If you are connecting to an X Window session on one machine remotly from another machine running X Windows then by default you will not be able to shut down or reboot the system from the login screen, and will have to enter a password to shut down or reboot the system when logging out.
This is intentional, after all it would be not be a good thing if anyone could just shutdown a linux server just by making a connection to the display manager and selecting shutdown or for a user to be able to shut down the system if someone else was using it! However, sometimes is can be very convenient to be able to do so, such as when connecting remotely to a Raspberry that does not have a screen attached.
These actions are controlled by ‘policykit’ and we can change the defaults by creating a couple of additional rules or modifying the policy file.
Before we can edit anything we need to be running as root.
$ su Password:
$ sudo -i Password:
Creating New Policy Rules
By default ‘policykit’ should look for additional rules in ‘/var/lib/polkit-1/localauthority/’ and apply these in the correct order. To allow ordinary users to shut down or reboot the system once they are logged in we need to make sure that all users can do so, and to allow the system to be shut down or rebooted from the remote login screen we need to make sure that the display manager do so as well (the user name used by the display manager depends on the display manager used, in this case I’m using ‘lightdm’).
# vi /var/lib/polkit-1/localauthority/50-local.d/\ > enable-lightdm-shutdown.pkla
[Enable Shutdown] Identity=unix-user:lightdm;unix-group:users Action=org.freedesktop.consolekit.system.stop;org.freedesktop.consolekit.system.stop-multiple-users ResultAny=yes ResultInactive=yes ResultActive=yes
# vi /var/lib/polkit-1/localauthority/50-local.d/\ > enable-lightdm-reboot.pkla
[Enable Reboot] Identity=unix-user:lightdm;unix-group:users Action=org.freedesktop.consolekit.system.restart;org.freedesktop.consolekit.system.restart-multiple-users ResultAny=yes ResultInactive=yes ResultActive=yes
You can combine both these rules in a single file, all that matters is where it is and that it ends in ‘.pkla’.
Unfortunately when I upgraded to latest version of Raspbian I noticed that these two rules stopped working and I have not been able to discover why, though I suspect either the folder these files should be in has moved, or the name of the action in the rule has changed (adding the actions from the the policy file in the next section doesn’t work). In trying to work out what is wrong I have however discovered that I can update the policy file directly, and though this is not encouraged it seems to work (for now).
Modify Existing Policy
The current policy is defined in an XML file, editing this file allows us to change the way the system behaves in a similar way to the two rules above.
# vi /usr/share/polkit-1/actions/org.freedesktop.login1.policy
Find the two sections below and make the changes highlighted.
<action id="org.freedesktop.login1.power-off-multiple-sessions"> <description>Power off the system while other users are logged in</description> <message>Authentication is required for powering off the system while other users are logged in.</message> <defaults> <allow_any>yes</allow_any> <allow_inactive>yes</allow_inactive> <allow_active>yes</allow_active> </defaults> <annotate key="org.freedesktop.policykit.imply">org.freedesktop.login1.power-off</annotate> </action>
<action id="org.freedesktop.login1.reboot-multiple-sessions"> <description>Reboot the system while other users are logged in</description> <message>Authentication is required for rebooting the system while other users are logged in.</message> <defaults> <allow_any>yes</allow_any> <allow_inactive>yes</allow_inactive> <allow_active>yes</allow_active> </defaults> <annotate key="org.freedesktop.policykit.imply">org.freedesktop.login1.reboot</annotate> </action>
Note - I've left out some lines above to make it easier to see what needs to be changed.
These changes should take effect immediately, on my system I didn't even need to restart the display manager.
Raspberry Pi is a trademark of the Raspberry Pi Foundation