Re: Reasons for rights policies, political or technical ? Was : Re: pm-hibernate as user
On 12/19/2012 04:58 PM, berenger.morel@neutralite.org wrote:
>
>
> Le 19.12.2012 16:25, Hugo Vanwoerkom a écrit :
>> Michael Biebl wrote:
>>> On 19.12.2012 01:04, Hugo Vanwoerkom wrote:
>>>> Michael Biebl wrote:
>>>>> On 19.12.2012 00:34, berenger.morel@neutralite.org wrote:
>>>>>> Except using sudo, I know no solution... sadly.
>>>>>> Maybe you can do something with policykit, too, I never tried to
>>>>>> understand how it works, but I think giving rights to some
>>>>>> softwares is its role.
>>>>> sudo is one option, the other is to use upower (which runs as system
>>>>> daemon with root privileges) and use a command like this
>>>>>
>>>>>
>>>>> $ dbus-send --print-reply \
>>>>> --system \
>>>>> --dest=org.freedesktop.UPower \
>>>>> /org/freedesktop/UPower \
>>>>> org.freedesktop.UPower.Suspend
>>>>>
>>>>>
>>>> This related to LXDE which I am trying out. The hibernate and
>>>> suspend buttons do nothing in the logout menu. Googling says that
>>>> LXDE uses pm-utils. So I was guessing that invoking
>>>> pm-hibernate/suspend was involved, which I can do as root but not as
>>>> user.
>>> Since the user session runs unprivileged, and pm-suspend/pm-hibernate
>>> need to run as root, you will need to go through a system service like
>>> upower.
>>> I know nothing about LXDE, but e.g. in GNOME, the power manager simply
>>> sends the above dbus requests when you hit the suspend button or close
>>> the lid.
>>> I would expect LXDE provides a similar user power management agent.
>>>
>>>
>>
>> Indeed. I found this:
>> https://wiki.archlinux.org/index.php/PolicyKit#Suspend_and_hibernate
>>
>> Follow that and addgroup power and adduser to power and you can now
>> hibernate and suspend.
>>
>> Hugo
>
> A bit out of topic, but I wonder why there is no other solution than
> using dbus to let a user shutdown/hibernate/suspend his computer? This
> is not the only point where the problem apply: you have same troubles
> with network, and maybe on other things I did not experiment (to add
> softwares and/or modify system-wide configuration files, I think it is
> perfectly normal to need root, because no normal user does those actions
> everyday).
>
> Of course, there are workarounds, with dbus, sudo...
> Of course, the way things are actually done is nice for enterprises,
> which need a high security level, at least for servers.
>
> But, in my humble opinion, linux should not be reserved for enterprises,
> some people uses it at home, for pleasure (like me) and this
> over-security is counter-productive: I am switching to root quite often,
> for things as simple as asking to renew my IP address on a network,
> suspend my computer, changing wifi network I am using (if I am in a
> friend's home, at work, in a "cybercafe" (don't know english name,
> sorry)...).
> This results in having a quasi-permanent root console enabled on my
> system, which is not really safe (I enabled a special colored prompt to
> avoid doing mistakes there ;) ).
>
> I could use the workarounds, yes, but I tend to prefer minimalist
> systems, and I do not really know where dbus is needed on my computer:
> my softwares usually do not need to communicate, except for copy/paste,
> but this is done through X11 AFAIK.
> As I prefer minimalist things (no true desktop environment, by example)
> I did not install policykit, because:
> _ I can do everything I need without it. Only "simple" things are more
> boring: power and network management in my situation
> _ I do not understand how it works (and because it is not needed and I
> have many other things more important to learn, I do not want to learn
> about it for now)
>
> I can understand the interest, for enterprises, which is probably where
> linux is the most widely used, but is it only political reasons, or is
> there is a technical limitation?
> In the first situation, it could be interesting to provide a way for
> simple users to control their computers. I am seeing linux as a system
> for tinkerers and people who like to have choices. And on those things,
> there are no real choices: root or dbus. Even windows is able to
> shutdown a computer with a command made by basic user (shutdown IIRC).
Linux is designed to be a multi-user system. This means, that
system-access is strictly denied to normal users. It makes linux safe.
You could easily configure sudo to do exactly what you want: Running
commands with elevated rights ... without root access for all commands
and without a separate passoword. I have configured an own shutdown
script with sudo myself and use pmount for mounting devices as normal
user. And for administration (I also like to tinker with my system) I
simply use a "su" to become root -- why would that be difficult? On
Windows you first need to create a shortcut and then "Run as
administrator" and even then you are not able to e.g. delete everything
you want.
> The strange point is that you have physical access to switches allowing
> you to poweroff your computer (and network: for wifi, you often have a
> button, for wired you can unplug the cable), but you need special
> password to ask a new IP or shutdown correctly the computer?
> Well, to shutdown the computer, you can also switch to TTYs, and do
> CTRL+ALT+SUPPR to reboot. Then, use the button... Err... simple...
True, but I rather have an overall-safe system and that shutdown-issue
than an insecure system.
> I remember some article about Linus Torvalds complaining about the
> over-security in distros, needing to use root account for most actions.
> I do not agree on all of his words, but on that point, I have to admit
> that for my usage, those points are simply boring.
> Of course, I know that it is needed for other people in various
> situations (poweroff on a distant computer with user access could be a
> big problem by example) but what I would like to know is, is there any
> technical reasons to avoid users to shutdown a computer, or use
> ifconfig, ifup and ifdown tools?
I think it is implied by the multi-user approach: If another user was
logged in at your computer (e.g. over ssh) and you just disabled network
they would lose connection.
Reply to: