# ENLIGHTENMENT SYSTEM ACTIONS CONFIGURATION # # This is a system configuration for allowing or denying certain users or # groups to be able to do certain actions that involve system restricted # actions such as halt, reboot, suspend, hibernate etc. # # This file is read in order from top to bottom - the first rule to MATCH # will be used for a user or a group, and nothing after that is read. # # You must put all the ACTION definitons BEFORE user and group rule matches. # Any action definitons after a rule match has been found will be ignored. # This allows actions to be re-defined for different user groups, so matches # so the command for an action can change for matches to the rules later on. # # Any user or group NOT matched by an allow or a deny will be ALLOWED to # perform the action by default (system administrators should be aware of # this and implement whatever policies they see fit). Generally speaking # a user of a workstation, desktop or laptop is intended to have such abilities # to perform these actions, thus the default of allow. For multi-user systems # the system administrator is considerd capable enough to restrict what they # see they need to. # # A WARNING to admins: do NOT allow access for users to this system remotely # UNLESS you fully trust them or you have locked down permissions to halt/reboot # suspend etc. here first. You have been warned. # # FORMAT: # # action: halt /sbin/shutdown -h now # action: reboot /sbin/shutdown -r now # action: suspend /etc/acpi/sleep.sh force # action: hibernate /etc/acpi/hibernate.sh force # # user: username allow: halt reboot suspend hibernate # group: groupname deny: * # group: * deny: * # user: * allow: suspend # user: billy allow: halt reboot # group: staff deny: halt suspend hibernate # # etc. # # user and group name can use glob matches (* == all for example) like the # shell. as can action names allowed or denied. action: halt /sbin/shutdown -h now action: reboot /sbin/shutdown -r now action: suspend /usr/sbin/pm-suspend action: hibernate /usr/sbin/pm-hibernate # on FreeBSD use this instead of the above. #action suspend /usr/sbin/zzz # root is allowed to do anything - but it needs to be here explicitly anyway user: root allow: * # members of operator, staff and admin groups should be able to do all group: operator allow: * group: staff allow: * group: admin allow: * group: sys allow: * group: wheel allow: * # common "user" groups for "console users" on desktops/laptops group: dialout allow: * group: disk allow: * group: adm allow: * group: cdrom allow: * group: floppy allow: * group: audio allow: * group: dip allow: * group: plugdev allow: * # put in a list of other users and groups here that are allowed or denied etc. # e.g. # user: myuser allow: * # user: another allow: suspend hibernate # deny everyone else by default user: * deny: *