

X11R7.4 - man page for policykit.conf (x11r4 section 5)



POLICYKIT.CONF(5)			  PolicyKit.conf			POLICYKIT.CONF(5)

NAME
       PolicyKit.conf - PolicyKit configuration file

DESCRIPTION
       The /etc/PolicyKit/PolicyKit.conf configuration file provides a way for system
       administrators to override policy for mechanisms that use the PolicyKit library to
       determine whether a caller is allowed to use the mechanism.

       Changes to this configuration file are immediately propagated to running processes using
       the PolicyKit library. If the configuration file is invalid, processes using this library
       will log this fact to the system logger and the library will only return no as the
       answer to processes using it.

       The polkit-config-file-validate(1) tool can be used to verify that the configuration file
       is valid.

FILE FORMAT
       The configuration file is an XML document. It must have the following doctype declaration:

	   <!DOCTYPE pkconfig PUBLIC
	    "-//freedesktop//DTD PolicyKit Configuration 1.0//EN"
	    "http://hal.freedesktop.org/releases/PolicyKit/1.0/config.dtd">

       The following elements may be present in the configuration file:

   config
       This is the root element. A single attribute version must be present and must be set to
       "0.1" at this point. There can only be one config element in the configuration file.

   match
       This element is for matching information related to the decision making process and
       includes values describing both the caller and the action. This element can be embedded in
       both config and other match elements (hence allowing for nested matching).

       There can only be a single attribute in each match element and POSIX Extended Regular
       Expression syntax is supported in the value part. The following attributes are supported:

       user
	   This matches on the user's login name.

       action
	   For matching on the given action being queried for, for example action="org.foo.*"
	   will match on all actions whose action identifier begins with the string "org.foo.".

   return
       This element is used to specify what result the PolicyKit library will return. It can
       only be embedded in config and match elements and can embed no elements itself. The return
       element is typically used deeply inside a number of match elements. A single attribute,
       result, is supported and it can assume the following values:

       no
	   Access denied.

       auth_self
	   Access denied, but authentication of the caller as himself will grant access to only
	   that caller.

       auth_self_keep_session
	   Access denied, but authentication of the caller as himself will grant access to any
	   caller in the session the caller belongs to.

       auth_self_keep_always
	   Access denied, but authentication of the caller as himself will grant access to any
	   caller with the given uid in the future.

       auth_admin
	   Access denied, but authentication of the caller as an administrative user will grant
	   access to only that caller.

       auth_admin_keep_session
	   Access denied, but authentication of the caller as an administrative user will grant
	   access to any caller in the session the caller belongs to.

       auth_admin_keep_always
	   Access denied, but authentication of the caller as an administrative user will grant
	   access to any caller with the given uid in the future.

       yes
	   Access granted.

   define_admin_auth
       This element is used to specify the meaning of "authenticate as administrator". It is
       normally used at the top-level but can also be used deep inside a number of match elements
       for conditional behavior.

       There can only be a single attribute in each define_admin_auth element. POSIX Extended
       Regular Expression syntax is not supported in the value part, however multiple values to
       match on can be separated with the bar (|) character. The following attributes are
       supported:

       user
	   Administrator authentication means authenticate as the given user(s). If no
	   define_admin_auth element is given, the default is to use user="root", i.e.
	   administrator authentication means authenticating as the super user.

       group
	   Administrator authentication means that any user in the groups matching the given
	   value can be used to authenticate. Typically, on a system with the root account
	   disabled, one wants to use something like group="wheel" to enable, for example, all
	   UNIX users in the UNIX group wheel to authenticate whenever administrator
	   authentication is required.

EXAMPLES
       For brevity, the standard XML and DOCTYPE headers as well as the top-level config are
       omitted in the following configuration file examples. The actions used may also be
       fictional; use polkit-action(1) to learn about the actions available on your system.

   ALLOW EVERYTHING
       The users "davidz" and "bateman" are allowed to do any action:

	   <match user="davidz|bateman">
	     <return result="yes"/>
	   </match>

   MOUNTING FIXED DRIVES
       Suppose the action org.freedesktop.hal.storage.mount-fixed is used to determine whether
       mounting internal hard drives is allowed. Then this configuration file

	   <match action="org.freedesktop.hal.storage.mount-fixed">
	     <match user="davidz">
	       <return result="yes"/>
	     </match>
	     <match user="freddy">
	       <return result="no"/>
	     </match>
	   </match>

       specifies that user "davidz" is always allowed to do the action, while user "freddy" is
       never allowed to do the action. Other users will be subject to the default results
       specified in the .policy file describing the action.

   AVOIDING THE ROOT PASSWORD
       Suppose the group wheel contains the users on a system who are allowed to carry out
       administrative tasks (i.e. tasks that would usually require the root password) on a system
       where the root account is disabled. Then

	   <define_admin_auth group="wheel"/>

       can be used to specify that users in said group can authenticate using their own password
       in instances where the system would normally prompt for the root password.
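
       The following Python script is an added example, not part of the original man page or
       of PolicyKit: it checks the element and attribute rules given under FILE FORMAT and
       flattens nested match elements into one row per return element, so that rows returning
       yes without any action match (as in ALLOW EVERYTHING above) stand out in a review. The
       names audit and broad_grants and the sample configuration are assumptions made for this
       example.

```python
import xml.etree.ElementTree as ET

RESULTS = {"no", "auth_self", "auth_self_keep_session", "auth_self_keep_always",
           "auth_admin", "auth_admin_keep_session", "auth_admin_keep_always", "yes"}

# Constructed sample: the page's examples wrapped in the top-level config
# element they omit (the DOCTYPE header is left out here, as on the page).
SAMPLE = """<config version="0.1">
  <match user="davidz|bateman"><return result="yes"/></match>
  <match action="org.freedesktop.hal.storage.mount-fixed">
    <match user="davidz"><return result="yes"/></match>
    <match user="freddy"><return result="no"/></match>
  </match>
  <define_admin_auth group="wheel"/>
</config>"""

def audit(xml_text):
    """Return (rules, problems): flattened return rules and format violations."""
    root = ET.fromstring(xml_text)
    rules, problems = [], []
    if root.tag != "config" or root.get("version") != "0.1":
        problems.append('root must be <config version="0.1">')

    def walk(node, conds):
        for child in node:
            attrs = dict(child.attrib)
            if child.tag == "match":
                # exactly one attribute per match; nesting accumulates conditions
                if len(attrs) != 1 or next(iter(attrs)) not in ("user", "action"):
                    problems.append(f"match needs exactly one of user/action: {attrs}")
                walk(child, conds + list(attrs.items()))
            elif child.tag == "return":
                # return carries a known result value and embeds no elements
                if attrs.get("result") not in RESULTS or len(child):
                    problems.append(f"bad return element: {attrs}")
                rules.append((tuple(conds), attrs.get("result")))
            elif child.tag == "define_admin_auth":
                if len(attrs) != 1 or next(iter(attrs)) not in ("user", "group"):
                    problems.append(f"define_admin_auth needs one of user/group: {attrs}")
            else:
                problems.append(f"unknown element <{child.tag}>")
    walk(root, [])
    return rules, problems

def broad_grants(rules):
    """Rules returning 'yes' with no enclosing action match."""
    return [r for r in rules if r[1] == "yes" and not any(k == "action" for k, _ in r[0])]

if __name__ == "__main__":
    rules, problems = audit(SAMPLE)
    print("broad grants:", broad_grants(rules), "problems:", problems)
```

       This does not replace polkit-config-file-validate(1), which remains the tool for
       verifying that the file is valid.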

AUTHOR
       Written by David Zeuthen david@fubar.dk with a lot of help from many others.

BUGS
       Please send bug reports to either the distribution or the hal mailing list; see
       http://lists.freedesktop.org/mailman/listinfo/hal to subscribe.

SEE ALSO
       PolicyKit(8), polkit-config-file-validate(1), polkit-action(1), polkit-auth(1)

PolicyKit				   August 2007				POLICYKIT.CONF(5)