set org.freedesktop.accounts.user-administration to auth_admin_keep
[opensuse:polkit-default-privs.git] / polkit-default-privs.restrictive
1 #
2 # /etc/polkit-default-privs.restrictive use in an envirenment where
3 # hosts are centrally administered and users should have minimal
4 # privileges. Privileged operations require authentication as admin.
5 #
6 #
7 # Please do not modify this file, use polkit-default-privs.local instead.
8 #
9 org.freedesktop.policykit.read                                  auth_admin_keep_always
10 org.freedesktop.policykit.revoke                                auth_admin_keep_always
11 org.freedesktop.policykit.grant                                 auth_admin_keep_always
12 org.freedesktop.policykit.modify-defaults                       auth_admin_keep_always
13 #
14 org.freedesktop.network-manager-settings.system.modify          auth_admin_keep_always
15 org.freedesktop.network-manager-settings.system.hostname.modify auth_admin_keep
16 org.freedesktop.network-manager-settings.system.wifi.share.protected auth_admin
17 org.freedesktop.network-manager-settings.system.wifi.share.open auth_admin
18 org.freedesktop.NetworkManager.enable-disable-network           auth_admin
19 org.freedesktop.NetworkManager.enable-disable-wifi              auth_admin
20 org.freedesktop.NetworkManager.enable-disable-wwan              auth_admin
21 org.freedesktop.NetworkManager.use-user-connections             auth_admin
22 org.freedesktop.NetworkManager.network-control                  auth_admin
23 org.freedesktop.NetworkManager.sleep-wake                       auth_admin
24 # bnc#680140
25 org.freedesktop.NetworkManager.enable-disable-wimax             auth_admin
26 org.freedesktop.NetworkManager.wifi.share.protected             auth_admin
27 org.freedesktop.NetworkManager.wifi.share.open                  auth_admin
28 org.freedesktop.NetworkManager.settings.modify.own              auth_admin
29 org.freedesktop.NetworkManager.settings.modify.system           auth_admin
30 org.freedesktop.NetworkManager.settings.modify.hostname         auth_admin
31 #
32 org.freedesktop.hal.killswitch.bluetooth                        auth_admin_keep_always
33 org.freedesktop.hal.killswitch.wlan                             auth_admin_keep_always
34 org.freedesktop.hal.killswitch.wwan                             auth_admin_keep_always
35 org.freedesktop.hal.lock                                        auth_admin_keep_always
36 org.freedesktop.hal.storage.mount-fixed                         auth_admin_keep_always
37 org.freedesktop.hal.storage.mount-removable                     auth_admin_keep_always
38 org.freedesktop.hal.storage.unmount-others                      auth_admin_keep_always
39 org.freedesktop.hal.storage.eject                               auth_admin_keep_always
40 org.freedesktop.hal.storage.crypto-setup-fixed                  auth_admin_keep_always
41 org.freedesktop.hal.storage.crypto-setup-removable              auth_admin_keep_always
42 org.freedesktop.hal.wol.enabled                                 auth_admin_keep_always
43 org.freedesktop.hal.wol.enable                                  auth_admin_keep_always
44 org.freedesktop.hal.wol.supported                               auth_admin_keep_always
45 # shutdown/reboot should be consistent with consolekit
46 org.freedesktop.hal.power-management.shutdown                   auth_admin_keep_always
47 org.freedesktop.hal.power-management.shutdown-multiple-sessions auth_admin
48 org.freedesktop.hal.power-management.reboot                     auth_admin_keep_always
49 org.freedesktop.hal.power-management.reboot-multiple-sessions   auth_admin
50 org.freedesktop.hal.power-management.set-powersave              auth_admin_keep_always
51 org.freedesktop.hal.power-management.suspend                    auth_admin_keep_always
52 org.freedesktop.hal.power-management.hibernate                  auth_admin_keep_always
53 org.freedesktop.hal.power-management.standby                    auth_admin_keep_always
54 org.freedesktop.hal.power-management.cpufreq                    auth_admin_keep_always
55 org.freedesktop.hal.power-management.lcd-panel                  auth_admin_keep_always
56 org.freedesktop.hal.power-management.light-sensor               auth_admin_keep_always
57 org.freedesktop.hal.power-management.keyboard-backlight         auth_admin_keep_always
58 org.freedesktop.hal.dockstation.undock                          auth_admin_keep_always
59 org.freedesktop.hal.leds.brightness                             auth_admin_keep_always
60 #
61 # device access
62 #
63 org.freedesktop.hal.device-access.sound                         auth_admin_keep_always:yes:yes
64 org.freedesktop.hal.device-access.video4linux                   auth_admin_keep_always:yes:yes
65 org.freedesktop.hal.device-access.cdrom                         auth_admin_keep_always:yes:yes
66 org.freedesktop.hal.device-access.dvb                           auth_admin_keep_always:yes:yes
67 org.freedesktop.hal.device-access.camera                        auth_admin_keep_always:yes:yes
68 org.freedesktop.hal.device-access.scanner                       auth_admin_keep_always:yes:yes
69 org.freedesktop.hal.device-access.audio-player                  auth_admin_keep_always:yes:yes
70 org.freedesktop.hal.device-access.ieee1394-iidc                 auth_admin_keep_always:yes:yes
71 org.freedesktop.hal.device-access.ieee1394-avc                  auth_admin_keep_always:yes:yes
72 org.freedesktop.hal.device-access.pda                           auth_admin_keep_always:yes:yes
73 org.freedesktop.hal.device-access.floppy                        auth_admin_keep_always:yes:yes
74 org.freedesktop.hal.device-access.modem                         auth_admin_keep_always
75 org.freedesktop.hal.device-access.joystick                      auth_admin_keep_always:yes:yes
76 org.freedesktop.hal.device-access.mouse                         auth_admin_keep_always:yes:yes
77 org.freedesktop.hal.device-access.video                         auth_admin_keep_always:yes:yes
78 org.freedesktop.hal.device-access.fingerprint-reader            auth_admin_keep_always:yes:yes
79 org.freedesktop.hal.device-access.obex                          auth_admin_keep_always
80 org.freedesktop.hal.device-access.ppdev                         auth_admin_keep_always
81 org.freedesktop.hal.device-access.removable-block               auth_admin_keep_always
82 #
83 org.libvirt.unix.monitor                                        auth_admin_keep_always
84 org.libvirt.unix.manage                                         auth_admin_keep_always
85 #
86 # gnome-settings-daemon (bnc#690496)
87 #
88 org.gnome.settingsdaemon.datetimemechanism.configure            auth_admin_keep
89 #
90 # colord (bnc#698250)
91 #
92 org.freedesktop.color-manager.create-device                     auth_admin
93 org.freedesktop.color-manager.create-profile                    auth_admin
94 org.freedesktop.color-manager.delete-device                     auth_admin
95 org.freedesktop.color-manager.delete-profile                    auth_admin
96 org.freedesktop.color-manager.modify-device                     auth_admin
97 org.freedesktop.color-manager.modify-profile                    auth_admin
98 org.freedesktop.color-manager.install-system-wide               auth_admin
99 org.freedesktop.color-manager.device-inhibit                    auth_admin
100 org.freedesktop.color-manager.sensor-lock                       auth_admin
101 #
102 # package kit
103 #
104 org.freedesktop.packagekit.package-install                      auth_admin_keep_always
105 org.freedesktop.packagekit.package-install-untrusted            auth_admin
106 org.freedesktop.packagekit.system-trust-signing-key             auth_admin
107 org.freedesktop.packagekit.package-eula-accept                  auth_admin_keep_always
108 org.freedesktop.packagekit.package-remove                       auth_admin_keep_always
109 org.freedesktop.packagekit.system-update                        auth_admin_keep_always
110 org.freedesktop.packagekit.system-rollback                      auth_admin_keep_always
111 org.freedesktop.packagekit.system-sources-configure             auth_admin_keep_always
112 org.freedesktop.packagekit.system-sources-refresh               auth_admin_keep_always
113 org.freedesktop.packagekit.system-network-proxy-configure       auth_admin_keep_always
114 org.freedesktop.packagekit.cancel-foreign                       auth_admin_keep
115 org.freedesktop.packagekit.device-rebind                        auth_admin_keep
116 org.freedesktop.packagekit.system-change-install-root           auth_admin
117 org.freedesktop.packagekit.upgrade-system                       auth_admin
118 #
119 org.pulseaudio.acquire-real-time                                auth_admin_keep_always
120 org.pulseaudio.acquire-high-priority                            auth_admin_keep_always
121 #
122 # gconf
123 #
124 org.gnome.gconf.defaults.set-system                             auth_admin_keep
125 org.gnome.gconf.defaults.set-mandatory                          auth_admin_keep
126 #
127 # just an example program
128 #
129 org.gnome.policykit.examples.jump                               no:no:auth_self_one_shot
130 org.gnome.policykit.examples.frobnicate                         no:no:auth_self
131 org.gnome.policykit.examples.tweak                              no:no:auth_admin
132 org.gnome.policykit.examples.twiddle                            no:no:auth_admin_keep_always
133 org.gnome.policykit.examples.punch                              no:no:auth_self_keep_session
134 org.gnome.policykit.examples.toggle                             no:no:auth_admin_keep_always
135 org.gnome.policykit.examples.kick-foo                           no:no:auth_self
136 org.gnome.policykit.examples.kick-bar                           no:no:auth_self
137 org.gnome.policykit.examples.kick-baz                           no:no:auth_self
138 #
139 # should be consistent with hal
140 org.freedesktop.consolekit.system.stop                          auth_admin_keep_always
141 org.freedesktop.consolekit.system.stop-multiple-users           auth_admin_keep_always
142 org.freedesktop.consolekit.system.restart                       auth_admin_keep_always
143 org.freedesktop.consolekit.system.restart-multiple-users        auth_admin_keep_always
144 #
145 # smpppd
146 #
147 org.opensuse.smpppd.connect                                     auth_admin_keep_always
148
149 #
150 # backup-manager
151 #
152 org.opensuse.backupmanager.schedule                             auth_admin
153
154 #
155 # system-config-printer
156 #
157 org.opensuse.cupspkhelper.mechanism.printer-set-default         auth_admin_keep
158 org.opensuse.cupspkhelper.mechanism.printer-enable              auth_admin_keep
159 org.opensuse.cupspkhelper.mechanism.printer-local-edit          auth_admin_keep
160 org.opensuse.cupspkhelper.mechanism.printer-remote-edit         auth_admin_keep
161 org.opensuse.cupspkhelper.mechanism.class-edit                  auth_admin_keep
162 org.opensuse.cupspkhelper.mechanism.server-settings             auth_admin_keep
163 org.opensuse.cupspkhelper.mechanism.printeraddremove            auth_admin_keep
164 org.opensuse.cupspkhelper.mechanism.job-edit                    auth_admin_keep
165 org.opensuse.cupspkhelper.mechanism.job-not-owned-edit          auth_admin_keep
166 org.opensuse.cupspkhelper.mechanism.devices-get                 auth_admin_keep
167 org.opensuse.cupspkhelper.mechanism.all-edit                    auth_admin_keep
168
169 #
170 # Firewall Zone Switcher
171 #
172 org.opensuse.zoneswitcher.control                               auth_admin
173
174 #
175 # RealTimeKit
176 #
177 org.freedesktop.RealtimeKit1.acquire-high-priority              auth_admin
178 org.freedesktop.RealtimeKit1.acquire-real-time                  auth_admin
179
180 #
181 # polkit-1
182 #
183 org.freedesktop.policykit.exec                                  auth_admin
184 org.freedesktop.policykit.lockdown                              auth_admin
185 # example progam
186 org.freedesktop.policykit.example.pkexec.run-frobnicate         auth_admin
187
188 #
189 # device-kit. Should be consitent with hal
190 #
191 org.freedesktop.udisks.filesystem-mount                auth_admin
192 org.freedesktop.udisks.filesystem-mount-system-internal auth_admin
193 org.freedesktop.udisks.filesystem-check                auth_admin
194 org.freedesktop.udisks.filesystem-check-system-internal auth_admin
195 org.freedesktop.udisks.filesystem-unmount-others       auth_admin
196 org.freedesktop.udisks.filesystem-lsof                 auth_admin
197 org.freedesktop.udisks.filesystem-lsof-system-internal auth_admin
198 org.freedesktop.udisks.drive-eject                     auth_admin
199 org.freedesktop.udisks.drive-detach                    auth_admin
200 org.freedesktop.udisks.change                          auth_admin
201 org.freedesktop.udisks.change-system-internal          auth_admin
202 org.freedesktop.udisks.drive-ata-smart-refresh         auth_admin
203 org.freedesktop.udisks.drive-ata-smart-selftest        auth_admin
204 org.freedesktop.udisks.drive-ata-smart-retrieve-historical-data auth_admin
205 org.freedesktop.udisks.luks-unlock                     auth_admin
206 org.freedesktop.udisks.luks-lock-others                auth_admin
207 org.freedesktop.udisks.linux-md                        auth_admin
208 org.freedesktop.udisks.cancel-job-others               auth_admin
209 org.freedesktop.udisks.inhibit-polling                 auth_admin
210 org.freedesktop.udisks.drive-set-spindown              auth_admin
211 org.freedesktop.udisks.linux-lvm2                      auth_admin
212 #
213 org.freedesktop.upower.suspend                         auth_admin
214 org.freedesktop.upower.hibernate                       auth_admin
215 org.freedesktop.upower.qos.request-latency             auth_admin
216 org.freedesktop.upower.qos.request-latency-persistent  auth_admin
217 org.freedesktop.upower.qos.set-minimum-latency         auth_admin
218 org.freedesktop.upower.qos.cancel-request              auth_admin
219
220 #
221 # YaST
222 #
223 org.opensuse.yast.module-manager.import                         auth_admin
224 org.opensuse.yast.module-manager.lock                           auth_admin
225 org.opensuse.yast.modules.yapi.language.read                    no
226 org.opensuse.yast.modules.yapi.language.write                   no
227 org.opensuse.yast.modules.yapi.time.read                        no
228 org.opensuse.yast.modules.yapi.time.write                       no
229 org.opensuse.yast.modules.ysr.statelessregister                 auth_admin_keep_session
230 org.opensuse.yast.modules.ysr.getregistrationconfig             auth_admin_keep_session
231 org.opensuse.yast.modules.ysr.setregistrationconfig             auth_admin_keep_session
232 org.opensuse.yast.scr.read                                      auth_admin
233 org.opensuse.yast.scr.write                                     auth_admin
234 org.opensuse.yast.scr.execute                                   auth_admin
235 org.opensuse.yast.scr.dir                                       auth_admin
236 org.opensuse.yast.scr.registeragent                             auth_admin
237 org.opensuse.yast.scr.unregisteragent                           auth_admin
238 org.opensuse.yast.scr.unmountagent                              auth_admin
239 org.opensuse.yast.scr.error                                     auth_admin
240 org.opensuse.yast.scr.unregisterallagents                       auth_admin
241 org.opensuse.yast.scr.registernewagents                         auth_admin
242 # webyast
243 org.opensuse.yast.permissions.read                              no
244 org.opensuse.yast.permissions.write                             no
245 org.opensuse.yast.modules.eulas.accept                          no
246 org.opensuse.yast.modules.yapi.activedirectory.read             no
247 org.opensuse.yast.modules.yapi.activedirectory.write            no
248 org.opensuse.yast.modules.yapi.firewall.read                    no
249 org.opensuse.yast.modules.yapi.firewall.write                   no
250 org.opensuse.yast.modules.yapi.kerberos.read                    no
251 org.opensuse.yast.modules.yapi.kerberos.write                   no
252 org.opensuse.yast.modules.yapi.ldap.read                        no
253 org.opensuse.yast.modules.yapi.ldap.write                       no
254 org.opensuse.yast.modules.yapi.mailsettings.read                no
255 org.opensuse.yast.modules.yapi.mailsettings.write               no
256 org.opensuse.yast.modules.yapi.ntp.synchronize                  no
257 org.opensuse.yast.modules.yapi.ntp.setserver                    no
258 org.opensuse.yast.roles.assign                                  no
259 org.opensuse.yast.roles.modify                                  no
260 org.opensuse.yast.modules.yapi.administrator.read               no
261 org.opensuse.yast.modules.yapi.administrator.write              no
262 org.opensuse.yast.modules.yapi.services.read                    no
263 org.opensuse.yast.modules.yapi.services.execute                 no
264 org.opensuse.yast.system.repositories.read                      no
265 org.opensuse.yast.system.repositories.write                     no
266 org.opensuse.yast.system.packages.read                          no
267 org.opensuse.yast.system.patches.read                           no
268 org.opensuse.yast.system.patches.install                        no
269 org.opensuse.yast.system.status.read                            no
270 org.opensuse.yast.system.status.writelimits                     no
271 org.opensuse.yast.modules.logfile.read                          no
272 org.opensuse.yast.modules.yapi.users.groupsget                  no
273 org.opensuse.yast.modules.yapi.users.groupget                   no
274 org.opensuse.yast.modules.yapi.users.groupadd                   no
275 org.opensuse.yast.modules.yapi.users.groupmodify                no
276 org.opensuse.yast.modules.yapi.users.groupdelete                no
277 org.opensuse.yast.modules.yapi.users.usersget                   no
278 org.opensuse.yast.modules.yapi.users.userget                    no
279 org.opensuse.yast.modules.yapi.users.usermodify                 no
280 org.opensuse.yast.modules.yapi.users.useradd                    no
281 org.opensuse.yast.modules.yapi.users.userdelete                 no
282 org.opensuse.yast.modules.yapi.network.read                     no
283 org.opensuse.yast.modules.yapi.network.write                    no
284 # bnc#687807
285 org.opensuse.yast.system.power-management.reboot                no
286 org.opensuse.yast.system.power-management.shutdown              no
287
288
289 # KDE stuff
290
291 org.kde.fontinst.manage                                         auth_admin
292 org.kde.kcontrol.kcmclock.save                                  auth_admin
293 org.kde.kcontrol.kcmremotewidgets.save                          auth_admin
294 org.kde.ksysguard.processlisthelper.changecpuscheduler          auth_admin
295 org.kde.ksysguard.processlisthelper.changeioscheduler           auth_admin
296 org.kde.ksysguard.processlisthelper.renice                      auth_admin
297 org.kde.ksysguard.processlisthelper.sendsignal                  auth_admin
298 org.kde.polkitkde1.changeexplicitauthorizations                 auth_admin_keep
299 org.kde.polkitkde1.changeimplicitauthorizations                 auth_admin
300 org.kde.polkitkde1.changesystemconfiguration                    auth_admin
301 org.kde.polkitkde1.readauthorizations                           auth_admin_keep
302 org.kde.kcontrol.k3bsetup.save                                  auth_admin
303 org.kde.kcontrol.kcmkdm.managefaces                             auth_admin_keep
304 org.kde.kcontrol.kcmkdm.managethemes                            auth_admin_keep
305 org.kde.kcontrol.kcmkdm.save                                    auth_admin
306 # kde backlight helper (bnc#672145)
307 org.kde.powerdevil.backlighthelper.brightness                   auth_admin
308 org.kde.powerdevil.backlighthelper.setbrightness                auth_admin
309
310 # moblin
311
312 org.moblin.clockapplet.mechanism.settimezone                    auth_admin
313 org.moblin.clockapplet.mechanism.settime                        auth_admin
314 org.moblin.clockapplet.mechanism.configurehwclock               auth_admin
315
316 # systemd (bnc#641924)
317 org.freedesktop.hostname1.set-hostname                          auth_admin
318 org.freedesktop.hostname1.set-static-hostname                   auth_admin
319 org.freedesktop.hostname1.set-machine-info                      auth_admin
320 org.freedesktop.systemd1.reply-password                         auth_admin
321 org.freedesktop.systemd1.bus-access                             auth_admin
322 org.freedesktop.timedate1.set-time                              auth_admin_keep
323 org.freedesktop.timedate1.set-timezone                          auth_admin_keep
324 org.freedesktop.timedate1.set-local-rtc                         auth_admin_keep
325 org.freedesktop.locale1.set-locale                              auth_admin_keep
326 org.freedesktop.login1.set-user-linger                          auth_admin_keep
327 org.freedesktop.login1.attach-device                            auth_admin_keep
328 org.freedesktop.login1.flush-devices                            auth_admin_keep
329
330 # gnome-control-center
331 org.gnome.randr.install-system-wide                             auth_admin
332
333 # gnome-power-manager, bnc#650401
334 org.gnome.power.backlight-helper                                auth_admin
335 # xfce4-power-manager, bnc#665169
336 # code is copy&paste from gnome-power-manager
337 org.xfce.power.backlight-helper                                 auth_admin
338
339 # hp-drive-guard
340 com.hp.driveguard.toggle                                        auth_admin
341 com.hp.driveguard.install-setup                                 auth_admin
342
343 # ModemManager
344 org.freedesktop.ModemManager.Device.Control                     auth_admin
345 org.freedesktop.ModemManager.Device.Info                        auth_admin
346 org.freedesktop.ModemManager.Contacts                           auth_admin
347 org.freedesktop.ModemManager.SMS                                auth_admin
348 org.freedesktop.ModemManager.Location                           auth_admin
349 # (bnc#691896)
350 org.freedesktop.ModemManager.USSD                               auth_admin
351
352 # urfkill (bnc#688328)
353 org.freedesktop.urfkill.block                                   auth_admin
354 org.freedesktop.urfkill.blockidx                                auth_admin
355 org.freedesktop.urfkill.unblock                                 auth_admin
356 org.freedesktop.urfkill.unblockidx                              auth_admin
357 org.freedesktop.urfkill.enablekeycontrol                        auth_admin
358
359 # account services (bnc#676638)
360 org.freedesktop.accounts.user-administration                    auth_admin_keep
361 org.freedesktop.accounts.set-login-option                       auth_admin
362 org.freedesktop.accounts.change-own-user-data                   auth_admin
363
364 ###