author Carsten Haitzler (Rasterman) <raster@rasterman.com> 2020-01-12 21:38:54 +0000
committer Carsten Haitzler (Rasterman) <raster@rasterman.com> 2020-01-15 11:33:49 +0000
commit f57572b678f20d269cd1ea474a42c2eb4c727221
tree 68a18716bd59d9cbd76cf4ecb6a91a600b28d93f /data
parent dda50e8d8778762a315a556b74040c60190fda67
e system - add new uber setuid tool to replace all the previous ones
so e has had a bit of a mess of setuid root tools to do things that are essential to maintaining a functioning desktop/laptop/tablet/phone like device like shutting it down or suspending or sqizzling the cpu governor or messing with the backlight or... you get the idea. this has been spread around enlightenment_sys and other special purpose tools. this now unifies it into a single "always there" enlightenment_system backend setuid root slave process whose job it is to do all these things via a stdio protocol in an organized way. this means latency to do something is lower, but at the expense of consuming ram and a lurking process. unfortunately the lurking will be needed soon when i add ddc support to make it even vaguely efficient, so it's a cost i guess we have to pay now. we'll need this in future as well for some stats collection and more. still need to port existing code to use this instead of the existing stuff, and then remove the old stuff.
Diffstat (limited to 'data')
-rw-r--r-- data/etc/meson.build 3
-rw-r--r-- data/etc/system.conf 67
2 files changed, 70 insertions, 0 deletions
diff --git a/data/etc/meson.build b/data/etc/meson.build
index 5c0cc7f32d..46ba187a30 100644
--- a/data/etc/meson.build
+++ b/data/etc/meson.build
@@ -86,3 +86,6 @@ if get_option('install-enlightenment-menu')
)
endif
+install_data('system.conf',
+ install_dir: join_paths(dir_sysconf, 'enlightenment')
+ )
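Review bot: The new install_data() call sets no install_mode, so the permissions of the installed system.conf depend on the source tree and the installer's umask. Because this file is the access control policy for the setuid root enlightenment_system tool, pin the mode explicitly, for example by adding "install_mode: 'rw-r--r--'" to the call, so the file is never installed group- or world-writable. It would also help to note in the commit or the file header that the tool should reject a policy file that is not owned by root.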
diff --git a/data/etc/system.conf b/data/etc/system.conf
new file mode 100644
index 0000000000..6f1355537c
--- /dev/null
+++ b/data/etc/system.conf
@@ -0,0 +1,67 @@
+# Enlightenment System access control file
+#
+# This should be installed as /etc/enlightenment/system.conf if you wish to
+# limit access to enlightenment_system setuid tool. The tool will load this
+# file, if it exists, and abort any kind of execution if the file would not
+# permit the calling user to use it. If this file does not exist, then any
+# user or group will be permitted to run this tool and access its features.
+# This file will be installed
+
+# This file is read in order from top to bottom - the first rule to MATCH
+# will be used for a user or a group, and nothing after that is read.
+
+# Any user or group NOT matched by an allow or a deny will be ALLOWED to
+# perform the action by default (system administrators should be aware of
+# this and implement whatever policies they see fit). Generally speaking
+# a user of a workstation, desktop or laptop is intended to have such abilities
+# to perform these actions, thus the default of allow. For multi-user systems
+# the system administrator is considered capable enough to restrict what they
+# see they need to.
+
+# A WARNING to admins: do NOT allow access for users to this system remotely
+# UNLESS you fully trust them or you have locked down permissions to halt/reboot
+# suspend etc. here first. You have been warned.
+
+# FORMAT:
+#
+# user: username allow: halt reboot suspend hibernate
+# group: groupname deny: *
+# group: * deny: *
+# user: * allow: suspend
+# user: billy allow: halt reboot
+# group: staff deny: halt suspend hibernate
+# ... etc. ...
+#
+# user and group name can use glob matches (* == all for example) like the
+# shell. as can action names allowed or denied.
+
+# root is allowed to do anything - but it needs to be here explicitly anyway
+user: root allow: *
+# members of operator, staff and admin groups should be able to do all
+group: operator allow: *
+group: staff allow: *
+group: admin allow: *
+group: sys allow: *
+group: wheel allow: *
+group: adm allow: *
+# common "user" groups for "console users" on desktops/laptops
+group: dialout allow: *
+group: disk allow: *
+group: adm allow: *
+group: cdrom allow: *
+group: floppy allow: *
+group: audio allow: *
+group: dip allow: *
+group: plugdev allow: *
+group: netdev allow: *
+group: bluetooth allow: *
+group: video allow: *
+group: voice allow: *
+group: fax allow: *
+group: tty allow: *
+group: colord allow: *
+group: input allow: *
+group: sudo allow: *
+
+# deny everyone else by default
+user: * deny: *
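Review bot: The header comments ("If this file does not exist, then any user or group will be permitted" and "Any user or group NOT matched by an allow or a deny will be ALLOWED") describe fail-open behaviour for a setuid root helper, so a deleted or missing system.conf, or a rule set without the final "user: * deny: *", silently grants every action to every user. I would prefer the tool to deny when the file is absent or when nothing matches, and have this shipped file carry the permissive desktop defaults explicitly. Further points in the same hunk: the rules give "allow: *" to broad groups such as tty, audio, video and input, and because action names are glob matched this also covers any action added later (the commit message mentions ddc and stats collection), so listing the actions (halt reboot suspend hibernate) per group would be safer. "group: adm allow: *" appears twice. The comment line "# This file will be installed" is cut off mid-sentence. Finally, the first-match description ("for a user or a group") does not say whether user and group rules are evaluated in one pass, which matters because the trailing "user: * deny: *" only works as intended if an earlier group allow wins for members of the listed groups; please document the evaluation order.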