diff options
Diffstat (limited to 'data')
| -rw-r--r-- | data/etc/meson.build | 3 | ||||
| -rw-r--r-- | data/etc/system.conf | 67 |
2 files changed, 70 insertions, 0 deletions
diff --git a/data/etc/meson.build b/data/etc/meson.build index 5c0cc7f32d..46ba187a30 100644 --- a/data/etc/meson.build +++ b/data/etc/meson.build @@ -86,3 +86,6 @@ if get_option('install-enlightenment-menu') ) endif +install_data('system.conf', + install_dir: join_paths(dir_sysconf, 'enlightenment') + ) diff --git a/data/etc/system.conf b/data/etc/system.conf new file mode 100644 index 0000000000..6f1355537c --- /dev/null +++ b/data/etc/system.conf @@ -0,0 +1,67 @@ +# Enlightenment System access control file +# +# This should be installed as /etc/enlightenment/system.conf if you wish to +# limit access to enlightenment_system setuid tool. The tool will load this +# file, if it exists, and abort any kind of execution if the file would not +# permit the calling user to use it. If this file does not exist, then any +# user or group will be permitted to run this tool and access its features. +# This file will be installed + +# This file is read in order from top to bottom - the first rule to MATCH +# will be used for a user or a group, and nothing after that is read. + +# Any user or group NOT matched by an allow or a deny will be ALLOWED to +# perform the action by default (system administrators should be aware of +# this and implement whatever policies they see fit). Generally speaking +# a user of a workstation, desktop or laptop is intended to have such abilities +# to perform these actions, thus the default of allow. For multi-user systems +# the system administrator is considered capable enough to restrict what they +# see they need to. + +# A WARNING to admins: do NOT allow access for users to this system remotely +# UNLESS you fully trust them or you have locked down permissions to halt/reboot +# suspend etc. here first. You have been warned. + +# FORMAT: +# +# user: username allow: halt reboot suspend hibernate +# group: groupname deny: * +# group: * deny: * +# user: * allow: suspend +# user: billy allow: halt reboot +# group: staff deny: halt suspend hibernate +# ... etc. ... +# +# user and group name can use glob matches (* == all for example) like the +# shell. as can action names allowed or denied. + +# root is allowed to do anything - but it needs to be here explicitly anyway +user: root allow: * +# members of operator, staff and admin groups should be able to do all +group: operator allow: * +group: staff allow: * +group: admin allow: * +group: sys allow: * +group: wheel allow: * +group: adm allow: * +# common "user" groups for "console users" on desktops/laptops +group: dialout allow: * +group: disk allow: * +group: adm allow: * +group: cdrom allow: * +group: floppy allow: * +group: audio allow: * +group: dip allow: * +group: plugdev allow: * +group: netdev allow: * +group: bluetooth allow: * +group: video allow: * +group: voice allow: * +group: fax allow: * +group: tty allow: * +group: colord allow: * +group: input allow: * +group: sudo allow: * + +# deny everyone else by default +user: * deny: * |