# ENLIGHTENMENT SYSTEM ACTIONS CONFIGURATION
#
# This is a system configuration for allowing or denying certain users or
# groups to be able to do certain actions that involve system restricted
# actions such as halt, reboot, suspend, hibernate etc.
# 
# This file is read in order from top to bottom - the first rule to MATCH
# will be used for a user or a group, and nothing after that is read.
#
# You must put all the ACTION definitons BEFORE user and group rule matches.
# Any action definitons after a rule match has been found will be ignored.
# This allows actions to be re-defined for different user groups, so matches
# so the command for an action can change for matches to the rules later on.
# 
# Any user or group NOT matched by an allow or a deny will be ALLOWED to
# perform the action by default (system administrators should be aware of
# this and implement whatever policies they see fit). Generally speaking
# a user of a workstation, desktop or laptop is intended to have such abilities
# to perform these actions, thus the default of allow. For multi-user systems
# the system administrator is considered capable enough to restrict what they
# see they need to.
# 
# A WARNING to admins: do NOT allow access for users to this system remotely
# UNLESS you fully trust them or you have locked down permissions to halt/reboot
# suspend etc. here first. You have been warned.
#
# FORMAT:
#
# action:   halt      /sbin/shutdown -h now
# action:   reboot    /sbin/shutdown -r now
# action:   suspend   /etc/acpi/sleep.sh force
# action:   hibernate /etc/acpi/hibernate.sh force
#
# user:  username  allow: halt reboot suspend hibernate
# group: groupname deny:  *
# group: *         deny:  *
# user:  *         allow: suspend
# user:  billy     allow: halt reboot
# group: staff     deny:  halt suspend hibernate
#
# etc.
#
# user and group name can use glob matches (* == all for example) like the
# shell. as can action names allowed or denied. 

action:   halt           /usr/bin/systemctl poweroff
action:   reboot         /usr/bin/systemctl reboot
action:   suspend        /usr/bin/systemctl suspend
action:   hibernate      /usr/bin/systemctl hibernate
action:   /bin/mount     /bin/mount
action:   /bin/umount    /bin/umount
action:   /usr/bin/eject /usr/bin/eject
action:   l2ping         /usr/bin/l2ping

# root is allowed to do anything - but it needs to be here explicitly anyway
user:     root      allow: *
# members of operator, staff and admin groups should be able to do all
group:    operator  allow: *
group:    staff     allow: *
group:    admin     allow: *
group:    sys       allow: *
group:    wheel     allow: *
group:    adm       allow: *
# common "user" groups for "console users" on desktops/laptops
group:    dialout   allow: *
group:    disk      allow: *
group:    adm       allow: *
group:    cdrom     allow: *
group:    floppy    allow: *
group:    audio     allow: *
group:    dip       allow: *
group:    plugdev   allow: *
group:    netdev    allow: *
group:    bluetooth allow: *
group:    video     allow: *
group:    voice     allow: *
group:    fax       allow: *
group:    tty       allow: *
# put in a list of other users and groups here that are allowed or denied etc.
# e.g.
# user:     myuser     allow:  *
# user:     another    allow:  suspend hibernate
#
#
# uncomment this line to enable eeze mounting for users
# user:   someuser allow: /bin/mount /bin/umount /usr/bin/eject
#
#
# deny everyone else by default
user:     *         deny:  *