Diffstat (limited to 'etc/polkit-1/rules.d/52-systemd-local-only.rules')
| -rw-r--r-- | etc/polkit-1/rules.d/52-systemd-local-only.rules | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/etc/polkit-1/rules.d/52-systemd-local-only.rules b/etc/polkit-1/rules.d/52-systemd-local-only.rules
new file mode 100644
index 0000000..bcfd347
--- /dev/null
+++ b/etc/polkit-1/rules.d/52-systemd-local-only.rules
@@ -0,0 +1,12 @@
+// Restrict systemd unit management via polkit to active local sessions.
+// Wheel-via-sudo-rs is unaffected (sudoers is a separate authorisation
+// path). Stops a remote SSH session (no `subject.local`) or a background
+// non-active session from start/stop/restart/reload of system units via
+// the polkit gate.
+polkit.addRule(function (action, subject) {
+ if (action.id.indexOf("org.freedesktop.systemd1.") === 0) {
+ if (!subject.local || !subject.active) {
+ return polkit.Result.NO;
+ }
+ }
+}); |
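Review bot: The prefix test on `org.freedesktop.systemd1.` denies every systemd1 polkit action to non-local or inactive subjects, which is wider than the header comment's "start/stop/restart/reload of system units": it also covers actions such as `manage-unit-files` and `reload-daemon`. The comment should state the real scope, for example `// Applies to every org.freedesktop.systemd1.* action, not only manage-units.` Two things should be checked before relying on this as a control. polkit evaluates rules files in lexical order and stops at the first non-null result, so any rule sorting before `52-` that returns YES for these actions would take precedence over this deny. A non-root service with no logind session presumably also has `subject.local` and `subject.active` false, so if any such service manages units through polkit it would be denied as well; a one-line comment naming that intended behaviour would help the next maintainer.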
