On 09-12-17, Brian wrote:
> On Sat 09 Dec 2017 at 20:07:17 +0100, Dejan Jocic wrote:
>
> > On 09-12-17, Jonathan Dowland wrote:
> > > On Sat, 2017-12-09 at 10:00 +0000, Brian wrote:
> > > > Consistency can be achieved by not installing policykit. The OP
> > > > appears to have chosen the wrong target.
> > >
> > > As Michael pointed out in [1], that's not the case; prior to polkit,
> > > there was no consistency.
> > >
> > >
> > > [1] <8430b277-3757-8261-0e1e-23e274a0b...@debian.org>
> > >
> >
> > Is it anywhere in Debian documentation described how to achieve
> > consistency in a way different than current defaults? Or, even better,
> > is there a way that we could get some kind of configuration option to
> > achieve it? Polkit does not really have user friendly configuration and
> > is not really something that system administrators configure on an
> > everyday basis. At least not in my experience. The only thing that I did
> > find about configuring polkit was from some other distros. Debian wiki
> > page about PolicyKit is not really helpful.
>
> Apart from not installing policykit, setting allow_active to "no" in
> /usr/share/polkit-1/actions/org.freedesktop.login1.policy would do it.
>
> Much better is to use /etc/polkit-1/localauthority. See the manual for
> pklocalauthority.
>
> --
> Brian.
>
The man page for pklocalauthority is a bit more helpful, but far from
self-explanatory. In its examples section, it provides some insight about
writing .pkla files, but it does not show all possible options, or at
least I can't be sure that it does. For example:

[Exclude Some Problematic Users]
Identity=unix-user:homer;unix-user:grimes
Action=com.example.awesomeproduct.*
ResultAny=no
ResultInactive=no
ResultActive=auth_admin

According to that, and after reading the man page for polkit, I can only
deduce that the .pkla file will, for that example, in the
com.example.awesomeproduct.* files read the lines under defaults and
"answer" allow_any and allow_inactive with the no value and allow_active
with the auth_admin value. Fine, that can work. Guess that you can use
wildcards for all users, like unix-user:*, but that is only a guess,
because I can't see it documented anywhere (might have missed it).

What I also do not see anywhere is whether those are the only options
available. Or is there some man page, or additional documentation in
Debian, that can explain that?

Thank you for your time,

Dejan
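
Added example, not part of the original message and not polkit's own code: a small Python linter for .pkla entries such as the one quoted above. The accepted key names, result values and identity prefixes are an assumption taken from pklocalauthority(8) and should be re-checked on your release; lint_pkla and the second sample entry are constructed for illustration.

```python
import configparser

# Assumption: keys, values and prefixes as listed in pklocalauthority(8).
RESULT_KEYS = ("ResultAny", "ResultInactive", "ResultActive")
KEYS = set(RESULT_KEYS) | {"Identity", "Action", "ReturnValue"}
RESULTS = {"yes", "no", "auth_self", "auth_self_keep", "auth_admin", "auth_admin_keep"}
PREFIXES = ("unix-user:", "unix-group:", "unix-netgroup:")

def lint_pkla(text):
    """Return (section, problem) tuples for the entries in one .pkla file."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep key case as written instead of lowercasing
    cp.read_string(text)
    problems = []
    for name in cp.sections():
        sec = cp[name]
        problems += [(name, f"unknown key {k}") for k in sec if k not in KEYS]
        for req in ("Identity", "Action"):
            if not sec.get(req, "").strip():
                problems.append((name, f"missing {req}"))
        for k in RESULT_KEYS:
            if k in sec and sec[k].strip() not in RESULTS:
                problems.append((name, f"{k}: bad value {sec[k]!r}"))
        idents = [i.strip() for i in sec.get("Identity", "").split(";")]
        for ident in filter(None, idents):
            if not ident.startswith(PREFIXES):
                problems.append((name, f"bad identity prefix: {ident}"))
            elif ident.startswith("unix-netgroup:") and set("*?[") & set(ident):
                problems.append((name, f"netgroup cannot use globs: {ident}"))
    return problems

# Entry 1 is quoted from the message; entry 2 is constructed to trip each check.
SAMPLE = """\
[Exclude Some Problematic Users]
Identity=unix-user:homer;unix-user:grimes
Action=com.example.awesomeproduct.*
ResultAny=no
ResultInactive=no
ResultActive=auth_admin

[Constructed bad entry]
Identity=user:bart;unix-netgroup:ops*
Action=com.example.awesomeproduct.*
ResultActive=maybe
AllowActive=yes
"""

if __name__ == "__main__":
    print(*lint_pkla(SAMPLE), sep="\n")
```

Running it over files under /etc/polkit-1/localauthority before they take effect catches a mistyped key or result value.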