2006-09-03 01:51:32 -07:00
|
|
|
# ENLIGHTENMENT SYSTEM ACTIONS CONFIGURATION
|
|
|
|
#
|
|
|
|
# This is a system configuration for allowing or denying certain users or
|
|
|
|
# groups to be able to do certain actions that involve system restricted
|
|
|
|
# actions such as halt, reboot, suspend, hibernate etc.
|
|
|
|
#
|
|
|
|
# This file is read in order from top to bottom - the first rule to MATCH
|
|
|
|
# will be used for a user or a group, and nothing after that is read.
|
|
|
|
#
|
|
|
|
# You must put all the ACTION definitons BEFORE user and group rule matches.
|
|
|
|
# Any action definitons after a rule match has been found will be ignored.
|
|
|
|
# This allows actions to be re-defined for different user groups, so matches
|
|
|
|
# so the command for an action can change for matches to the rules later on.
|
|
|
|
#
|
|
|
|
# Any user or group NOT matched by an allow or a deny will be ALLOWED to
|
|
|
|
# perform the action by default (system administrators should be aware of
|
|
|
|
# this and implement whatever policies they see fit). Generally speaking
|
|
|
|
# a user of a workstation, desktop or laptop is intended to have such abilities
|
|
|
|
# to perform these actions, thus the default of allow. For multi-user systems
|
2010-09-08 16:59:07 -07:00
|
|
|
# the system administrator is considered capable enough to restrict what they
|
2006-09-03 01:51:32 -07:00
|
|
|
# see they need to.
|
|
|
|
#
|
|
|
|
# A WARNING to admins: do NOT allow access for users to this system remotely
|
|
|
|
# UNLESS you fully trust them or you have locked down permissions to halt/reboot
|
|
|
|
# suspend etc. here first. You have been warned.
|
|
|
|
#
|
|
|
|
# FORMAT:
|
|
|
|
#
|
|
|
|
# action: halt /sbin/shutdown -h now
|
|
|
|
# action: reboot /sbin/shutdown -r now
|
|
|
|
# action: suspend /etc/acpi/sleep.sh force
|
|
|
|
# action: hibernate /etc/acpi/hibernate.sh force
|
|
|
|
#
|
|
|
|
# user: username allow: halt reboot suspend hibernate
|
|
|
|
# group: groupname deny: *
|
|
|
|
# group: * deny: *
|
|
|
|
# user: * allow: suspend
|
|
|
|
# user: billy allow: halt reboot
|
|
|
|
# group: staff deny: halt suspend hibernate
|
|
|
|
#
|
|
|
|
# etc.
|
|
|
|
#
|
|
|
|
# user and group name can use glob matches (* == all for example) like the
|
|
|
|
# shell. as can action names allowed or denied.
|
|
|
|
|
2013-04-05 06:20:23 -07:00
|
|
|
action: halt @HALT@
|
|
|
|
action: reboot @REBOOT@
|
2011-03-29 11:20:11 -07:00
|
|
|
action: suspend @SUSPEND@
|
|
|
|
action: hibernate @HIBERNATE@
|
2011-06-30 01:18:26 -07:00
|
|
|
action: /bin/mount /bin/mount
|
|
|
|
action: /bin/umount /bin/umount
|
|
|
|
action: /usr/bin/eject /usr/bin/eject
|
2012-10-30 01:36:26 -07:00
|
|
|
action: gdb gdb
|
2013-03-17 08:07:34 -07:00
|
|
|
action: l2ping l2ping
|
2006-09-03 01:51:32 -07:00
|
|
|
|
2009-01-15 03:58:26 -08:00
|
|
|
# on FreeBSD use this instead of the above.
|
|
|
|
#action suspend /usr/sbin/zzz
|
|
|
|
|
2006-09-27 23:07:15 -07:00
|
|
|
# root is allowed to do anything - but it needs to be here explicitly anyway
|
2006-09-03 01:51:32 -07:00
|
|
|
user: root allow: *
|
2006-09-27 23:07:15 -07:00
|
|
|
# members of operator, staff and admin groups should be able to do all
|
2006-09-03 01:51:32 -07:00
|
|
|
group: operator allow: *
|
|
|
|
group: staff allow: *
|
2006-09-27 23:07:15 -07:00
|
|
|
group: admin allow: *
|
|
|
|
group: sys allow: *
|
2012-09-11 20:58:02 -07:00
|
|
|
group: wheel allow: *
|
|
|
|
group: adm allow: *
|
2006-09-27 23:07:15 -07:00
|
|
|
# common "user" groups for "console users" on desktops/laptops
|
|
|
|
group: dialout allow: *
|
|
|
|
group: disk allow: *
|
|
|
|
group: adm allow: *
|
|
|
|
group: cdrom allow: *
|
|
|
|
group: floppy allow: *
|
|
|
|
group: audio allow: *
|
|
|
|
group: dip allow: *
|
|
|
|
group: plugdev allow: *
|
2012-09-11 20:58:02 -07:00
|
|
|
group: netdev allow: *
|
|
|
|
group: bluetooth allow: *
|
|
|
|
group: video allow: *
|
|
|
|
group: voice allow: *
|
|
|
|
group: fax allow: *
|
|
|
|
group: tty allow: *
|
2006-09-27 23:07:15 -07:00
|
|
|
# put in a list of other users and groups here that are allowed or denied etc.
|
|
|
|
# e.g.
|
|
|
|
# user: myuser allow: *
|
|
|
|
# user: another allow: suspend hibernate
|
2011-06-30 01:18:26 -07:00
|
|
|
#
|
|
|
|
#
|
|
|
|
# uncomment this line to enable eeze mounting for users
|
|
|
|
# user: someuser allow: /bin/mount /bin/umount /usr/bin/eject
|
|
|
|
#
|
|
|
|
#
|
2006-09-27 23:07:15 -07:00
|
|
|
# deny everyone else by default
|
2006-09-03 01:51:32 -07:00
|
|
|
user: * deny: *
|