Multi-User System Challenges

I work at a very small business with fewer than 10 employees. Nobody has an isolated office or cubicle and computer.

Common at work is coworkers heading out to the field to service customers or other systems and needing to leave the computer they were using. This has not been an issue previously because all systems were configured as single-user systems. That might make some sysadmins or security experts shudder, but this is a very small company. I am guessing this approach is common with small businesses as well as almost all home users.

For our migration effort I am configuring at least one multi-user workstation and laptop. We are using Ubuntu MATE 16.04 and the LightDM login manager.

One reason for this change in approach is security. Although trust level is very high among all employees, as the person responsible for this migration project I have to think like a security admin and consider the possibility of compromise. We do not want all employees having access to the user accounts of other employees.

For example, I use SSH key pairs to access various systems in our infrastructure. My private keys are passphrase-protected. From my home office I use my encrypted virtual machine (VM) for remote access. In the field I have been using my personal laptop with an encrypted partition. With this migration effort I wanted to configure one office workstation and laptop for my use case. At the office I would have the same access my VM provides. I could stop using my personal laptop.

Another reason is a nominal amount of privacy. Employees do not own any of the computers but some nominal privacy with respect to other employees is hardly abnormal.

Should the first user step away from a computer for a long period, another user should be able to use the system without losing any work started by the previous user. The MATE desktop supports a Switch User option, both in the Lock Screen dialog and from the menu button Log Out option.

With our laptops, which thus far have been single-user, we implemented a policy that the desktop screen locks after five minutes of idle time. Coworkers have acclimated to this policy and have not found the policy horrible or inconvenient. They understand the reason is a security precaution.

Under this new workflow, with any system the screen will be locked after five minutes. All affected employees know the password for the single-user systems. This will not be the case with multi-user systems. Invoking the lock screen dialog will require additional users to use the Switch User option to log in.

So far so good but at that point, from the MATE desktop itself or the LightDM dialog there is no obvious way to know that another user is logged in. I resolved the desktop problem with a change in our Conky display. When additional users are logged in Conky displays the user names in yellow text. The LightDM dialog reveals who is logged in by displaying those names in bold — but only if configured to display user names. Not exactly obvious but doable.

Despite that additional information, this nonetheless creates an unwanted situation because there is no way to prevent a reboot or shutdown when more than one user is logged in. Users could lose their work.

We needed to prevent such events. When more than one user is logged into a system we needed a graphical way of informing users why a reboot or power down aborts.

All users are GUI-centric. They are not going to open a terminal window to learn whether other users are logged in or to elevate privileges to reboot or power down. Not going to happen.

Users are significantly single-user biased too. This is true of all humans. Most people are not going to pay attention to whether others are logged in to the same system. The computer must be configured to interrupt those requests.

Some solutions to this problem looked encouraging but they all relied on the command line. Those solutions did not satisfy our GUI requirements.

After several days of hard searching I found my answer with polkit. In the early days of our migration I had to configure a laptop that was not fully Linux compliant. A similar approach solved our multi-user problem although there are some peculiar related behaviors.

Ubuntu MATE 16.04 (and Ubuntu 18.04) use polkit 0.105. My understanding is polkit 0.105 and older does not support *.rules files and only supports *.pkla files.

The default polkit org.freedesktop.login1.policy action provides support for multiple-sessions events. Unfortunately the defaults are too permissive.

    allow_any: auth_admin_keep
    allow_inactive: auth_admin_keep
    allow_active: yes

The default allow_active configuration allows the active user to reboot or power down when other users are logged in. That option makes no sense for a multi-user system and needs to be changed.

I created /etc/polkit-1/localauthority/50-local.d/restrict-poweroff-reboot.pkla:

    [Disable Reboot With Multiple Users Logged On]
    Identity=unix-user:*
    Action=org.freedesktop.login1.reboot-multiple-sessions
    ResultAny=auth_admin
    ResultInactive=auth_admin
    ResultActive=auth_admin

    [Disable Power Off With Multiple Users Logged On]
    Identity=unix-user:*
    Action=org.freedesktop.login1.power-off-multiple-sessions
    ResultAny=auth_admin
    ResultInactive=auth_admin
    ResultActive=auth_admin

    [Disable Suspend With Multiple Users Logged On]
    Identity=unix-user:*
    Action=org.freedesktop.login1.suspend-multiple-sessions
    ResultAny=auth_admin
    ResultInactive=auth_admin
    ResultActive=auth_admin

    [Disable Hibernate With Multiple Users Logged On]
    Identity=unix-user:*
    Action=org.freedesktop.login1.hibernate-multiple-sessions
    ResultAny=auth_admin
    ResultInactive=auth_admin
    ResultActive=auth_admin
    

Polkit works in real-time. When making changes no reboots, daemon reloads, or relogins are needed.

The changes worked. With multiple users logged in nobody but root can force a reboot or power down. The respective dialogs allow users to request those actions but the actions abort with multiple users logged in.
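
A check that can be run over a .pkla file like the one above, as an added example that is not part of the original post: it fails unless each of the four multiple-sessions actions is restricted for all users on all three Result keys. The function names `audit_pkla` and `sample_pkla` are hypothetical, the sample input is constructed, and treating `auth_admin`, `auth_admin_keep` and `no` as restrictive is this script's own assumption.

```shell
# Added example, not from the original post. Assumption of this script:
# auth_admin, auth_admin_keep and no are the only restrictive Result values.
audit_pkla() {   # usage: audit_pkla FILE   (reads stdin when FILE is omitted)
    awk -F= '
    function close_section(   i, n, acts, good, k) {
        good = (id ~ /(^|;)unix-user:\*(;|$)/)      # must apply to every user
        for (k in want)
            if (res[k] !~ /^(auth_admin|auth_admin_keep|no)$/) good = 0
        n = split(action, acts, ";")                # Action may list several ids
        for (i = 1; i <= n; i++) {
            # Conservative rule: one weak section naming the action fails it.
            if (acts[i] != "" && !good) state[acts[i]] = "weak"
            else if (acts[i] != "" && !(acts[i] in state)) state[acts[i]] = "ok"
        }
        id = ""; action = ""; split("", res)        # reset for the next section
    }
    BEGIN { want["ResultAny"]; want["ResultInactive"]; want["ResultActive"] }
    { sub(/\r$/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
    /^\[/ { close_section(); next }
    /^#/ || /^$/ { next }
    {
        val = substr($0, index($0, "=") + 1)
        if ($1 == "Identity") id = val
        else if ($1 == "Action") action = val
        else if (($1) in want) res[$1] = val
    }
    END {
        close_section()
        n = split("reboot power-off suspend hibernate", req, " ")
        for (i = 1; i <= n; i++) {
            a = "org.freedesktop.login1." req[i] "-multiple-sessions"
            if (!(a in state)) { print "FAIL " a ": no entry"; bad = 1 }
            else if (state[a] != "ok") { print "FAIL " a ": not restricted"; bad = 1 }
        }
        exit bad + 0
    }' "${1:--}"
}

# Constructed sample input: one section per action, ResultActive set to $1.
sample_pkla() {
    for a in reboot power-off suspend hibernate; do
        printf '[%s]\nIdentity=unix-user:*\nAction=org.freedesktop.login1.%s-multiple-sessions\n' "$a" "$a"
        printf 'ResultAny=auth_admin\nResultInactive=auth_admin\nResultActive=%s\n\n' "$1"
    done
}
sample_pkla auth_admin | audit_pkla && echo "settings from the post: OK"
sample_pkla yes | audit_pkla || echo "ResultActive=yes: rejected"
```

To audit the real file, pass its path as the argument, for example `audit_pkla /etc/polkit-1/localauthority/50-local.d/restrict-poweroff-reboot.pkla`. Glob patterns in `Action=` lines are not expanded by this check.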

There are some oddball caveats.

  • Attempting to suspend results in the desktop lock screen dialog being invoked. The user has to unlock the screen before seeing the dialog requesting authentication. I understand why the screen locks for security reasons, but the order of presentation is backwards. Users should first see the authentication request before locking the screen. Not intuitive at all but can be overcome with training.
  • Attempting to power down or reboot results in the desktop closing to the LightDM display manager. Again not intuitive and another training issue. A challenge with this event is the LightDM screen provides no immediately obvious information about who is logged in.
  • With the LightDM login manager, determining who is logged in is actually possible but only if configured to display user names. Users logged in will be listed in bold.
  • The LightDM screen always disables the menu options to reboot and power down. This makes sense but is not intuitive without training.
  • With only one user logged in, upon logging out the LightDM menu options remain disabled for about 15 seconds. The menu options become available after the delay. If a person decides to power down or reboot in this manner rather than directly from the MATE desktop then the delay is irritating.

Despite the quirks I am pleased. Using a multi-user system is something new for coworkers. I will have to provide training so they understand the nuances and oddball caveats.

Posted: Category: Usability Tagged: Firefox, Migrate, Ubuntu
