Man Linux: Main Page and Category List

NAME

       PolicyKit.conf - PolicyKit configuration file

DESCRIPTION

       The /etc/PolicyKit/PolicyKit.conf configuration file provides a way for
       system administrators to override policy for mechanisms that use the
       PolicyKit library to determine whether a caller is allowed to use the
       mechanism.

       Changes to this configuration file are immediately propagated to
       running processes using the PolicyKit library. If the configuration
       file is invalid, processes using this library will log this fact to the
       system logger and the library will only only return no as the answer to
       processes using it.

       The polkit-config-file-validate(1) tool can be used to verify that the
       configuration file is valid.

FILE FORMAT

       The configuration file is an XML document. It must have the following
       doctype declaration:

           <!DOCTYPE pkconfig PUBLIC
            "-//freedesktop//DTD PolicyKit Configuration 1.0//EN"
            "http://hal.freedesktop.org/releases/PolicyKit/1.0/config.dtd">

       The following elements may be present in the configuration file:

   config
       This is the root element. A single attribute version must be present
       and must be set to "0.1" at this point. There can only be one config
       element in the configuration file.

   match
       This element is for matching information related to the decision making
       process and includes values describing both the caller and the action.
       This element can be embedded in both config and other match elements
       (hence allowing for nested matching).

       There can only be a single attribute in each match element and POSIX
       Extended Regular Expression syntax are supported in the value part. The
       following attributes are supported:

       user
           This matches on the users login name.

       action
           For matching on the given action being queried for, for example
           action="org.foo.*"  will match on all actions whose action
           identifier begins with the string "org.foo.".

   return
       This element is for used to specify what result the PolicyKit library
       will return. It can only be embedded in config and match elements and
       can embed no elements itself. The return element is typically used
       deeply inside a number of match elements. A single attribute, result is
       supported and it can assume the following values:

       no
           Access denied.

       auth_self
           Access denied, but authentication of the caller as himself will
           grant access to only that caller.

       auth_self_keep_session
           Access denied, but authentication of the caller as himself will
           grant access to any caller in the session of the caller belongs to.

       auth_self_keep_always
           Access denied, but authentication of the caller as himself will
           grant access any caller with the given uid in the future.

       auth_admin
           Access denied, but authentication of the caller as an
           administrative user will grant access to only that caller.

       auth_admin_keep_session
           Access denied, but authentication of the caller as an
           administrative user will grant access to any caller in the session
           of the caller belongs to.

       auth_admin_keep_always
           Access denied, but authentication of the caller as an
           administrative user will grant access any caller with the given uid
           in the future.

       yes
           Access granted.

   define_admin_auth
       This element is used to specify the meaning of "authenticate as
       administrator". It is normally used at the top-level but can also be
       used deep inside a number of match elements for conditional behavior.

       There can only be a single attribute in each define_admin_auth element.
       POSIX Extended Regular Expression syntax is not supported in the value
       part, however multiple values to match on can be separated with the bar
       (|) character. The following attributes are supported:

       user
           Administrator authentication means authenticate as the given
           user(s). If no define_admin_auth element is given, the default is
           to use user="root" e.g. administrator authentication mean
           authenticate as the super user.

       group
           Administrator authentication means that any user in the groups
           matching the given value can be used to authenticate. Typically, on
           a system with the root account disabled one wants to use something
           like group="wheel" to e.g. enable all UNIX users in the UNIX group
           wheel to be able to authentication whenever administrator
           authentication is required.

EXAMPLES

       For brevity, the standard XML and DOCTYPE headers as well as the
       top-level config are omitted in the following configuration file
       examples. The actions used may also be fictional, use polkit-action(1),
       to learn about the actions available on your system.

   ALLOW EVERYTHING
       The users "davidz" and "bateman" are allowed to do any action:

           <match user="davidz|bateman">
             <return result="yes"/>
           </match>

   MOUNTING FIXED DRIVES
       Suppose the action org.freedesktop.hal.storage.mount-fixed is used to
       determine whether mounting internal hard drives are allowed. Then this
       configuration file

           <match action="org.freedesktop.hal.storage.mount-fixed">
             <match user="davidz">
               <return result="yes"/>
             </match>
             <match user="freddy">
               <return result="no"/>
             </match>
           </match>

       specifies that user "davidz" is always allowed to do the action, while
       user "freddy" is never allowed to do the action. Other users will be
       subject to the defaults results specified in the .policy file
       describing the action.

   AVOIDING THE ROOT PASSWORD
       Suppose the group wheel contains the users on a system who are allowed
       to carry out administrative tasks (ie. tasks that would usually require
       the root password) on a system where the root account is disabled. Then

           <define_admin_auth group="wheel"/>

       can be used to specify that users in said group can authenticate using
       their own password in instances where the system would normally prompt
       for the root password.

AUTHOR

       Written by David Zeuthen david@fubar.dk with a lot of help from many
       others.

BUGS

       Please send bug reports to either the distribution or the hal mailing
       list, see http://lists.freedesktop.org/mailman/listinfo/hal. to
       subscribe.

SEE ALSO

       PolicyKit(8), polkit-config-file-validate(1), polkit-action(1), polkit-
       auth(1)