Disable ability of users to enable lingering in systemd
Can I disable the ability of regular users to enable lingering in loginctl?
By default every user on a systemd enabled Linux can run loginctl --enable-linger and have a personal systemd instance started that starts services in userspace after reboots. I have the need to disable this capability.

man logind.conf does not show anything helpful. Every search term I can think of only leads to instructions on how to use it.

In a couple of places it has been suggested to clean the folder /var/lib/systemd/linger/ on shutdown, so they are gone when the system starts up next time. But that seems rather hacky. Is there any regular option to disable lingering?
1 answer
The following users marked this post as Works for me:
User | Comment | Date |
---|---|---|
GeraldS | (no comment) | Oct 30, 2024 at 11:01 |
I managed to disable the feature via polkit. To do this I created two policy files:
/etc/polkit-1/localauthority/50-local.d/50-disable-linger-self.pkla
[disable loginctl linger self]
Identity=unix-user:*
Action=org.freedesktop.login1.set-self-linger
ResultAny=no
ResultInactive=no
ResultActive=no
/etc/polkit-1/localauthority/50-local.d/60-disable-linger-user.pkla
[disable loginctl linger user]
Identity=unix-user:*
Action=org.freedesktop.login1.set-user-linger
ResultAny=no
ResultInactive=no
ResultActive=no
This effectively disables the ability for regular users.
gerald@node:~$ loginctl enable-linger gerald
Could not enable linger: Access denied
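The polkit rules in the answer refuse new linger requests but do not clear a flag that was set before they were installed. The following is an added example, not part of the original answer: it lists the marker files in the /var/lib/systemd/linger/ directory named in the question and, when asked, clears them. The function names are made up for this example, and it assumes one marker file per lingering user in that directory.

```shell
#!/bin/sh
# Added example: audit linger flags that predate the polkit deny rules.
# Default directory is the one named in the question; override it for testing.
LINGER_DIR_DEFAULT=/var/lib/systemd/linger

# Print one username per line for every marker file in the linger directory.
linger_users() {
    dir=${1:-$LINGER_DIR_DEFAULT}
    [ -d "$dir" ] || return 0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue      # also skips the unexpanded glob when empty
        printf '%s\n' "${f##*/}"
    done
}

# Report lingering users. With "apply" as the second argument, clear each
# flag with loginctl instead (run as root).
# Returns 0 when nothing lingers or everything was cleared, 1 otherwise.
audit_linger() {
    dir=${1:-$LINGER_DIR_DEFAULT}
    mode=${2:-report}
    status=0
    for u in $(linger_users "$dir"); do
        if [ "$mode" = apply ]; then
            loginctl disable-linger "$u" || status=1
        else
            echo "lingering: $u (clear with: loginctl disable-linger $u)"
            status=1
        fi
    done
    return $status
}
```

Source the file and run `audit_linger` to get a report; `audit_linger /var/lib/systemd/linger apply` as root clears the flags it finds.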