summaryrefslogtreecommitdiff
blob: fe676238b907e9d769055dc5851d78f18a697f85 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
# ENLIGHTENMENT SYSTEM ACTIONS CONFIGURATION
#
# This is a system configuration for allowing or denying certain users or
# groups to be able to do certain actions that involve system restricted
# actions such as halt, reboot, suspend, hibernate etc.
# 
# This file is read in order from top to bottom - the first rule to MATCH
# will be used for a user or a group, and nothing after that is read.
#
# You must put all the ACTION definitons BEFORE user and group rule matches.
# Any action definitons after a rule match has been found will be ignored.
# This allows actions to be re-defined for different user groups, so matches
# so the command for an action can change for matches to the rules later on.
# 
# Any user or group NOT matched by an allow or a deny will be ALLOWED to
# perform the action by default (system administrators should be aware of
# this and implement whatever policies they see fit). Generally speaking
# a user of a workstation, desktop or laptop is intended to have such abilities
# to perform these actions, thus the default of allow. For multi-user systems
# the system administrator is considerd capable enough to restrict what they
# see they need to.
# 
# A WARNING to admins: do NOT allow access for users to this system remotely
# UNLESS you fully trust them or you have locked down permissions to halt/reboot
# suspend etc. here first. You have been warned.
#
# FORMAT:
#
# action:   halt      /sbin/shutdown -h now
# action:   reboot    /sbin/shutdown -r now
# action:   suspend   /etc/acpi/sleep.sh force
# action:   hibernate /etc/acpi/hibernate.sh force
#
# user:  username  allow: halt reboot suspend hibernate
# group: groupname deny:  *
# group: *         deny:  *
# user:  *         allow: suspend
# user:  billy     allow: halt reboot
# group: staff     deny:  halt suspend hibernate
#
# etc.
#
# user and group name can use glob matches (* == all for example) like the
# shell. as can action names allowed or denied. 

action:   halt      /sbin/shutdown -h now
action:   reboot    /sbin/shutdown -r now
action:   suspend   /usr/sbin/pm-suspend
action:   hibernate /usr/sbin/pm-hibernate

# on FreeBSD use this instead of the above.
#action suspend  /usr/sbin/zzz 

# root is allowed to do anything - but it needs to be here explicitly anyway
user:     root      allow: *
# members of operator, staff and admin groups should be able to do all
group:    operator  allow: *
group:    staff     allow: *
group:    admin     allow: *
group:    sys       allow: *
group:    wheel     allow: *
# common "user" groups for "console users" on desktops/laptops
group:    dialout   allow: *
group:    disk      allow: *
group:    adm       allow: *
group:    cdrom     allow: *
group:    floppy    allow: *
group:    audio     allow: *
group:    dip       allow: *
group:    plugdev   allow: *
# put in a list of other users and groups here that are allowed or denied etc.
# e.g.
# user:     myuser     allow:  *
# user:     another    allow:  suspend hibernate
# deny everyone else by default
user:     *         deny:  *