<?xml version="1.0"?>
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
               "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd" [
<!ENTITY version SYSTEM "../version.xml">
]>
<refentry id="pklalockdown.1" xmlns:xi="http://www.w3.org/2003/XInclude">
  <refentryinfo>
    <title>pklalockdown</title>
    <date>May 2009</date>
    <productname>polkit</productname>
  </refentryinfo>

  <refmeta>
    <refentrytitle>pklalockdown</refentrytitle>
    <manvolnum>1</manvolnum>
    <refmiscinfo class="version"></refmiscinfo>
  </refmeta>

  <refnamediv>
    <refname>pklalockdown</refname>
    <refpurpose>Configure lockdown for the Local Authority</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <cmdsynopsis>
      <command>pklalockdown</command>
      <arg><option>--version</option></arg>
      <arg><option>--help</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>pklalockdown</command>
      <arg choice="plain">
        <option>--lockdown</option>
        <replaceable>action</replaceable>
      </arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>pklalockdown</command>
      <arg choice="plain">
        <option>--remove-lockdown</option>
        <replaceable>action</replaceable>
      </arg>
    </cmdsynopsis>

  </refsynopsisdiv>

  <refsect1 id="pklalockdown-description">
    <title>DESCRIPTION</title>
    <para>
      <command>pklalockdown</command> is used to configure lockdown
      for the Local Authority.
    </para>
    <para>
      The effect of locking down an action is that administrator
      authentication is always needed in order for subjects to acquire
      the authorization for the action in question (and the subject
      has to be in an active session on a local console). The obtained
      authorization is temporary and as such typically expires five
      minutes after being obtained.
    </para>
    <para>
      To lock down <replaceable>action</replaceable> use the <option>--lockdown</option> option.
      To remove a lockdown for <replaceable>action</replaceable> use the <option>--remove-lockdown</option> option.
    </para>
  </refsect1>

  <refsect1 id="pklalockdown-required-auhtz">
    <title>REQUIRED AUTHORIZATIONS</title>
    <para>
      The <emphasis>org.freedesktop.policykit.localauthority.lockdown</emphasis>
      authorization is needed to add or remove lockdown. By default,
      this authorization requires administrator authentication and
      cannot be retained.
    </para>
  </refsect1>

  <refsect1 id="pklalockdown-impl-details">
    <title>IMPLEMENTATION DETAILS</title>
    <para>
      Lockdown is implemented through <filename>.pkla</filename>
      files. Locked down actions supersede most other Local
      Authority configuration as the <filename>.pkla</filename> files
      are placed
      in <filename>/var/lib/polkit-1/localauthority90-mandatory.d</filename>.
    </para>
    <para>
      Programs checking authorizations can determine whether an action is
      locked down by checking
      the <emphasis>polkit.localauthority.lockdown</emphasis> key/value pair in
      the details of the authorization response.
    </para>
  </refsect1>

  <refsect1 id="pklalockdown-return-values">
    <title>RETURN VALUE</title>
    <para>
      On success <command>pklalockdown</command> returns 0. Otherwise a
      non-zero value is returned and a diagnostic message is printed
      on standard error.
    </para>
  </refsect1>

  <refsect1 id="pklalockdown-author"><title>AUTHOR</title>
    <para>
      Written by David Zeuthen <email>davidz@redhat.com</email> with
      a lot of help from many others.
    </para>
  </refsect1>

  <refsect1 id="pklalockdown-bugs">
    <title>BUGS</title>
    <para>
      Please send bug reports to either the distribution or the
      polkit-devel mailing list;
      see <ulink url="http://lists.freedesktop.org/mailman/listinfo/polkit-devel"/>
      for how to subscribe.
    </para>
  </refsect1>

  <refsect1 id="pklalockdown-see-also">
    <title>SEE ALSO</title>
    <para>
      <citerefentry>
        <refentrytitle>polkit</refentrytitle><manvolnum>8</manvolnum>
      </citerefentry>,
      <citerefentry>
        <refentrytitle>pkcheck</refentrytitle><manvolnum>1</manvolnum>
      </citerefentry>,
      <citerefentry>
        <refentrytitle>pklocalauthority</refentrytitle><manvolnum>8</manvolnum>
      </citerefentry>
    </para>
  </refsect1>
</refentry>