How to Shutdown and Reboot in XFCE4

How to Shutdown and Reboot in XFCE4
For the Practical Man



Description and Reason:
You just installed XFCE4 for FreeBSD but can't shutdown or reboot. Errors would show up that look like this:

[font="Courier New"]org.freedesktop.hal.power-management.shutdown no <-- (action, result)
org.freedesktop.hal.power-management.reboot no <-- (action, result)[/font]​

You're getting these errors because PolicyKit is reporting to the system that you don't have the authorization to do the requested action.


Quick Fix:
Allow all users to shutdown and reboot:
# polkit-action --set-defaults-any org.freedesktop.hal.power-management.shutdown yes
# polkit-action --set-defaults-any org.freedesktop.hal.power-management.reboot yes


Fix:
This will involve two commandline tools used for PolicyKit administration: polkit-action(1) and polkit-auth(1). Lets familiarize ourselves with these tools just enough so that we can figure out how to solve our problem. By the way, I always have HAL and DBUS enabled in my /etc/rc.conf. I don't know if it's required but lets just say that it is, because my keyboard and mouse dies if I disable them. Okay, lets continue.




polkit-action(1):
This is used to control the policies of each action; actions such as shutdown and reboot.


List actions supported by PolicyKit:
$ polkit-action


Get details of an action:
$ polkit-action --action ACTION
ACTION is one of the actions listed from invoking the command with no arguments.​


Change the policy of an action:
# polkit-action --set-defaults-any ACTION VALUE
ACTION is one of the actions listed from invoking the command with no arguments.​
VALUE can be one of several values, but we'll only concern ourselves with two of them: [font="Courier New"]yes[/font] and [font="Courier New"]auth_admin_keep_always[/font]. Use the former if you want to allow anyone to perform the action. Use the latter if only administrators are allowed. [font="Courier New"]auth_admin_keep_always[/font] will require you to authenticate yourself as a member of the wheel group (check /usr/local/etc/PolicyKit/PolicyKit.conf for [font="Courier New"]define_admin_auth[/font]). The "keep always" part means you'll only have to authenticate once. We'll get to authentication in a bit.​


Reset an action to its default policy:
# polkit-action --reset-defaults ACTION
ACTION is one of the actions listed from invoking the command with no arguments.​


List actions that aren't using their default policy:
$ polkit-action --show-overrides


That's all you need to know about polkit-action(1). If you used [font="Courier New"]yes[/font] as the value for the [font="Courier New"]--set-defaults-any[/font] option, you're done! The changes should be immediate. You don't need to reboot, you don't even need to logout->login. However, if you've chosen [font="Courier New"]auth_admin_keep_always[/font], continue reading.




polkit-auth(1):
This is used to authenticate yourself to PolicyKit. You don't need to use sudo or become root, so you should log in as the user trying to authenticate.


List actions you're allowed to perform:
$ polkit-auth
If you get an error like this:
[font="Courier New"][WARN XXXX] Cannot lookup information for pid XXXX: No such file or directory
polkit-auth: This operation requires the system message bus and ConsoleKit to be running[/font]​
You'll need to mount procfs by doing the following:
1) Add [font="Courier New"]proc /proc procfs rw 0 0[/font] to your /etc/fstab
2) [font="Courier New"]# mount /proc[/font]​


List actions that require authentication:
$ polkit-auth --show-obtainable


Authenticate for an action:
$ polkit-auth --obtain ACTION
ACTION is one of the actions listed from [font="Courier New"]$ polkit-auth --show-obtainable[/font]. After successful authentication, the action will appear when you invoke [font="Courier New"]$ polkit-auth[/font] and disappear from [font="Courier New"]$ polkit-auth --show-obtainable[/font].​


Revoke authentication:
$ polkit-auth --revoke ACTION
ACTION is one of the actions listed from invoking [font="Courier New"]$ polkit-auth[/font]. After this command, the action will appear back in the list given by the [font="Courier New"]--show-obtainable[/font] option.​


That's it! This started out as a guide for shutdown and reboot, but it's really about basic PolicyKit administration. At this point, the commands under "quick fix" should be clear. You should also have an idea on how to enable other PolicyKit controlled actions such as auto-mounting. Try it!
 
It looks like you're doing the equivalent of adding
Code:
<match user="myuser">
  <return result="yes"/>
</match>

to PolicyKit.conf. I'm not convinced this is easier, but it's interesting to see an alternative.
 
That's about what I did: change the XML file and put my account in the proper group.
 
wblock said:
It looks like you're doing the equivalent of adding
Code:
<match user="myuser">
  <return result="yes"/>
</match>

to PolicyKit.conf. I'm not convinced this is easier, but it's interesting to see an alternative.

DutchDaemon said:
That's about what I did: change the XML file and put my account in the proper group.

It's a little bit more involved, especially if you're the only user on the system. I still prefer this method though because there's no need to remember where the PolicyKit.conf is when you need to edit a policy, and you don't have to worry about correct syntax or typographical errors or even being in the proper group (if you used [font="Courier New"]yes[/font] as the value to [font="Courier New"]--set-defaults-any[/font]).
 
I am the only user on my system (laptop), and that's all I did to get XFCE to reboot/shutdown. Really. And there's nothing remotely complex about it ..
 
wblock said:
It looks like you're doing the equivalent of adding
Code:
<match user="myuser">
  <return result="yes"/>
</match>

Currently I have to do this for every user account added to the system.

Is there a way of returning result="yes" for any user which is part of the operator group for example?
 
kpedersen said:
Currently I have to do this for every user account added to the system.

Is there a way of returning result="yes" for any user which is part of the operator group for example?

Doesn't look like it. Best I've found so far is to "or" the usernames:
Code:
<match user="jsmith|ksmith">
  <return result="yes"/>
</match>
 
kpedersen said:
Currently I have to do this for every user account added to the system.

Is there a way of returning result="yes" for any user which is part of the operator group for example?

I'm not sure if it will work but you can try this:

In your PolicyKit.conf you should find a block of code that looks like this:

Code:
<config version="0.1">
    <match user="root">
	<return result="yes"/>
    </match>
    <define_admin_auth group="wheel"/>
</config>

Between the config tags, add the following:
Code:
<define_admin_auth group="operator"/>

Then do:
# polkit-action --set-defaults-any ACTION auth_admin_keep_always
Replace ACTION with the action you want to grant.

To see a list of PolicyKit actions, do the following:
$ polkit-action


When you create a new user, perform the following steps under the new account to obtain permission to ACTION. You can also tell the user to do this since it does not require sudo or root access.

$ polkit-auth --show-obtainable
Whatever action you set to [font="Courier New"]auth_admin_keep_always[/font] should be listed.

$ polkit-auth --obtain ACTION
A prompt will appear asking for the user password. Enter the password and the user should now be able to perform ACTION.

To verify the action is now permitted:
$ polkit-auth

Note: If this works, I believe it will cause both groups (wheel and operator) to have access to the same actions. I'm not exactly sure how to grant different actions to different groups, or if it's even possible.
 
Code:
    <define_admin_auth group="wheel|operator"/>

works fine for me. A single edit.
 
This is what I get on # polkit-auth
Code:
[WARN  1426] failed to load configuration file: /usr/local/etc/PolicyKit/PolicyKit.conf:22: parse error: mismatched tag
 
Hello.

This morning I updated my ports and somehow "shut down', 'reboot' options became disabled in XFCE4. Before this update everything worked well!
I have PolicyKit.conf configured, have hald and dbus, and linux_support enabled in /etc/rc.conf.

Any help? Maybe I have to perform downgrade of some ports?

ps: I remember nvidia-drivers being updated at this time, maybe there have been any problems?
 
Are you getting an error message of any kind? Have you tried the commands under the "quick fix" section?
 
@noz
Nope, no error messages. buttons are disabled so there's no way to click them. Yes, I have tried that command under the 'quick fix' section but no luck.
 
Are you able to shutdown/reboot from the commandline as a normal user? If not, any errors?
 
@noz

Yes, I can perform shutdown as normal user without any problems.

BTW, I figured out that my HALD doesn't start at startup in spite of the fact it is written in /etc/rc.conf!
When I start it manually as root user, the XFCE4 buttons 'Shutdown'/'Reboot' became available!

Any ideas how to make HALD start automatically at FreeBSD startup?
 
SirDice

This line has been there for ages, yes. Well, looked through the file once again. Here it is:
Code:
hald_enable="YES"
dbus_enable="YES"

As I stated in another thread, I think it is a fresh HALD/DBUS bug.
 
no need to duplicate my posts.
The problem has been solved after upgrading to hal-0.5.14_10 and dbus-1.4.0 now.
 
The issue I get with shutting down xfce is the if I am using the slim display manager, sometimes it doesn't auto-login on the next boot properly. For now I just push my computers actual power button to initiate a shutdown, and as far as I can tell that causes me no problems.
 
Thanks for a helpful how-to

Just wanted to thank the OP for a very helpful how-to. I've wasted way too much time trying to get FreeBSD to let me shut down as a normal user. This solution worked on the first try! By the way, it works fine with LXDE too.
 
Currently I have to do this for every user account added to the system.

Is there a way of returning result="yes" for any user which is part of the operator group for example?
Not sure if this was available until recently but, the solution that I've come up with is to add the following to /usr/local/etc/PolicyKit/PolicyKit.conf between the "config" tags:
Code:
  <match action="org.freedesktop.hal.power-management.shutdown">
  <return result="yes"/>
  </match>

  <match action="org.freedesktop.hal.power-management.reboot">
  <return result="yes"/>
  </match>
I currently only have one user on my system so it hasn't been thoroughly tested. But, I believe this works for ALL users. Not sure how you would do it for only members of group "operator". Perhaps add group="operator" to the "match" tag?

I feel like this should be the default behavior.

I am using LXDE. Hope this is helpful.
 
Back
Top