Systemd has a bunch of "imply" rules on other actions... try adding the following:

[Disable more reboot actions]
Identity=unix-user:*
Action=org.freedesktop.login1.reboot-ignore-inhibit;org.freedesktop.login1.set-reboot-*
ResultActive=no
ResultInactive=no
ResultAny=no

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1969593

Title:
  rules to prevent non-root users from rebooting not taken into account

Status in policykit-1 package in Ubuntu:
  New
Status in systemd package in Ubuntu:
  New

Bug description:
  On a fresh Ubuntu Jammy installation, I add a "/etc/polkit-1/localauthority/90-mandatory.d/restriction.pkla" file with the following contents:

  [Disable power-off]
  Identity=unix-user:*
  Action=org.freedesktop.login1.power-off
  ResultActive=no
  ResultInactive=no
  ResultAny=no

  [Disable power-off when others are logged in]
  Identity=unix-user:*
  Action=org.freedesktop.login1.power-off-multiple-sessions
  ResultActive=no
  ResultInactive=no
  ResultAny=no

  [Disable_reboot]
  Identity=unix-user:*
  Action=org.freedesktop.login1.reboot
  ResultActive=no
  ResultInactive=no
  ResultAny=no

  [Disable_reboot_when_others_are_logged_in]
  Identity=unix-user:*
  Action=org.freedesktop.login1.reboot-multiple-sessions
  ResultActive=no
  ResultInactive=no
  ResultAny=no

  It must prevent non-root users from shutting down and rebooting the system. But it only prevents shutting down. Rebooting is still possible for a non-root user.

  We can see it using the pkcheck command (as a non-root user):

  $ pkcheck --action-id org.freedesktop.login1.power-off --process $PPID ; echo $?
  Not authorized.
  1
  $ pkcheck --action-id org.freedesktop.login1.reboot --process $PPID ; echo $?
  0

  As this problem can lead to unexpected reboots on multi-user systems (an availability concern), I checked the "This bug is a security vulnerability" box.

  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: policykit-1 0.105-33
  ProcVersionSignature: Ubuntu 5.15.0-25.25-generic 5.15.30
  Uname: Linux 5.15.0-25-generic x86_64
  ApportVersion: 2.20.11-0ubuntu82
  Architecture: amd64
  CasperMD5CheckResult: pass
  CurrentDesktop: ubuntu:GNOME
  Date: Wed Apr 20 10:53:27 2022
  InstallationDate: Installed on 2022-04-20 (0 days ago)
  InstallationMedia: Ubuntu 22.04 LTS "Jammy Jellyfish" - Release amd64 (20220419)
  ProcEnviron:
   TERM=xterm-256color
   PATH=(custom, no username)
   XDG_RUNTIME_DIR=<set>
   LANG=fr_FR.UTF-8
   SHELL=/bin/bash
  SourcePackage: policykit-1
  UpgradeStatus: No upgrade log present (probably fresh install)
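
A coverage check for the rules in this thread, as an added example that is not part of the original message or of polkit or systemd: it parses .pkla text and lists which reboot-related login1 action ids no deny entry matches. The action list, the user name "alice" and the use of fnmatch for the globs are assumptions; confirm the ids with `pkaction` on the target system.

```python
import configparser
from fnmatch import fnmatchcase

def entry(name, action):
    """Render one .pkla entry in the shape used in the bug report."""
    return (f"[{name}]\nIdentity=unix-user:*\nAction={action}\n"
            "ResultActive=no\nResultInactive=no\nResultAny=no\n\n")

# The reporter's four entries, rebuilt from the report; then the reply's extra entry.
REPORTED = "".join(entry(n, "org.freedesktop.login1." + a) for n, a in [
    ("Disable power-off", "power-off"),
    ("Disable power-off when others are logged in", "power-off-multiple-sessions"),
    ("Disable_reboot", "reboot"),
    ("Disable_reboot_when_others_are_logged_in", "reboot-multiple-sessions"),
])
SUGGESTED = entry("Disable more reboot actions",
                  "org.freedesktop.login1.reboot-ignore-inhibit;"
                  "org.freedesktop.login1.set-reboot-*")

# Assumed list of reboot-related login1 action ids; confirm with `pkaction`.
REBOOT_ACTIONS = ["org.freedesktop.login1." + a for a in (
    "reboot", "reboot-multiple-sessions", "reboot-ignore-inhibit",
    "set-reboot-parameter", "set-reboot-to-firmware-setup",
    "set-reboot-to-boot-loader-menu", "set-reboot-to-boot-loader-entry")]

def deny_patterns(pkla_text, identity="unix-user:alice"):
    """Action globs from entries that match `identity` and answer 'no' in every Result* key."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # keep key case as written in the file
    cp.read_string(pkla_text)
    patterns = []
    for sec in cp.sections():
        e = cp[sec]
        ids = [i for i in e.get("Identity", "").split(";") if i]
        results = [e.get(k) for k in ("ResultAny", "ResultInactive", "ResultActive")]
        if any(fnmatchcase(identity, i) for i in ids) and all(r == "no" for r in results):
            patterns += [a for a in e.get("Action", "").split(";") if a]
    return patterns

def uncovered(pkla_text, actions=REBOOT_ACTIONS):
    """Action ids that no deny entry in `pkla_text` matches."""
    pats = deny_patterns(pkla_text)
    return [a for a in actions if not any(fnmatchcase(a, p) for p in pats)]

if __name__ == "__main__":
    print("reported file leaves unmatched:", uncovered(REPORTED))
    print("with suggested entry:", uncovered(REPORTED + SUGGESTED))
```

This only checks which action ids the file's text matches; it does not model how polkit evaluates them, so the pkcheck commands from the report remain the test of the effective result.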