You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

78 lines
2.9 KiB

# ENLIGHTENMENT SYSTEM ACTIONS CONFIGURATION
#
# This is a system configuration for allowing or denying certain users or
# groups to be able to do certain actions that involve system restricted
# actions such as halt, reboot, suspend, hibernate etc.
#
# This file is read in order from top to bottom - the first rule to MATCH
# will be used for a user or a group, and nothing after that is read.
#
# You must put all the ACTION definitons BEFORE user and group rule matches.
# Any action definitons after a rule match has been found will be ignored.
# This allows actions to be re-defined for different user groups, so matches
# so the command for an action can change for matches to the rules later on.
#
# Any user or group NOT matched by an allow or a deny will be ALLOWED to
# perform the action by default (system administrators should be aware of
# this and implement whatever policies they see fit). Generally speaking
# a user of a workstation, desktop or laptop is intended to have such abilities
# to perform these actions, thus the default of allow. For multi-user systems
# the system administrator is considered capable enough to restrict what they
# see they need to.
#
# A WARNING to admins: do NOT allow access for users to this system remotely
# UNLESS you fully trust them or you have locked down permissions to halt/reboot
# suspend etc. here first. You have been warned.
#
# FORMAT:
#
# action: nam command to run
#
# user: username allow: halt reboot suspend hibernate
# group: groupname deny: *
# group: * deny: *
# user: * allow: suspend
# user: billy allow: halt reboot
# group: staff deny: halt suspend hibernate
#
# etc.
#
# user and group name can use glob matches (* == all for example) like the
# shell. as can action names allowed or denied.
action: /bin/mount @MOUNT@
action: /bin/umount @UMOUNT@
action: /usr/bin/eject @EJECT@
# root is allowed to do anything - but it needs to be here explicitly anyway
user: root allow: *
# members of operator, staff and admin groups should be able to do all
group: operator allow: *
group: staff allow: *
group: admin allow: *
group: sys allow: *
group: wheel allow: *
group: adm allow: *
# common "user" groups for "console users" on desktops/laptops
group: dialout allow: *
group: disk allow: *
group: adm allow: *
group: cdrom allow: *
group: floppy allow: *
group: audio allow: *
group: dip allow: *
group: plugdev allow: *
group: netdev allow: *
group: bluetooth allow: *
group: video allow: *
group: voice allow: *
group: fax allow: *
group: tty allow: *
# put in a list of other users and groups here that are allowed or denied etc.
# e.g.
# user: myuser allow: *
# user: another allow: suspend hibernate
#
# deny everyone else by default
user: * deny: *