6

Okay, first off, this is not a problem I am facing, but I would like to understand this better.

If I wish to shutdown / reboot my machine from the command line I need to call:

$ sudo poweroff
$ sudo reboot

That is, I need root privileges to make these ACPI calls.

However, I start my DE, (I use XFCE) without granting it root privileges: $ startxfce4 --with-ck-launch

Now, I know that the --with-ck-launch parameter helps allows XFCE to shutdown / reboot my system, but I do not understand how.

What allows ConsoleKit to shutdown without root privileges? How can it change the runlevel without super-user privileges? And since it is possible, how can I shutdown my machine from the console without root privileges?

Gilles 'SO- stop being evil'
  • 807,993
  • 194
  • 1,674
  • 2,175
darnir
  • 4,429
  • 1
  • 20
  • 33

1 Answers1

3

You can communicate with ConsoleKit through dbus. For example using the dbus-send tool a few notable commands are,

Shutdown: 

dbus-send --system --print-reply --dest="org.freedesktop.ConsoleKit" /org/freedesktop/ConsoleKit/Manager org.freedesktop.ConsoleKit.Manager.Stop

Reboot:

dbus-send --system --print-reply --dest="org.freedesktop.ConsoleKit" /org/freedesktop/ConsoleKit/Manager org.freedesktop.ConsoleKit.Manager.Restart

There are also commands for hibernate and suspend but I do not know what they are.

edit: Found suspend command

dbus-send --system --print-reply --dest=org.freedesktop.Hal /org/freedesktop/Hal/devices/computer org.freedesktop.Hal.Device.SystemPowerManagement.Suspend int32:0

On newwer systems

dbus-send --system --print-reply --dest="org.freedesktop.UPower" /org/freedesktop/UPower org.freedesktop.UPower.Suspend
Alex L.
  • 171
  • 3
  • Thanks for those commands! I'll look up more on dbus and dbus-send now.. However, I still have the question, if I can make this call without root privileges isn't it a security threat? Anyone with the said knowledge could power-off my machine without root access. What I mean is that the whole point of required root privileges for calling poweroff and reboot is lost if I can make a call as such. – darnir Aug 13 '12 at 14:32
  • @darnir I'm not very familiar with the consolekit / policykit framework, but I am pretty sure there is a permissions system in place that has to do with active sessions / seats. Basically, anyone can use dbus-send to try to send messages, but only messages from the user session that is currently logged in and active will be accepted. Other users / sessions will get some sort of "authorization denied" reply if they try to do any of the above. – jw013 Aug 13 '12 at 16:04
  • 2
    @darnir There is a permissions framework built through policy kit. If you want to learn more about it read the `pklocalauthority` man page and look at the files in `/etc/polkit-1` and its sub directories. – Alex L. Aug 13 '12 at 16:06
  • @Alex thanks for your inputs. I'll look into the policykit framework and pklocalauthority. – darnir Aug 13 '12 at 17:41