PolicyKit.conf

Language: en

Version: 50558 (openSuse - 09/10/07)

Section: 5 (File formats)

NAME

/etc/PolicyKit/PolicyKit.conf - PolicyKit configuration file

DESCRIPTION

The /etc/PolicyKit/PolicyKit.conf configuration file provides a way for system administrators to override the policy that mechanisms, through libpolkit, use to determine whether a caller is privileged to use the mechanism in the way specified by the given action identifier.

Changes to this configuration file are not immediately propagated; the utility polkit-reload-config(1) can be used to notify running processes of the changes to the configuration file.

TODO: we need to have a tool to verify the PolicyKit.conf file.

For more information about the big picture refer to the PolicyKit spec which can be found in /usr/share/doc/policykit/spec/polkit-spec.html depending on the distribution.

CONFIGURATION FILE

The configuration file is an XML document. It must have the following doctype declaration:


 <!DOCTYPE pkconfig PUBLIC "-//freedesktop//DTD PolicyKit Configuration 1.0//EN"
 "http://hal.freedesktop.org/releases/PolicyKit/1.0/config.dtd">

The following elements may be present in the configuration file:

config

Root element. A single attribute version must be present and must be set to 0.1 at this point. There can only be one config element in the configuration file.

match

This element is for matching information related to the decision making process and includes values describing both the caller and the action. This element can be embedded in both config and other match elements (hence allowing for nested matching).

There can only be a single attribute in each match element, and POSIX Extended Regular Expression syntax is supported in the value part. The following attributes are supported:

user
This matches on the user. Both the UNIX uid (e.g. 500) and the user name (e.g. davidz) are tried in the matching process. For example, user="davidz|504" matches the UNIX user with uid 504 and the UNIX user with the name "davidz".
action
For matching on the action. For example, action=hal-storage-* will match all actions whose name begins with the string "hal-storage-".

return

This element is used to specify what result libpolkit should return. It can only be embedded in config and match elements and can embed no elements itself. The return element is typically used deeply inside a number of match elements. A single attribute result is supported, and it can assume the following values:

no
Access denied.
auth_root
Access denied, but authentication of the caller as root will grant access to only that caller.
auth_root_keep_session
Access denied, but authentication of the caller as root will grant access for the remainder of the session the caller stems from.
auth_root_keep_always
Access denied, but authentication of the caller as root will grant access to the user of the caller in the future.
auth_self
Access denied, but authentication of the caller as himself will grant access to only that caller.
auth_self_keep_session
Access denied, but authentication of the caller as himself will grant access for the remainder of the session the caller stems from.
auth_self_keep_always
Access denied, but authentication of the caller as himself will grant access to the user of the caller in the future.
yes
Access granted.

EXAMPLES

For brevity the standard XML and doctype headers are omitted in the following configuration file examples. The actions used may also be fictional, use polkit-list-actions(1) to learn about the actions installed on the system.

ALLOW EVERYTHING

  <config version="0.1">
    <match user="davidz|504">
      <return result="yes"/>
    </match>
  </config>

The UNIX user "davidz" and the UNIX user with uid 504 will be allowed to perform any action.

MOUNTING FIXED DRIVES

Suppose the action hal-storage-mount-fixed is used by hald(8) to determine whether mounting internal hard drives is allowed. Then this configuration file

  <config version="0.1">
    <match action="hal-storage-mount-fixed">
      <match user="davidz">
        <return result="yes"/>
      </match>
      <match user="freddy">
        <return result="no"/>
      </match>
    </match>
  </config>

specifies that UNIX user "davidz" is always allowed to do the action, while UNIX user "freddy" is never allowed to do the action.
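The following Python script is an added example, not part of PolicyKit or this manual page. It checks a PolicyKit.conf document against the structural rules given in the CONFIGURATION FILE section above (one config element with version 0.1, exactly one user or action attribute per match element, a return element carrying only a known result value and no child elements) and then evaluates a caller and action against the two example configurations from the EXAMPLES section. Two things are assumptions rather than statements of the page: Python's re module stands in for POSIX Extended Regular Expressions and patterns are anchored with re.fullmatch, and rules are evaluated depth-first in document order with the first reachable return element winning. The function names validate, evaluate and decide are the example's own.

```python
# Added example (not PolicyKit's own code): validate a PolicyKit.conf document
# against the rules stated in this man page and evaluate a caller/action pair.
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Values the result attribute of <return> may take, per the man page.
RESULTS = {
    "no", "auth_root", "auth_root_keep_session", "auth_root_keep_always",
    "auth_self", "auth_self_keep_session", "auth_self_keep_always", "yes",
}
MATCH_ATTRS = {"user", "action"}


def validate(root: ET.Element) -> list:
    """Return a list of problems; an empty list means the tree obeys the man page rules."""
    problems = []
    if root.tag != "config":
        return [f"root element must be <config>, got <{root.tag}>"]
    if root.attrib.get("version") != "0.1":
        problems.append("config: attribute version must be present and set to 0.1")

    def walk(elem, path):
        for child in elem:
            cpath = f"{path}/{child.tag}"
            if child.tag == "match":
                # Exactly one attribute, and it must be user or action.
                if len(child.attrib) != 1 or not set(child.attrib) <= MATCH_ATTRS:
                    problems.append(f"{cpath}: exactly one attribute (user or action) is allowed")
                else:
                    pattern = next(iter(child.attrib.values()))
                    try:
                        re.compile(pattern)  # ASSUMPTION: Python re stands in for POSIX ERE
                    except re.error as exc:
                        problems.append(f"{cpath}: bad regular expression {pattern!r}: {exc}")
                walk(child, cpath)
            elif child.tag == "return":
                if set(child.attrib) != {"result"}:
                    problems.append(f"{cpath}: the only attribute allowed is result")
                elif child.attrib["result"] not in RESULTS:
                    problems.append(f"{cpath}: unknown result {child.attrib['result']!r}")
                if len(child):
                    problems.append(f"{cpath}: return may not embed other elements")
            else:
                problems.append(f"{cpath}: unknown element")

    walk(root, "config")
    return problems


def evaluate(root: ET.Element, uid: int, username: str, action: str) -> Optional[str]:
    """Return the result of the first <return> reached through matching <match> ancestors,
    or None when no rule applies (the file then overrides nothing for this request).
    ASSUMPTION: the man page does not state the traversal order; depth-first document
    order is used here because it reproduces the page's examples. Patterns are anchored
    with re.fullmatch, also an assumption."""
    problems = validate(root)
    if problems:
        raise ValueError("; ".join(problems))

    def matches(match: ET.Element) -> bool:
        (attr, pattern), = match.attrib.items()
        if attr == "user":
            # Both the numeric uid and the user name are tried, as the man page says.
            return any(re.fullmatch(pattern, v) for v in (str(uid), username))
        return re.fullmatch(pattern, action) is not None

    def walk(elem: ET.Element) -> Optional[str]:
        for child in elem:
            if child.tag == "return":
                return child.attrib["result"]
            if child.tag == "match" and matches(child):
                result = walk(child)
                if result is not None:
                    return result
        return None

    return walk(root)


# The two configurations from the EXAMPLES section (doctype omitted, as there).
ALLOW_EVERYTHING = """<config version="0.1">
  <match user="davidz|504">
    <return result="yes"/>
  </match>
</config>"""

MOUNT_FIXED = """<config version="0.1">
  <match action="hal-storage-mount-fixed">
    <match user="davidz">
      <return result="yes"/>
    </match>
    <match user="freddy">
      <return result="no"/>
    </match>
  </match>
</config>"""


def decide(xml_text: str, uid: int, username: str, action: str) -> Optional[str]:
    """Convenience wrapper: parse, validate and evaluate in one call."""
    return evaluate(ET.fromstring(xml_text), uid, username, action)


if __name__ == "__main__":
    print(decide(ALLOW_EVERYTHING, 504, "bob", "org.example.anything"))
    print(decide(MOUNT_FIXED, 1001, "freddy", "hal-storage-mount-fixed"))
    print(decide(MOUNT_FIXED, 1002, "alice", "hal-storage-mount-fixed"))
```

Because the user attribute is tried against both the numeric uid and the user name, the validator's regular-expression check is worth keeping: a pattern that compiles but is broader than intended (for instance one that is not anchored in the real implementation) widens the set of callers a rule grants access to, and an error in one nested match element silently changes which return element is reached.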

BUGS

Please send bug reports to either the distribution or the HAL mailing list, see http://lists.freedesktop.org/mailman/listinfo/hal on how to subscribe.

SEE ALSO

PolicyKit(8), polkit-list-actions(1)

AUTHOR

Written by David Zeuthen <david@fubar.dk> with a lot of help from many others.