POLICYKIT.CONF(5)		PolicyKit.conf		     POLICYKIT.CONF(5)

NAME
       PolicyKit.conf - PolicyKit configuration file

DESCRIPTION
       The /etc/PolicyKit/PolicyKit.conf configuration file provides a way for
       system administrators to override policy for mechanisms that use the
       PolicyKit library to determine whether a caller is allowed to use the
       mechanism.

       Changes to this configuration file are immediately propagated to
       running processes using the PolicyKit library. If the configuration
       file is invalid, processes using this library will log this fact to the
       system logger and the library will only return no as the answer to
       processes using it.

       The polkit-config-file-validate(1) tool can be used to verify that the
       configuration file is valid.

FILE FORMAT
       The configuration file is an XML document. It must have the following
       doctype declaration:

	   <!DOCTYPE pkconfig PUBLIC
	    "-//freedesktop//DTD PolicyKit Configuration 1.0//EN"
	    "http://hal.freedesktop.org/releases/PolicyKit/1.0/config.dtd">

       The following elements may be present in the configuration file:

   config
       This is the root element. A single attribute version must be present
       and must be set to "0.1" at this point. There can only be one config
       element in the configuration file.

   match
       This element is for matching information related to the decision making
       process and includes values describing both the caller and the action.
       This element can be embedded in both config and other match elements
       (hence allowing for nested matching).

       There can only be a single attribute in each match element, and POSIX
       Extended Regular Expression syntax is supported in the value part. The
       following attributes are supported:

       user
           This matches on the user's login name.

       action
           For matching on the given action being queried for, for example
           action="org.foo.*" will match on all actions whose action
           identifier begins with the string "org.foo.".

   return
       This element is used to specify what result the PolicyKit library
       will return. It can only be embedded in config and match elements and
       can embed no elements itself. The return element is typically used
       deeply inside a number of match elements. A single attribute, result,
       is supported and it can assume the following values:

       no
	   Access denied.

       auth_self
           Access denied, but authentication of the caller as himself will
           grant access to only that caller.

       auth_self_keep_session
           Access denied, but authentication of the caller as himself will
           grant access to any caller in the session the caller belongs to.

       auth_self_keep_always
           Access denied, but authentication of the caller as himself will
           grant access to any caller with the given uid in the future.

       auth_admin
           Access denied, but authentication of the caller as an
           administrative user will grant access to only that caller.

       auth_admin_keep_session
           Access denied, but authentication of the caller as an
           administrative user will grant access to any caller in the session
           the caller belongs to.

       auth_admin_keep_always
           Access denied, but authentication of the caller as an
           administrative user will grant access to any caller with the given
           uid in the future.

       yes
	   Access granted.

   define_admin_auth
       This element is used to specify the meaning of "authenticate as
       administrator". It is normally used at the top-level but can also be
       used deep inside a number of match elements for conditional behavior.

       There can only be a single attribute in each define_admin_auth element.
       POSIX Extended Regular Expression syntax is not supported in the value
       part; however, multiple values to match on can be separated with the
       bar (|) character. The following attributes are supported:

       user
           Administrator authentication means authenticate as the given
           user(s). If no define_admin_auth element is given, the default is
           to use user="root", i.e. administrator authentication means
           authenticating as the super user.

       group
           Administrator authentication means that any user in the groups
           matching the given value can be used to authenticate. Typically, on
           a system with the root account disabled, one wants to use something
           like group="wheel" to, e.g., enable all UNIX users in the UNIX
           group wheel to authenticate whenever administrator authentication
           is required.

EXAMPLES
       For brevity, the standard XML and DOCTYPE headers as well as the
       top-level config are omitted in the following configuration file
       examples. The actions used may also be fictional; use polkit-action(1)
       to learn about the actions available on your system.

   ALLOW EVERYTHING
       The users "davidz" and "bateman" are allowed to do any action:

	   <match user="davidz|bateman">
	     <return result="yes"/>
	   </match>

   MOUNTING FIXED DRIVES
       Suppose the action org.freedesktop.hal.storage.mount-fixed is used to
       determine whether mounting internal hard drives is allowed. Then this
       configuration file

	   <match action="org.freedesktop.hal.storage.mount-fixed">
	     <match user="davidz">
	       <return result="yes"/>
	     </match>
	     <match user="freddy">
	       <return result="no"/>
	     </match>
	   </match>

       specifies that user "davidz" is always allowed to do the action, while
       user "freddy" is never allowed to do the action. Other users will be
       subject to the default results specified in the .policy file
       describing the action.

   AVOIDING THE ROOT PASSWORD
       Suppose the group wheel contains the users on a system who are allowed
       to carry out administrative tasks (i.e. tasks that would usually
       require the root password) on a system where the root account is
       disabled. Then

	   <define_admin_auth group="wheel"/>

       can be used to specify that users in said group can authenticate using
       their own password in instances where the system would normally prompt
       for the root password.
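
       The following Python linter is an added example, not part of PolicyKit
       or of this manual page. It checks the structural rules from FILE FORMAT
       and flags any return result="yes" with no action match above it, the
       pattern shown under ALLOW EVERYTHING. The function names and the sample
       document are constructed for illustration; polkit-config-file-validate(1)
       remains the authoritative validity check.

```python
import xml.etree.ElementTree as ET

RESULTS = {"no", "yes"} | {f"auth_{who}{keep}" for who in ("self", "admin")
                           for keep in ("", "_keep_session", "_keep_always")}

# Constructed sample: two examples from this page plus one deliberately bad rule.
SAMPLE = """<!DOCTYPE pkconfig PUBLIC "-//freedesktop//DTD PolicyKit Configuration 1.0//EN"
 "http://hal.freedesktop.org/releases/PolicyKit/1.0/config.dtd">
<config version="0.1">
  <define_admin_auth group="wheel"/>
  <match user="davidz|bateman"><return result="yes"/></match>
  <match action="org.freedesktop.hal.storage.mount-fixed">
    <match user="freddy"><return result="no"/></match>
    <match user="davidz" action="org.foo.*"><return result="maybe"/></match>
  </match>
</config>"""

def one_attr(elem, allowed):  # exactly one attribute, taken from the allowed set
    return len(elem.attrib) == 1 and set(elem.attrib) <= allowed

def audit(xml_text):
    """Return findings (strings) for a PolicyKit.conf document; [] if clean."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "config" or root.get("version") != "0.1":
        findings.append('root element must be <config version="0.1">')
    def walk(node, path, action_scoped):
        for child in node:
            here = f"{path}/{child.tag}"
            if child.tag == "match":
                if not one_attr(child, {"user", "action"}):
                    findings.append(f"{here}: needs exactly one of user= or action=")
                walk(child, here, action_scoped or "action" in child.attrib)
            elif child.tag == "return":
                result = child.get("result")
                if not one_attr(child, {"result"}) or result not in RESULTS or len(child):
                    findings.append(f"{here}: invalid return (result={result!r})")
                elif result == "yes" and not action_scoped:
                    findings.append(f"{here}: grants every action (no action= match above)")
            elif child.tag == "define_admin_auth":
                if not one_attr(child, {"user", "group"}):
                    findings.append(f"{here}: needs exactly one of user= or group=")
            else:
                findings.append(f"{here}: unknown element")
    walk(root, root.tag, False)
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```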

AUTHOR
       Written by David Zeuthen <david@fubar.dk> with a lot of help from many
       others.

BUGS
       Please send bug reports to either the distribution or the hal mailing
       list; see http://lists.freedesktop.org/mailman/listinfo/hal to
       subscribe.

SEE ALSO
       PolicyKit(8), polkit-config-file-validate(1), polkit-action(1),
       polkit-auth(1)

PolicyKit			  August 2007		     POLICYKIT.CONF(5)
