[sf-lug] sudo abuse, suspend/shutdown, and polkit

[Akkana Peck]

Anybody understand how to configure polkit, specifically under Debian?

I wrote recently in the sudo abuse discussion:
> I've configured some of these not to need sudo, and this discussion
> inspired me to look up a few more, and to start a collection of some
> ways to configure the system so as to need root for fewer of the
> common user actions:

So, one of those new tricks I *thought* I'd learned was to use
systemctl poweroff, reboot and suspend instead of poweroff, reboot
and pm-suspend, and that supposedly, if I added myself to the
"power" group (which I had to create, there's no such default
group on Debian), those would automagically work without needing root.

It worked on the first machine where I tried it (a laptop running
Debian testing), woohoo! But then it turned out it didn't work on
my desktop, also running Debian testing; and it doesn't work on
Raspbian either. And I can't find any useful documentation on how
these polkit rules work or on how to tell which rule is being invoked.

$ systemctl suspend                                                 ~
Failed to suspend system via logind: Access denied
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ===
Authentication is required to start 'suspend.target'.
Authenticating as: root
Password:

I grepped around for org.freedesktop.systemd1.manage-units and found
it in /usr/share/polkit-1/actions/org.freedesktop.systemd1.policy.
If I edit that file and change the allow_active rule to yes,
I get a different error:

$ systemctl suspend                                                 ~
Failed to suspend system via logind: Access denied
Failed to start suspend.target: Unit suspend.target is masked.

I have no idea what "target is masked" means.
I've set all the various suspend targets in
/usr/share/polkit-1/actions/org.freedesktop.login1.policy
to <allow_active>yes</allow_active>, and
$ loginctl show-session $XDG_SESSION_ID --property=Active
says my session is active (whatever that means).

I've also tried creating
/etc/polkit-1/localauthority.conf.d/85-suspend.rules
and adding the rule shown here:
https://stijn.tintel.eu/blog/2015/09/11/polkit-requesting-root-password-to-suspend-after-updating-version-0112-to-0113
(I picked that localauthority.conf.d directory semi-randomly:
Debian's polkit setup has a huge slew of directories and there
seems to be no documentation anywhere as to what they mean.
Most polkit discussions on the net assume there's just a single
/etc/polkit-1/rules.d.)

I've compared the /etc/polkit-1 and /usr/share/polkit-1 directories
between the two machines. /etc/polkit-1 is the same; /usr/share/polkit-1
has some differences but they mostly relate to packages that are
installed on one system but not the other. I haven't found any
differences that look like they should be directly related to suspend.

Any suggestions on how to proceed with debugging this polkit stuff?

        ...Akkana