# xorg user can reboot despite root logged in console

## CaptainBlood

consolekit installed here for a long time.

I've quit for elogind.

Prior to such changes, rebooting from xorg (LXDE) was refrained if root was logged in somewhere, e.g. in console.

A GUI prompt was requesting root password to confirm execution.

It's no longer the case, which bothers me as a bad twist to unix principles.

I really need some help there to bring this logic back.

the polkit rules seems quite empty, may be that's the reason why....

Thks 4 ur attention.

----------

## dmpogo

 *CaptainBlood wrote:*   

> consolekit installed here for a long time.
> 
> I've quit for elogind.
> 
> Prior to such changes, rebooting from xorg (LXDE) was refrained if root was logged in somewhere, e.g. in console.
> ...

 

Is just forbidding non-root reboot an overkill in your situation ?

----------

## Yamakuzure

 *CaptainBlood wrote:*   

> Prior to such changes, rebooting from xorg (LXDE) was refrained if root was logged in somewhere, e.g. in console.
> 
> A GUI prompt was requesting root password to confirm execution.
> 
> It's no longer the case, which bothers me as a bad twist to unix principles.
> ...

 I am using Plasma, but that should make no difference.

When I try to reboot via konsole while root is logged in somewher, I get:

```
 ~ $ loginctl reboot

User root is logged in on tty3.

Please retry operation after closing inhibitors and logging out other users.

Alternatively, ignore inhibitors and users with 'loginctl reboot -i'.
```

So the default polkit rules do apply. Both loginctl from elogind and systemctl from systemd allow to ignore inhibitors, but the poweroff system of a DE shouldn't really do that by default.

I'll see what Plasma does when I use the regular shutdown button of the start menu...

Edit: Wow. I just tried and Plasma simply shut down despite root being logged in.   :Shocked: 

----------

## CaptainBlood

Guess it's time to revisit authentication/security stack here.

Although I feel quite ignorant thus very unconfortable about it.

Thks 4 ur attention, interest & support.

----------

## CaptainBlood

Here's

```
luc@amd64 ~ $ loginctl

SESSION  UID USER SEAT  TTY 

      4 1000 luc  seat0     

      5    0 root seat0 tty1

2 sessions listed.

luc@amd64 ~ $ loginctl reboot 

User root is logged in on tty1.

Please retry operation after closing inhibitors and logging out other users.

Alternatively, ignore inhibitors and users with 'loginctl reboot -i'.
```

However reboot request from LXDE menu is honored.

Any idea what I'm missing?

Thks 4 ur attention.

----------

## CaptainBlood

```
x11-base/xorg-server

     Installed versions:  1.20.7(0/1.20.7)(11:53:00 17/02/2020)(elogind udev wayland xorg xvfb -debug -dmx -doc -ipv6 -kdrive -libglvnd -libressl -minimal -selinux -static-libs -suid -systemd -unwind -xcsecurity -xephyr -xnest)
```

Could the issue be related to

```
grep keeptty /var/log/Xorg.0.log

[    34.453] (II) systemd-logind: logind integration requires -keeptty and -keeptty was not provided, disabling logind integration
```

Thks 4 ur attention, interest & support.

----------

## CaptainBlood

 *dmpogo wrote:*   

> Is just forbidding non-root reboot an overkill in your situation ?

 

Yes it is, somehow.

Thks 4 ur attention, interest & support

----------

## CaptainBlood

 *dmpogo wrote:*   

> Is just forbidding non-root reboot an overkill in your situation ?

 To be more precise, yes in an ideal world, as consolekit like behavior is expected.

I'm still interested in any proposal, as it might help my understanding.

Trying gdm instead of sddm enables -keeptty for xorg-server, which didn't help though.

Thks 4 ur attention, interest & support.

----------

