Polkit rules not triggering GUI authentication for shutdown in MATE Desktop

I'm trying to configure Polkit rules on Ubuntu MATE 24.04 to require admin authentication for shutdown/reboot actions in the graphical interface. My current rules:
    // Identities that may authenticate as admin for these actions.
    polkit.addAdminRule(function(action, subject) {
        if (
            action.id == "org.freedesktop.login1.reboot" ||
            action.id == "org.freedesktop.login1.reboot-multiple-sessions" ||
            action.id == "org.freedesktop.login1.power-off" ||
            action.id == "org.freedesktop.login1.power-off-multiple-sessions"
        ) {
            return ["unix-user:root"];
        }
    });

    // root is allowed without a prompt; everyone else must authenticate as admin.
    polkit.addRule(function(action, subject) {
        if (
            action.id == "org.freedesktop.login1.reboot-multiple-sessions" ||
            action.id == "org.freedesktop.login1.reboot" ||
            action.id == "org.freedesktop.login1.power-off" ||
            action.id == "org.freedesktop.login1.power-off-multiple-sessions"
        ) {
            if (subject.user == "root") {
                return polkit.Result.YES;
            }
            return polkit.Result.AUTH_ADMIN_KEEP;
        }
    });

Observed Behavior:

GUI shutdown button skips authentication and logs out immediately.

CLI commands like pkexec shutdown or pkexec poweroff correctly prompt for authentication.

Questions:

Is there a MATE-specific policy or action ID I might be missing?

Why does the GUI bypass authentication while CLI respects the rules?

I want the GUI shutdown/reboot button in MATE to require secondary authentication (e.g., password prompt) for non-admin users.
Thank you for any insights!

For clarity, here are the details of my environment:

Ubuntu Version:

    No LSB modules are available.
    Distributor ID: Ubuntu
    Description: Ubuntu 24.04.2 LTS
    Release: 24.04
    Codename: noble

MATE Desktop Packages:

    mate-desktop-common/noble,now 1.26.2-1.1build3 all
    mate-desktop-environment-core/noble,now 1.26.0+1ubuntu6 all
    mate-desktop/noble,now 1.26.2-1.1build3 amd64
    mate-polkit-common/noble,now 1.26.1-4build3 all
    mate-polkit/noble,now 1.26.1-4build3 amd64
    mate-power-manager-common/noble,now 1.26.1-1build4 all
    mate-power-manager/noble,now 1.26.1-1build4 amd64
    mate-session-manager/noble,now 1.26.1-2build2 amd64
    polkitd/noble-updates,now 124-2ubuntu1.24.04.2 amd64
    ubuntu-mate-desktop/noble,now 1.296 amd64

systemd Version:

    systemd 255 (255.4-1ubuntu8.5)

1 Like
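
Added example, not part of the original posts: an offline harness for checking which requests the rules above actually catch. The `polkit` object is a minimal stand-in for the one polkitd provides (first rule to return a value wins, otherwise the action's implicit default applies), the two rules are condensed to share one ID list, and `org.example.session.shutdown` is a hypothetical action ID.

```javascript
// Minimal stand-in for the `polkit` object polkitd gives to .rules files.
const polkit = {
  Result: { NO: "no", YES: "yes", AUTH_SELF: "auth_self",
            AUTH_SELF_KEEP: "auth_self_keep", AUTH_ADMIN: "auth_admin",
            AUTH_ADMIN_KEEP: "auth_admin_keep", NOT_HANDLED: null },
  rules: [],
  adminRules: [],
  addRule(fn) { this.rules.push(fn); },
  addAdminRule(fn) { this.adminRules.push(fn); },
};

const SHUTDOWN_IDS = [
  "org.freedesktop.login1.reboot",
  "org.freedesktop.login1.reboot-multiple-sessions",
  "org.freedesktop.login1.power-off",
  "org.freedesktop.login1.power-off-multiple-sessions",
];

// The two rules from the question, condensed to share one ID list.
polkit.addAdminRule(function (action, subject) {
  if (SHUTDOWN_IDS.includes(action.id)) return ["unix-user:root"];
});
polkit.addRule(function (action, subject) {
  if (!SHUTDOWN_IDS.includes(action.id)) return; // not handled by this rule
  return subject.user == "root" ? polkit.Result.YES
                                : polkit.Result.AUTH_ADMIN_KEEP;
});

// Return the first non-null value produced by a list of rule functions.
function firstHandled(fns, action, subject) {
  for (const fn of fns) {
    const r = fn(action, subject);
    if (r !== undefined && r !== null) return r;
  }
  return null;
}

// Rules win over the implicit default declared in the action's .policy file.
function evaluate(actionId, user, implicitDefault) {
  const r = firstHandled(polkit.rules, { id: actionId }, { user: user });
  return r !== null ? { result: r, source: "rule" }
                    : { result: implicitDefault, source: "implicit default" };
}

function adminIdentities(actionId, user) {
  return firstHandled(polkit.adminRules, { id: actionId }, { user: user });
}
```

Calling `evaluate("org.freedesktop.login1.power-off", "alice", "yes")` yields `auth_admin_keep` from the rule, while a request authorized under any other action ID is not handled and falls back to its implicit default. The rules therefore only take effect for callers that ask polkit about one of the four listed IDs.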

I'm fairly sure the MATE shutdown GUI prompt (with logout, reboot, shutdown options) doesn't utilise the login1 DBus interface to perform the shutdown operation.

At least - that's what I gleaned from when I was looking at why the Suspend menu item in the Ayatana appmenu (which does use the login1 DBus interface) doesn't trigger a screensaver lock.

1 Like

But when I click the shutdown button in the graphical interface, I did observe that the DBus service sent messages related to the shutdown operation.

1 Like

Hi, @sswh and welcome to the Ubuntu MATE Community!

IMHO, it takes editing the /usr/share/polkit-1/actions/org.freedesktop.login1.policy file. There are snippets which may relate to your request. For example:

.....
        <action id="org.freedesktop.login1.reboot">
                <description gettext-domain="systemd">Reboot the system</description>
                <message gettext-domain="systemd">Authentication is required to reboot the system.</message>
                <defaults>
                        <allow_any>auth_admin_keep</allow_any>
                        <allow_inactive>auth_admin_keep</allow_inactive>
                        <allow_active>yes</allow_active>
                </defaults>
                <annotate key="org.freedesktop.policykit.imply">org.freedesktop.login1.set-wall-message</annotate>
        </action>
.....
        <action id="org.freedesktop.login1.power-off">
                <description gettext-domain="systemd">Power off the system</description>
                <message gettext-domain="systemd">Authentication is required to power off the system.</message>
                <defaults>
                        <allow_any>auth_admin_keep</allow_any>
                        <allow_inactive>auth_admin_keep</allow_inactive>
                        <allow_active>yes</allow_active>
                </defaults>
                <annotate key="org.freedesktop.policykit.imply">org.freedesktop.login1.set-wall-message</annotate>
        </action>

        <action id="org.freedesktop.login1.power-off-multiple-sessions">
                <description gettext-domain="systemd">Power off the system while other users are logged in</description>
                <message gettext-domain="systemd">Authentication is required to power off the system while other users are logged in.</message>
                <defaults>
                        <allow_any>auth_admin_keep</allow_any>
                        <allow_inactive>auth_admin_keep</allow_inactive>
                        <allow_active>yes</allow_active>
                </defaults>
                <annotate key="org.freedesktop.policykit.imply">org.freedesktop.login1.power-off</annotate>
        </action>
.....

I think that the most promising is the allow_active parameter set to no.

2 Likes

I tried modifying the relevant shutdown action IDs, changing their parameters to auth_admin_keep or no, but the result remained the same: clicking the shutdown button in the graphical interface directly triggered a logout instead.

1 Like

I suspect this issue might be related to the MATE graphical interface, because with the same polkit rules configured, clicking the shutdown button in the GNOME interface triggers the secondary authentication prompt.

1 Like

PolicyKit - Debian Wiki reads:

PolicyKit in Debian does not currently (as of Debian 11) allow the implementation of fine grained permissions using the lookup functionality which is available in polkit.

Well, this may explain something...

2 Likes

The Polkit rules I configured do not utilize lookup functionality.