<page xmlns="http://projectmallard.org/1.0/"
      xmlns:its="http://www.w3.org/2005/11/its"
      type="topic" style="task"
      id="lockdown-repartitioning">

  <info>
    <link type="guide" xref="user-settings#lockdown"/>
    <link type="seealso" xref="dconf-lockdown" />
    <revision pkgversion="3.14" date="2014-12-10" status="review"/>

    <credit type="author copyright">
      <name>Jana Svarova</name>
      <email>jana.svarova@gmail.com</email>
      <years>2014</years>
    </credit>
    <credit type="copyright editor">
      <name>Ekaterina Gerasimova</name>
      <email>kittykat3756@gmail.com</email>
      <years>2014</years>
    </credit>

    <include href="legal.xml" xmlns="http://www.w3.org/2001/XInclude"/>

    <desc>Prevent the user from changing disk partitions.</desc>
  </info>

  <title>Disable repartitioning</title>

  <p><sys>polkit</sys> enables you to set permissions for individual
  operations. For <sys>udisks2</sys>, the utility for disk management services,
  the configuration is located at
  <file>/usr/share/polkit-1/actions/org.freedesktop.udisks2.policy</file>. This
  file contains a set of actions and default values, which can be overridden by
  the system administrator.</p>

  <note style="tip">
    <p>The <sys>polkit</sys> configuration in <file>/etc</file> overrides that
    shipped by packages in <file>/usr/share</file>.</p>
  </note>

  <steps>
    <title>Disable repartitioning</title>
    <item>
      <p>Create a file with the same content as in
      <file>/usr/share/polkit-1/actions/org.freedesktop.udisks2.policy</file>:
      <cmd>cp /usr/share/polkit-1/actions/org.freedesktop.udisks2.policy /etc/polkit-1/actions/org.freedesktop.udisks2.policy</cmd></p>
      <note style="important">
        <p>Do not change the
        <file>/usr/share/polkit-1/actions/org.freedesktop.udisks2.policy</file>
        file, because your changes will be overwritten by the next package update.</p>
      </note>
    </item>
    <item>
      <p>Delete any actions you do not need from within the
      <code>policyconfig</code> element and add the following lines to the
      <file>/etc/polkit-1/actions/org.freedesktop.udisks2.policy</file>
      file:</p>
      <listing>
<code><![CDATA[
<action id="org.freedesktop.udisks2.modify-device">
  <description>Modify the drive settings</description>
  <message>Authentication is required to modify drive settings</message>
  <defaults>
    <allow_any>no</allow_any>
    <allow_inactive>no</allow_inactive>
    <allow_active>yes</allow_active>
  </defaults>
</action>
]]></code>
      </listing>
      <p>Replace <code>no</code> with <code>auth_admin</code> if you want to
      ensure only the root user is able to carry out the action.</p>
    </item>
    <item>
      <p>Save the changes.</p>
    </item>
  </steps>
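
  <p>To check that the override still carries the intended defaults, for
  example after a configuration change, the policy file can be audited with a
  short script. The following is an added example, not part of the original
  GNOME documentation; the names <code>audit_policy</code> and
  <code>ALLOWED</code> and both sample strings are assumptions made for
  illustration, and reporting a missing key as a finding is a choice made by
  this script.</p>
  <listing>
<code><![CDATA[
```python
import sys
import xml.etree.ElementTree as ET

ACTION_ID = "org.freedesktop.udisks2.modify-device"
# Values accepted per key: the page's listing, plus auth_admin in place of "no".
ALLOWED = {
    "allow_any": {"no", "auth_admin"},
    "allow_inactive": {"no", "auth_admin"},
    "allow_active": {"yes"},
}
# Constructed sample inputs, not taken from a real system.
LOCKED_SAMPLE = """<policyconfig><action id="org.freedesktop.udisks2.modify-device">
  <defaults><allow_any>no</allow_any><allow_inactive>auth_admin</allow_inactive>
  <allow_active>yes</allow_active></defaults></action></policyconfig>"""
DRIFTED_SAMPLE = """<policyconfig><action id="org.freedesktop.udisks2.modify-device">
  <defaults><allow_any>yes</allow_any>
  <allow_active>yes</allow_active></defaults></action></policyconfig>"""


def audit_policy(xml_data, action_id=ACTION_ID, allowed=ALLOWED):
    """Return a list of findings; an empty list means the action matches."""
    root = ET.fromstring(xml_data)
    actions = [a for a in root.iter("action") if a.get("id") == action_id]
    if len(actions) != 1:
        return [f"expected exactly one {action_id} action, found {len(actions)}"]
    defaults = actions[0].find("defaults")
    if defaults is None:
        return ["action has no <defaults> element"]
    findings = []
    for key, accepted in allowed.items():
        value = defaults.findtext(key)  # None when the element is absent
        if value is None:
            # Assumption of this script: an unset key is reported, not guessed.
            findings.append(f"{key} is missing")
        elif value.strip() not in accepted:
            findings.append(f"{key}={value.strip()} is not in {sorted(accepted)}")
    return findings


if __name__ == "__main__":
    # With a path argument, audit that file; otherwise audit the samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            results = {sys.argv[1]: audit_policy(fh.read())}
    else:
        results = {"locked": audit_policy(LOCKED_SAMPLE),
                   "drifted": audit_policy(DRIFTED_SAMPLE)}
    for name, findings in results.items():
        print(name, "OK" if not findings else findings)
```
]]></code>
  </listing>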

  <p>When the user tries to change the disk settings, the following message is
  shown: <gui>Authentication is required to modify drive settings</gui>.</p>


</page>