# Enlightenment System access control file
#
# This should be installed as /etc/enlightenment/system.conf if you wish to
# limit access to enlightenment_system setuid tool. The tool will load this
# file, if it exists, and abort any kind of execution if the file would not
# permit the calling user to use it. If this file does not exist, then any
# user or group will be permitted to run this tool and access its features.
# This file will be installed

# This file is read in order from top to bottom - the first rule to MATCH
# will be used for a user or a group, and nothing after that is read.

# Any user or group NOT matched by an allow or a deny will be ALLOWED to
# perform the action by default (system administrators should be aware of
# this and implement whatever policies they see fit). Generally speaking
# a user of a workstation, desktop or laptop is intended to have such abilities
# to perform these actions, thus the default of allow. For multi-user systems
# the system administrator is considered capable enough to restrict what they
# see they need to.

# A WARNING to admins: do NOT allow access for users to this system remotely
# UNLESS you fully trust them or you have locked down permissions to halt/reboot
# suspend etc. here first. You have been warned.

# FORMAT:
# 
# user:  username  allow: halt reboot suspend hibernate
# group: groupname deny:  *
# group: *         deny:  *
# user:  *         allow: suspend
# user:  billy     allow: halt reboot
# group: staff     deny:  halt suspend hibernate
# ... etc. ...
#
# user and group name can use glob matches (* == all for example) like the
# shell. as can action names allowed or denied.

# root is allowed to do anything - but it needs to be here explicitly anyway
user:     root      allow: *
# members of operator, staff and admin groups should be able to do all
group:    operator  allow: *
group:    staff     allow: *
group:    admin     allow: *
group:    sys       allow: *
group:    wheel     allow: *
group:    adm       allow: *
# common "user" groups for "console users" on desktops/laptops
group:    dialout   allow: *
group:    disk      allow: *
group:    adm       allow: *
group:    cdrom     allow: *
group:    floppy    allow: *
group:    audio     allow: *
group:    dip       allow: *
group:    plugdev   allow: *
group:    netdev    allow: *
group:    bluetooth allow: *
group:    video     allow: *
group:    voice     allow: *
group:    fax       allow: *
group:    tty       allow: *
group:    colord    allow: *
group:    input     allow: *
group:    sudo      allow: *

# deny everyone else by default
user:     *         deny:  *