Commit 14264e58 authored by Jana Svarova, committed by David King

Add a sysadmin page on locking down repartitioning

https://bugzilla.gnome.org/show_bug.cgi?id=735675
parent 06e796eb
<page xmlns="http://projectmallard.org/1.0/"
xmlns:its="http://www.w3.org/2005/11/its"
type="topic" style="task"
id="lockdown-repartitioning">
<info>
<link type="guide" xref="user-settings#lockdown"/>
<revision pkgversion="3.14" date="2014-11-25" status="draft"/>
<link type="seealso" xref="dconf-lockdown" />
<credit type="author copyright">
<name>Jana Svarova</name>
<email its:translate="no">jana.svarova@gmail.com</email>
<years>2014</years>
</credit>
<include href="legal.xml" xmlns="http://www.w3.org/2001/XInclude"/>
<desc>Prevent users from changing disk partitions.</desc>
</info>
<title>Lock down repartitioning</title>
<p><sys>polkit</sys> enables you to set permissions for individual
operations. For <sys>udisks2</sys>, the utility for disk management services,
the configuration is located at
<file>/usr/share/polkit-1/actions/org.freedesktop.udisks2.policy</file>. This
file contains a set of actions and default values, which can be overridden by
system administrator.</p>
<note style="tip">
<p>Remember that <sys>polkit</sys> configuration in <file>/etc</file>
overrides that shipped by packages in <file>/usr/share</file>.</p>
</note>
<steps>
<title>To prevent users from changing disks settings:</title>
<item>
<p>Create a file with the same content as in
<file>/usr/share/polkit-1/actions/org.freedesktop.udisks2.policy</file>.</p>
<code>cp /usr/share/polkit-1/actions/org.freedesktop.udisks2.policy /etc/share/polkit-1/actions/org.freedesktop.udisks2.policy</code>
<note style="important">
<p>Do not change the
<file>/usr/share/polkit-1/actions/org.freedesktop.udisks2.policy</file>
file, your changes will be overwritten by the next package update.</p>
</note>
</item>
<item>
<p>Delete any actions you do not need from within the
<code>policyconfig</code> element and add the following lines to the
<file>/etc/polkit-1/actions/org.freedesktop.udisks2.policy</file>
file:</p>
<screen><![CDATA[
<action id="org.freedesktop.udisks2.modify-device">
<description>Modify the disks settings</description>
<message>Authentication is required to modify the disks settings</message>
<defaults>
<allow_any>no</allow_any>
<allow_inactive>no</allow_inactive>
<allow_active>yes</allow_active>
</defaults>
</action>
]]></screen>
<p>Replace <code>no</code> by <code>auth_admin</code> if you want to
ensure only the root user is able to carry out the action.</p>
</item>
<item>
<p>Save the changes.</p>
</item>
</steps>
<p>When the user tries to change the disks settings, the following message is
presented:</p>
<code>Authentication is required to modify the disks settings</code>
</page>
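Review bot: The sample action in step 2 keeps <allow_active>yes</allow_active>, so a user in an active local session can still modify disk settings with no prompt at all. That contradicts the desc ("Prevent users from changing disk partitions") and the closing paragraph, which says the authentication message is presented. Set allow_active to auth_admin (or no) in the example, and reword the sentence that follows it, because replacing only the two no values leaves active sessions unrestricted. Separately, the cp command in step 1 copies to /etc/share/polkit-1/actions/ while step 2 edits /etc/polkit-1/actions/, so the file being edited is never the one that was created. Make the two paths agree, and confirm that polkit reads action files from that directory before the tip describes it as an override. Minor wording: "overridden by system administrator" needs an article, and "file, your changes will be overwritten" is a comma splice.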
......@@ -20,6 +20,7 @@ HELP_FILES = \
keyboard-layout.page \
legal.xml \
lockdown-command-line.page \
lockdown-repartioning.page \
login.page \
login-automatic.page \
login-banner.page \
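Review bot: The file added to HELP_FILES is named lockdown-repartioning.page (missing "ti"), while the page inside it declares id="lockdown-repartitioning". Rename the file to lockdown-repartitioning.page and update this entry so the file name matches the page id, otherwise xrefs to the id and the installed file name will disagree.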
......