PolicyKit.conf
Language: en
Version: 50558 (openSuse - 09/10/07)
Section: 5 (File format)
NAME
/etc/PolicyKit/PolicyKit.conf - PolicyKit configuration file
DESCRIPTION
The /etc/PolicyKit/PolicyKit.conf configuration file provides a way for system administrators to override the policy that mechanisms consult through libpolkit to determine whether a caller is privileged to use the mechanism in the way specified by the given action identifier.
Changes to this configuration file are not immediately propagated; the utility polkit-reload-config(1) can be used to notify running processes of the changes to the configuration file.
TODO: we need to have a tool to verify the PolicyKit.conf file.
For more information about the big picture refer to the PolicyKit spec which can be found in /usr/share/doc/policykit/spec/polkit-spec.html depending on the distribution.
CONFIGURATION FILE
The configuration file is an XML document. It must have the following doctype declaration:
<!DOCTYPE pkconfig PUBLIC "-//freedesktop//DTD PolicyKit Configuration 1.0//EN"
"http://hal.freedesktop.org/releases/PolicyKit/1.0/config.dtd">
The following elements may be present in the configuration file:
config
Root element. A single attribute version must be present and must be set to 0.1 at this point. There can only be one config element in the configuration file.
match
This element is for matching information related to the decision making process and includes values describing both the caller and the action. This element can be embedded in both config and other match elements (hence allowing for nested matching).
There can only be a single attribute in each match element, and POSIX Extended Regular Expression syntax is supported in the value part. The following attributes are supported:
- user
- This matches on the user. Both the UNIX uid (e.g. 500) and the user name (e.g. davidz) are tried in the matching process. For example, user="davidz|504" matches the UNIX user with uid 504 and the UNIX user with the name "davidz".
- action
- For matching on the action, for example action=hal-storage-* will match on all actions whose name begins with the string "hal-storage-".
return
This element is used to specify what result libpolkit should return. It can only be embedded in config and match elements and can embed no elements itself. The return element is typically used deeply inside a number of match elements. A single attribute result is supported and it can assume the following values:
- no
- Access denied.
- auth_root
- Access denied, but authentication of the caller as root will grant access to only that caller.
- auth_root_keep_session
- Access denied, but authentication of the caller as root will grant access for the remainder of the session the caller stems from.
- auth_root_keep_always
- Access denied, but authentication of the caller as root will grant access to the user of the caller in the future.
- auth_self
- Access denied, but authentication of the caller as himself will grant access to only that caller.
- auth_self_keep_session
- Access denied, but authentication of the caller as himself will grant access for the remainder of the session the caller stems from.
- auth_self_keep_always
- Access denied, but authentication of the caller as himself will grant access to the user of the caller in the future.
- yes
- Access granted.
EXAMPLES
For brevity, the standard XML and doctype headers are omitted in the following configuration file examples. The actions used may also be fictional; use polkit-list-actions(1) to learn about the actions installed on the system.
ALLOW EVERYTHING
    <config version="0.1">
      <match user="davidz|504">
        <return result="yes"/>
      </match>
    </config>
The two UNIX users "davidz" and user with UNIX uid 504 will be allowed to do any action.
MOUNTING FIXED DRIVES
Suppose the action hal-storage-mount-fixed is used by hald(8) to determine whether mounting internal hard drives is allowed. Then this configuration file
    <config version="0.1">
      <match action="hal-storage-mount-fixed">
        <match user="davidz">
          <return result="yes"/>
        </match>
        <match user="freddy">
          <return result="no"/>
        </match>
      </match>
    </config>
specifies that UNIX user "davidz" is always allowed to do the action, while UNIX user "freddy" is never allowed to do the action.
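The structural rules from the CONFIGURATION FILE section can be checked mechanically before a file is deployed. The following Python linter is an added example, not part of PolicyKit or of this manual page; the name lint and the warning for a "yes" result with no enclosing action match are assumptions of the example, and it neither evaluates the regular expressions nor decides which return element applies.

```python
import xml.etree.ElementTree as ET

# Result values and match attributes exactly as listed on this manual page.
RESULTS = {"no", "auth_root", "auth_root_keep_session", "auth_root_keep_always",
           "auth_self", "auth_self_keep_session", "auth_self_keep_always", "yes"}
MATCH_ATTRS = {"user", "action"}

def lint(xml_text):
    """Return (errors, warnings) for a PolicyKit.conf document passed as a string."""
    errors, warnings = [], []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"], warnings
    if root.tag != "config":
        return [f"root element is <{root.tag}>, expected <config>"], warnings
    if set(root.attrib) != {"version"} or root.get("version") != "0.1":
        errors.append('<config> must carry the single attribute version="0.1"')

    def walk(elem, path, action_scoped):
        for child in elem:
            where = f"{path}/{child.tag}"
            if child.tag == "match":
                attrs = set(child.attrib)
                if len(attrs) != 1 or not attrs <= MATCH_ATTRS:
                    errors.append(f"{where}: needs exactly one of user= or action=")
                walk(child, where, action_scoped or "action" in attrs)
            elif child.tag == "return":
                if set(child.attrib) != {"result"} or child.get("result") not in RESULTS:
                    errors.append(f"{where}: missing or invalid result attribute")
                if len(child):
                    errors.append(f"{where}: <return> cannot embed elements")
                if child.get("result") == "yes" and not action_scoped:
                    warnings.append(f"{where}: grants every action to the matched user")
            else:  # also catches a second, nested <config>
                errors.append(f"{where}: element not allowed here")

    walk(root, "config", False)
    return errors, warnings

# The page's ALLOW EVERYTHING example, and a constructed file with two mistakes.
ALLOW_ALL = '<config version="0.1"><match user="davidz|504"><return result="yes"/></match></config>'
BROKEN = ('<config version="0.1"><match user="freddy" action="hal-storage-mount-fixed">'
          '<return result="maybe"/></match></config>')

if __name__ == "__main__":
    for name, doc in (("ALLOW_ALL", ALLOW_ALL), ("BROKEN", BROKEN)):
        print(name, lint(doc))
```
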
BUGS
Please send bug reports to either the distribution or the HAL mailing list, see http://lists.freedesktop.org/mailman/listinfo/hal on how to subscribe.
SEE ALSO
PolicyKit(8), polkit-list-actions(1)
AUTHOR
Written by David Zeuthen <david@fubar.dk> with a lot of help from many others.