On Sun 10 Dec 2017 at 15:52:30 +0100, Dejan Jocic wrote:

> On 10-12-17, Joe wrote:
> >
> > I thought you might find more examples helpful. The man page says that
> > policies come from /etc/polkit-1 and /var/lib/polkit-1, but on my
> > system the /var/lib location is almost empty, and there's a lot
> > in /usr/share/polkit-1, almost nothing in /etc/polkit-1.
> >
>
> And, like I've said, thank you for your time. But those examples are all
> policy files and local settings are done under
> /etc/polkit-1/localauthority.conf.d/ for configuring which users, groups
> or netgroups will be considered as admins for authentication, and under
> /etc/polkit-1/localauthority/ directories with .pkla extension files
> should be used for overriding policies with local settings. At least it
> goes like that as far as I could deduce from man pages ( anyone thinking
> that I did not understand that well, please correct me ). Now, files

Your understanding is at least as good as or better than mine (which isn't
itself magnificent).

> under /etc/polkit-1/localauthority.conf.d/ I understand, or at least
> believe so. What I'm still searching for is better understanding of
> those .pkla files. I've read those man pages some time ago, when I've
> started with attempts to wrap my head around policykit, but was rather
> busy after that and did not completely finish with it. If I understood
> it right, about any .pkla file should look something like this:

I think this is correct.

> [ Description of what it does ]
>
> Identity=unix-user:someuser;unix-user:someotheruser;unix-group:somegroup;unix-group:someothergroup;unix-netgroup:somegroup;unix-netgroup:someothergroup
> Action=something.from.usr.share.polkit-1.actions
> ResultAny=no/yes/auth_self/auth_admin/auth_self_keep/auth_admin_keep
> ResultInactive=same/options/as/above
> ResultActive=same/options/as/above

At least one of the last three lines is needed. But three is ok.

> Now, what I believe is that for Identity and Action wildcards are
> allowed and that there are no more options aside from ResultAny,

The manual mentions globs.

> ResultInactive and ResultActive that can follow Action part. And that
> no, yes or other values will be returned to Defaults section in that
> policy file defined under Action part and change whatever was defined
> there. If someone with greater understanding of Polkit could tell me if
> I got it right, or not, that would be great. In case that I did not get
> that right, any point in right direction, or explanation would be great
> too.

The best way to understand is to ask for or give a specific example.
Suppose Urs Thuermann has got over the shock his 10-year-old son's
actions gave him and he wanted never to experience such horror again.

[No user rebooting, powering off etc]
Identity=unix-user:*
Action=org.freedesktop.login1.*
ResultAny=no
ResultActive=no
ResultInactive=no

should do it.

That still leaves CTRL+ALT+DEL from a tty to be taken care of.

-- 
Brian.
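
Added example (not part of the original message, and not polkit's own code): a small Python check for the .pkla layout discussed above, which lints each entry and lists the entries whose Identity and Action globs match a given subject and action. The function names, the second sample entry and the use of fnmatch for glob matching are assumptions made for illustration.

```python
import configparser
from fnmatch import fnmatchcase

RESULT_KEYS = ("ResultAny", "ResultInactive", "ResultActive")
# ReturnValue is a further key documented in pklocalauthority(8).
KNOWN_KEYS = {"Identity", "Action", "ReturnValue", *RESULT_KEYS}
RESULT_VALUES = {"no", "yes", "auth_self", "auth_admin",
                 "auth_self_keep", "auth_admin_keep"}
ID_KINDS = {"unix-user", "unix-group", "unix-netgroup"}

# Constructed sample: the entry from the message plus one with a misspelled key.
SAMPLE = """\
[No user rebooting, powering off etc]
Identity=unix-user:*
Action=org.freedesktop.login1.*
ResultAny=no
ResultActive=no
ResultInactive=no

[Constructed entry with a misspelled key]
Identity=unix-group:somegroup
Action=org.freedesktop.login1.*
ResultInactivee=no
"""

def parse_pkla(text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep key names exactly as written
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def lint(entries):
    problems = []
    for name, kv in entries.items():
        problems += [f"[{name}] unknown key {k!r}" for k in sorted(kv.keys() - KNOWN_KEYS)]
        problems += [f"[{name}] missing {k}" for k in ("Identity", "Action") if not kv.get(k)]
        if not any(k in kv for k in RESULT_KEYS):
            problems.append(f"[{name}] no ResultAny/ResultInactive/ResultActive")
        problems += [f"[{name}] bad {k}={kv[k]!r}" for k in RESULT_KEYS
                     if k in kv and kv[k] not in RESULT_VALUES]
        problems += [f"[{name}] bad identity {i!r}" for i in kv.get("Identity", "").split(";")
                     if i and i.partition(":")[0] not in ID_KINDS]
    return problems

def matching(entries, identity, action):
    # Globs approximated with fnmatchcase (assumption, not polkit's matcher).
    def hit(value, globs):
        return any(fnmatchcase(value, g) for g in globs.split(";") if g)
    return [(name, {k: kv[k] for k in RESULT_KEYS if k in kv})
            for name, kv in entries.items()
            if hit(identity, kv.get("Identity", "")) and hit(action, kv.get("Action", ""))]
```

Running lint(parse_pkla(SAMPLE)) reports the second entry twice: once for the unknown key and once because no valid Result key remains.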