Bugzilla – Bug 1166
no "reboot" or "shutdown" buttons in gdm
Last modified: 2009-03-09 18:21:57 UTC
You need to log in before you can comment on or make changes to this bug.
Steps to reproduce: Install Indiana and boot it. Actual result: You'll see GDM which provides you a field to type in login and password, "OK" button, "Start Again" button and "Options" button, which allows you to choose language and session type. But there is no way to shut down or reboot machine; to do this, you have to log in and invoke reboot/shutdown via menu or commandline. Expected Results: two more buttons or "actions" menu Additional info: Ability to reboot or shutdown from GDM is really useful (possible scenarios: user pressed "log out" instead of "shut down", or user wants to switch off machine because she booted it up unintentionally, ...) Build date and Platform: OpenSolaris RC0, assembled April 7, 2008
keyword: sst-osp
*** Bug 1880 has been marked as a duplicate of this bug. ***
Raising the priority of this bug since it's desired to have it fixed for the next OS release.
These two sysmenus buttons are disabled by default on Solaris. Turning on them by default might be not a good idea in multi-user enviroment. If we show these 2 buttons on login screen, user itself doesn't need any authentication. He just clicks and then shutdown. This behaviour doesn't seem to meet with rule "Security by default".
Note that on Solaris GDM uses RBAC to decide whether to display the Shutdown and Reboot commands. To allow the gdm user to be able to shutdown the machine, you need to provide an entry like the following in the /etc/user_attr file: gdm::::type=normal;auths=solaris.system.shutdown Once this is done, the Shutdown and Reboot options should become available in the GDM login GUI.
In a single user desktop or laptop use case I would say that having the buttons for shutdown/suspend enabled by default would be a good thing. However as Simon pointed out in a multi-user environment this would be a bad thing. Consider a student lab or trading floor full of OpenSolaris systems, in this case we probably do not want unauthenticated users shutting down systems. We shouldn't ask questions about this during install so we have to pick a default that makes that majority happy. Given the current focus for the OpenSolaris binary release is developers I'm leaning slightly towards enabling the buttons.
Enable the buttons please.. Any large scale deployment such as the one about the student lab you described would have a System Admin who could disable this if they so wished. Regards, Edward.
Would it be possible to set the default to display the buttons on statically defined displays (like the :0 on console) but not on dynamically added displays (like Sun Rays, or logins as additional users once VT's land)?
Alan, I don't think there is an easy way to tell which $DISPLAY is the main "console" display once VT lands. I suppose GDM could just assume that the first display it starts is the main console, but I'm not sure that would always be accurate. I'd think it would make more sense to just make use of the new "Workstation Owner" RBAC role as defined in PSARC 2008/034 to know when to enable this or not. This way it would be available just for the "console" user, regardless of what VT they are on - but not available to Sun Ray or XDMCP users. However, Gary Winiger from the security team has told us that turning on this feature by default would violate Solaris security policy. Gary had this to say: The Solaris policy that must be maintained for evaluation purposes is that no security relevant actions may taken other than Identification and Authentication (I&A) before a successful I&A. If this RFE is to present shutdown and suspend buttons before successful I&A, it seems to me it is in conflict with that policy. How will such a conflict be resolved? According to Gary, we would need a waiver if we want to break this policy. I'm currently looking into what is specifically involved with getting such a waiver and whether that would be possible.
I believe that this issue should get resolved by the PSARC/2008/034 "Workstation Owner" case. I believe that when GDM is running on the Console, it should have the "Workstation Owner" privileges. It seems to make the most sense to provide this feature by just ensuring that the consoleowner, by default, as the right solaris.system.shutdown authorization. I believe Simon Zheng is working with Gary Winiger about this. Simon, any update?
See also bugs 2173 and 3571. Erwann, could the desktop team please look at this given Brian's comment below? Is there something else that's preventing this buttons from appearing on the GDM screen?
David, when you say "anything else" what do you mean? From a technical aspect, adding the solaris.system.shutdown RBAC authorization to the "gdm" user is a fairly trivial change. To me it seems the main blockage is Sun's security policy itself. Gary Winiger is pretty clear that we need a security waiver to turn on any feature that requires RBAC authorizations before any actual user authentication. I did express some home that when "Console Owner" integrates that it might resolve the problem. However, I'm not sure of that. I'm not sure if the "gdm" user will be considered the "Console Owner" when the login screen is displaying or not. If so, then this could resolve our problem if the default Console Owner setup can allow shutdown to be on by default. This may not be possible, though, since it would probably likewise violate Sun's security policies. Since Gary Winiger also owns the Console Owner ARC case, he's probably a good person to talk to to figure out the best way to resolve this issue, or to pursue getting a waiver if one is desired.
I mean to say "I did express some hope" instead of "I did express some home". Another suggestion that has been discussed to work around the security policy would be for the user to be required to enter the username/password of a user which does have solaris.system.shutdown authorization (such as the root user) before the shutdown/reboot operation will take affect. However, this approach suffers since the main benefit of providing these buttons directly on the GDM screen is to save the user the time from logging into their session in order to shutdown/reboot their session. Having to enter a username and password obviously reduces this benefit.
At this point, we're not going to stop the release in order to fix this. It will be added at an explicit requirement for the spring release in 2009.
Setting this priority to reflect reality with respect to the next release.