2y ago

How do you disable machinectl entirely?

I’m mostly interested in disabling the command to create a root shell ‘machinectl shell @root’. Attempting to ‘systemctl disable systemd-machined’ doesn’t work.

Edit:

After some more poking, it seems polkit is the way to do it. Create the file /etc/polkit-1/rules.d/10-deny-machinectl.rules and add the following

        polkit.addRule(function(action, subject) {
       if (action.id.startsWith("org.freedesktop.machine1.")) {
             return polkit.Result.NO;
       }
    });

The list of all actions you can filter on are in /usr/share/polkit-1/actions/org.freedesktop.machine1.policy

3 comments

I didn't find a way to disable the command but in this discussion they seem to change it to request the root password:
https://github.com/systemd/systemd/issues/2799
I didn't even know about machinectl. Thank you
- The worst is that if the ‘wheel’ group is empty, it will give a root shell to absolutely anyone.