enlightenment/data/etc/system.conf

# Enlightenment System access control file
#
# This should be installed as /etc/enlightenment/system.conf if you wish to
# limit access to enlightenment_system setuid tool. The tool will load this
# file, if it exists, and abort any kind of execution if the file would not
# permit the calling user to use it. If this file does not exist, then any
# user or group will be permitted to run this tool and access its features.
# This file will be installed

# This file is read in order from top to bottom - the first rule to MATCH
# will be used for a user or a group, and nothing after that is read.

# Any user or group NOT matched by an allow or a deny will be ALLOWED to
# perform the action by default (system administrators should be aware of
# this and implement whatever policies they see fit). Generally speaking
# a user of a workstation, desktop or laptop is intended to have such abilities
# to perform these actions, thus the default of allow. For multi-user systems
# the system administrator is considered capable enough to restrict what they
# see they need to.

# A WARNING to admins: do NOT allow access for users to this system remotely
# UNLESS you fully trust them or you have locked down permissions to halt/reboot
# suspend etc. here first. You have been warned.

# FORMAT:
#
# user:  username  allow: rfkill
# group: groupname deny:  *
# group: *         deny:  *
# user:  *         allow: power
# user:  billy     allow: l2ping
# group: staff     deny:  backlight
# ... etc. ...
#
# user and group name can use glob matches (* == all for example) like the
# shell. as can action names allowed or denied.
#
# the system to allow at the end is a system name or * for "everything". this
# is a glob like filenames. systems supported:
#
# backlight - core backlight device that maps to a laptop screen or keyboard
# ddc       - external monitor controls like backlight, color correction etc
# storage   - handling of removable media devices
# power     - direct shutdown/reboot/suspend/resume/halt commands
# rfkill    - rf controls for wireless adaptors
# l2ping    - bluetooth pings for paired devices (no payload control)
# cpufreq   - change cpu frequency, governor and similar power controls

# root is allowed to do anything - but it needs to be here explicitly anyway
user:     root      allow: *
# members of operator, staff and admin groups should be able to do all
group:    operator  allow: *
group:    staff     allow: *
group:    admin     allow: *
group:    sys       allow: *
group:    wheel     allow: *
group:    adm       allow: *
# common "user" groups for "console users" on desktops/laptops
group:    dialout   allow: *
group:    disk      allow: *
group:    adm       allow: *
group:    cdrom     allow: *
group:    floppy    allow: *
group:    audio     allow: *
group:    dip       allow: *
group:    plugdev   allow: *
group:    netdev    allow: *
group:    bluetooth allow: *
group:    video     allow: *
group:    voice     allow: *
group:    fax       allow: *
group:    tty       allow: *
group:    colord    allow: *
group:    input     allow: *
group:    sudo      allow: *

# deny everyone else by default
user:     *         deny:  *
e system - add new uber setuid tool to replace all the previous ones so e has had a bit of a mess of setuid root tools to do things that are essential to maintaing a functioning desktop/laptop/tablet/phone like device like shutting it down or suspending or sqizzling the cpu governor or messing with the backlight or... you get the idea. this has been spread around enlightenment_sys and other special purpose tools. this now unifies it into a single "always there" enlightenment_system backend setuid root slave process whose job it is to do all these things via a stdio protocol in an organized way. this means latency to do something is lower, but at the expense of consuming ram and a lurking process. unfortunately the lurking will be needed soon when i add ddc support to make it even vaguely efficient, so it's a cost i guess we have to pay now. we'll need this in future as well for some stats collection and more. still need to port existing code to use this instead of the existing stuff, and then remove of the old stuff. 2020-01-12 13:38:54 -08:00			`# Enlightenment System access control file`
			`#`
			`# This should be installed as /etc/enlightenment/system.conf if you wish to`
			`# limit access to enlightenment_system setuid tool. The tool will load this`
			`# file, if it exists, and abort any kind of execution if the file would not`
			`# permit the calling user to use it. If this file does not exist, then any`
			`# user or group will be permitted to run this tool and access its features.`
			`# This file will be installed`

			`# This file is read in order from top to bottom - the first rule to MATCH`
			`# will be used for a user or a group, and nothing after that is read.`

			`# Any user or group NOT matched by an allow or a deny will be ALLOWED to`
			`# perform the action by default (system administrators should be aware of`
			`# this and implement whatever policies they see fit). Generally speaking`
			`# a user of a workstation, desktop or laptop is intended to have such abilities`
			`# to perform these actions, thus the default of allow. For multi-user systems`
			`# the system administrator is considered capable enough to restrict what they`
			`# see they need to.`

			`# A WARNING to admins: do NOT allow access for users to this system remotely`
			`# UNLESS you fully trust them or you have locked down permissions to halt/reboot`
			`# suspend etc. here first. You have been warned.`

			`# FORMAT:`
tree-wide: get rid of trailing whitespace Remove trailing whitespaces Reviewed-by: Stefan Schmidt <stefan@datenfreihafen.org> Differential Revision: https://phab.enlightenment.org/D11841 2020-05-16 20:28:27 -07:00			`#`
e system - allow the per system permit/deny rules to work 2020-04-23 05:43:45 -07:00			`# user: username allow: rfkill`
e system - add new uber setuid tool to replace all the previous ones so e has had a bit of a mess of setuid root tools to do things that are essential to maintaing a functioning desktop/laptop/tablet/phone like device like shutting it down or suspending or sqizzling the cpu governor or messing with the backlight or... you get the idea. this has been spread around enlightenment_sys and other special purpose tools. this now unifies it into a single "always there" enlightenment_system backend setuid root slave process whose job it is to do all these things via a stdio protocol in an organized way. this means latency to do something is lower, but at the expense of consuming ram and a lurking process. unfortunately the lurking will be needed soon when i add ddc support to make it even vaguely efficient, so it's a cost i guess we have to pay now. we'll need this in future as well for some stats collection and more. still need to port existing code to use this instead of the existing stuff, and then remove of the old stuff. 2020-01-12 13:38:54 -08:00			`# group: groupname deny: *`
			`# group: * deny: *`
e system - allow the per system permit/deny rules to work 2020-04-23 05:43:45 -07:00			`# user: * allow: power`
			`# user: billy allow: l2ping`
			`# group: staff deny: backlight`
e system - add new uber setuid tool to replace all the previous ones so e has had a bit of a mess of setuid root tools to do things that are essential to maintaing a functioning desktop/laptop/tablet/phone like device like shutting it down or suspending or sqizzling the cpu governor or messing with the backlight or... you get the idea. this has been spread around enlightenment_sys and other special purpose tools. this now unifies it into a single "always there" enlightenment_system backend setuid root slave process whose job it is to do all these things via a stdio protocol in an organized way. this means latency to do something is lower, but at the expense of consuming ram and a lurking process. unfortunately the lurking will be needed soon when i add ddc support to make it even vaguely efficient, so it's a cost i guess we have to pay now. we'll need this in future as well for some stats collection and more. still need to port existing code to use this instead of the existing stuff, and then remove of the old stuff. 2020-01-12 13:38:54 -08:00			`# ... etc. ...`
			`#`
			`# user and group name can use glob matches (* == all for example) like the`
			`# shell. as can action names allowed or denied.`
e system - allow the per system permit/deny rules to work 2020-04-23 05:43:45 -07:00			`#`
			`# the system to allow at the end is a system name or * for "everything". this`
			`# is a glob like filenames. systems supported:`
			`#`
			`# backlight - core backlight device that maps to a laptop screen or keyboard`
			`# ddc - external monitor controls like backlight, color correction etc`
			`# storage - handling of removable media devices`
			`# power - direct shutdown/reboot/suspend/resume/halt commands`
			`# rfkill - rf controls for wireless adaptors`
			`# l2ping - bluetooth pings for paired devices (no payload control)`
			`# cpufreq - change cpu frequency, governor and similar power controls`
e system - add new uber setuid tool to replace all the previous ones so e has had a bit of a mess of setuid root tools to do things that are essential to maintaing a functioning desktop/laptop/tablet/phone like device like shutting it down or suspending or sqizzling the cpu governor or messing with the backlight or... you get the idea. this has been spread around enlightenment_sys and other special purpose tools. this now unifies it into a single "always there" enlightenment_system backend setuid root slave process whose job it is to do all these things via a stdio protocol in an organized way. this means latency to do something is lower, but at the expense of consuming ram and a lurking process. unfortunately the lurking will be needed soon when i add ddc support to make it even vaguely efficient, so it's a cost i guess we have to pay now. we'll need this in future as well for some stats collection and more. still need to port existing code to use this instead of the existing stuff, and then remove of the old stuff. 2020-01-12 13:38:54 -08:00
			`# root is allowed to do anything - but it needs to be here explicitly anyway`
			`user: root allow: *`
			`# members of operator, staff and admin groups should be able to do all`
			`group: operator allow: *`
			`group: staff allow: *`
			`group: admin allow: *`
			`group: sys allow: *`
			`group: wheel allow: *`
			`group: adm allow: *`
			`# common "user" groups for "console users" on desktops/laptops`
			`group: dialout allow: *`
			`group: disk allow: *`
			`group: adm allow: *`
			`group: cdrom allow: *`
			`group: floppy allow: *`
			`group: audio allow: *`
			`group: dip allow: *`
			`group: plugdev allow: *`
			`group: netdev allow: *`
			`group: bluetooth allow: *`
			`group: video allow: *`
			`group: voice allow: *`
			`group: fax allow: *`
			`group: tty allow: *`
			`group: colord allow: *`
			`group: input allow: *`
			`group: sudo allow: *`

			`# deny everyone else by default`
			`user: * deny: *`