summaryrefslogtreecommitdiff
path: root/data/etc/sysactions.conf.in
blob: b0dfab51c4ec6394d7da729ad9ed9f13cbdfd628 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
# ENLIGHTENMENT SYSTEM ACTIONS CONFIGURATION
#
# This is a system configuration for allowing or denying certain users or
# groups to be able to do certain actions that involve system restricted
# actions such as halt, reboot, suspend, hibernate etc.
# 
# This file is read in order from top to bottom - the first rule to MATCH
# will be used for a user or a group, and nothing after that is read.
#
# You must put all the ACTION definitons BEFORE user and group rule matches.
# Any action definitons after a rule match has been found will be ignored.
# This allows actions to be re-defined for different user groups, so matches
# so the command for an action can change for matches to the rules later on.
# 
# Any user or group NOT matched by an allow or a deny will be ALLOWED to
# perform the action by default (system administrators should be aware of
# this and implement whatever policies they see fit). Generally speaking
# a user of a workstation, desktop or laptop is intended to have such abilities
# to perform these actions, thus the default of allow. For multi-user systems
# the system administrator is considered capable enough to restrict what they
# see they need to.
# 
# A WARNING to admins: do NOT allow access for users to this system remotely
# UNLESS you fully trust them or you have locked down permissions to halt/reboot
# suspend etc. here first. You have been warned.
#
# FORMAT:
#
# action:   halt      /sbin/shutdown -h now
# action:   reboot    /sbin/shutdown -r now
# action:   suspend   /etc/acpi/sleep.sh force
# action:   hibernate /etc/acpi/hibernate.sh force
#
# user:  username  allow: halt reboot suspend hibernate
# group: groupname deny:  *
# group: *         deny:  *
# user:  *         allow: suspend
# user:  billy     allow: halt reboot
# group: staff     deny:  halt suspend hibernate
#
# etc.
#
# user and group name can use glob matches (* == all for example) like the
# shell. as can action names allowed or denied. 

action:   halt      /sbin/shutdown -h now
action:   reboot    /sbin/shutdown -r now
action:   suspend   @SUSPEND@
action:   hibernate @HIBERNATE@
action:   /bin/mount /bin/mount
action:   /bin/umount /bin/umount
action:   /usr/bin/eject /usr/bin/eject
action:   gdb       gdb
action:   l2ping    l2ping

# on FreeBSD use this instead of the above.
#action suspend  /usr/sbin/zzz 

# root is allowed to do anything - but it needs to be here explicitly anyway
user:     root      allow: *
# members of operator, staff and admin groups should be able to do all
group:    operator  allow: *
group:    staff     allow: *
group:    admin     allow: *
group:    sys       allow: *
group:    wheel     allow: *
group:    adm       allow: *
# common "user" groups for "console users" on desktops/laptops
group:    dialout   allow: *
group:    disk      allow: *
group:    adm       allow: *
group:    cdrom     allow: *
group:    floppy    allow: *
group:    audio     allow: *
group:    dip       allow: *
group:    plugdev   allow: *
group:    netdev    allow: *
group:    bluetooth allow: *
group:    video     allow: *
group:    voice     allow: *
group:    fax       allow: *
group:    tty       allow: *
# put in a list of other users and groups here that are allowed or denied etc.
# e.g.
# user:     myuser     allow:  *
# user:     another    allow:  suspend hibernate
#
#
# uncomment this line to enable eeze mounting for users
# user:   someuser allow: /bin/mount /bin/umount /usr/bin/eject
#
#
# deny everyone else by default
user:     *         deny:  *