8

I am using Ubuntu 16.04.

There is a file located at /usr/share/polkit-1/actions/org.freedesktop.login1.policy which seems to control the permissions regarding shutdown/suspend/hibernate options.

In this file, the relevant options are in this format:

    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>auth_admin_keep</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>

corresponding to every action (shutdown, suspend etc.).
Here is the full version of that file.

I want to know the meaning of allow_any, allow_inactive and allow_active options.
What do they mean exactly?

The reason for my curiosity is that I want to hibernate non-interactively without root (from cron), but am getting authorization errors.

And it seems that those errors can be solved by modifying this file.

3 Answers

4

This link contains the information given by the other answer in a better way.

Especially this part:

The defaults tag is where the permissions or lack thereof are located.
It contains three settings: allow_any, allow_inactive, and allow_active.
Inactive sessions are generally remote sessions (SSH, VNC, etc.) whereas active sessions are logged directly into the machine on a TTY or an X display.
allow_any is the setting encompassing both scenarios.

For each of these settings the following options are available:

no: The user is not authorized to carry out the action. There is therefore no need for authentication.
yes: The user is authorized to carry out the action without any authentication.
auth_self: Authentication is required but the user need not be an administrative user.
auth_admin: Authentication as an administrative user is required.
auth_self_keep: The same as auth_self but, like sudo, the authorization lasts a few minutes.
auth_admin_keep: The same as auth_admin but, like sudo, the authorization lasts a few minutes.

Also, here is the official manual page of polkit.

Hibernation can be made to be turned on from cron by changing the no to yes inside the allow_any tags under the actions org.freedesktop.login1.hibernate and org.freedesktop.login1.hibernate-multiple-sessions.

But this is not a recommended solution as it can be erased during future upgrades.

Instead you can make a file containing the following:

    [Enable hibernate to be run via cron]
    Identity=unix-user:*
    Action=org.freedesktop.login1.hibernate;org.freedesktop.login1.hibernate-multiple-sessions
    ResultAny=yes

named com.0.enable-hibernation-from-cron.pkla in the directory /etc/polkit-1/localauthority/50-local.d/ to achieve the same effect.

An even better solution using visudo is given here.

  • This is a better answer than the other one with the copy-pasted man page. Great job! – Anwar Aug 19 '16 at 14:19
  • @Anwar Thanks! I accepted that answer because firstly, it made me aware of polkit, without which my answer wouldn't have been possible, and secondly, accepting my own answer seemed a bit weird. – Anmol Singh Jaggi Aug 19 '16 at 14:24
  • 1
    In my opinion, the correct and most accurate answer should be accepted. That helps future visitors. Since only 2 answers are given here, I see no problem. – Anwar Aug 19 '16 at 14:29
3

From section DECLARING ACTIONS of polkit - Authorization Framework:

defaults

       This element is used to specify implicit authorizations for
       clients.

       Elements that can be used inside defaults includes:

       allow_any
           Implicit authorizations that apply to any client. Optional.

       allow_inactive
           Implicit authorizations that apply to clients in inactive
           sessions on local consoles. Optional.

       allow_active
           Implicit authorizations that apply to clients in active
           sessions on local consoles. Optional.

       Each of the allow_any, allow_inactive and allow_active elements can
       contain the following values:

       no
           Not authorized.

       yes
           Authorized.

       auth_self
           Authentication by the owner of the session that the client
           originates from is required.

       auth_admin
           Authentication by an administrative user is required.

       auth_self_keep
           Like auth_self but the authorization is kept for a brief
           period.

       auth_admin_keep
           Like auth_admin but the authorization is kept for a brief
           period.

I hope this makes it clear for you.

Vombat
  • 12,884
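The three elements quoted from the man page above, resolved for different kinds of client, as an added example that is not part of the original answers. The policy XML is a constructed sample (the `org.example.demo.wide-open` action id is hypothetical), and the code assumes that the local-console elements take precedence over `allow_any` and that a cron job belongs to no local console session.

```python
import xml.etree.ElementTree as ET

KEYS = ("allow_any", "allow_inactive", "allow_active")

# Constructed sample in the layout of org.freedesktop.login1.policy; the
# second action id is hypothetical and only exercises the audit check.
SAMPLE_POLICY = """\
<policyconfig>
  <action id="org.freedesktop.login1.hibernate">
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>auth_admin_keep</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.example.demo.wide-open">
    <defaults>
      <allow_any>yes</allow_any>
    </defaults>
  </action>
</policyconfig>
"""

def load_defaults(policy_xml):
    """Return {action id: {element name: value, or None if omitted}}."""
    table = {}
    for action in ET.fromstring(policy_xml).iter("action"):
        table[action.get("id")] = {
            key: (action.findtext("defaults/" + key) or "").strip() or None
            for key in KEYS
        }
    return table

def implicit_authorization(defaults, local_console, active):
    """Assumption: local-console sessions use allow_active/allow_inactive;
    every other client (a cron job has no console session) uses allow_any."""
    if local_console:
        return defaults["allow_active" if active else "allow_inactive"]
    return defaults["allow_any"]

def open_to_any_client(table):
    """Audit helper: actions any client may perform with no authentication."""
    return sorted(a for a, d in table.items() if d["allow_any"] == "yes")

if __name__ == "__main__":
    table = load_defaults(SAMPLE_POLICY)
    hib = table["org.freedesktop.login1.hibernate"]
    print("cron job:", implicit_authorization(hib, False, False))
    print("open to any client:", open_to_any_client(table))
```

On a live system, `pkaction --verbose --action-id org.freedesktop.login1.hibernate` prints the implicit any/inactive/active values that polkit has actually loaded, for comparison.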
0

In Debian sid this works for me:

  1. In /etc/polkit-1/rules.d/cron-suspend.rules file add:

    // Let one named user suspend without authentication (e.g. from cron).
    polkit.addRule(function(action, subject) {
        if (subject.user == "my-user" &&
            (action.id == "org.freedesktop.login1.suspend" ||
             action.id == "org.freedesktop.login1.suspend-multiple-sessions")) {
            return polkit.Result.YES;
        }
    });
    
  2. Restart the service:

    systemctl restart polkit
    

Note: change suspend to hibernate if needed.

muru
  • 72,889
rhuanpk
  • 415