sessions on local consoles. Optional.

       Each of the allow_any, allow_inactive and allow_active elements can
       contain the following values:

       no
           Not authorized.

       yes
           Authorized.

       auth_self
           Authentication by the owner of the session that the client
           originates from is required.

       auth_admin
           Authentication by an administrative user is required.

       auth_self_keep
           Like auth_self but the authorization is kept for a brief
           period.

       auth_admin_keep
           Like auth_admin but the authorization is kept for a brief
           period.

我希望这能让你清楚。

答案3

在 Debian sid 中​​,这对我有用:

  1. /etc/polkit-1/rules.d/cron-suspend.rules文件中添加:

    polkit.addRule(function(action, subject) {
    if (subject.user == "my-user" && (action.id == "org.freedesktop.login1.suspend" || action.id == "org.freedesktop.login1.suspend-multiple-session")) {
        return polkit.Result.YES;
    }
});

  2. 重新启动服务:

    systemctl restart polkit

OBS:如果需要的话更改suspendhibernete

相关内容