@schlomo
Created February 7, 2015 19:04
PolicyKit Local Authority policy to lock down the Ubuntu guest session so that it cannot modify the system. Should be installed into /var/lib/polkit-1/localauthority/90-mandatory.d or /etc/polkit-1/localauthority/90-mandatory.d
[Allow harmless stuff]
Identity=unix-user:guest-*
Action=org.freedesktop.color-manager.create-device;org.freedesktop.color-manager.create-profile;com.canonical.indicator.sound.AccountsService.ModifyOwnUser;org.freedesktop.accounts.change-own-user-data
ResultActive=yes
[Allow handling removable media]
Identity=unix-user:guest-*
Action=org.freedesktop.udisks2.filesystem-mount;org.freedesktop.udisks2.eject-media;org.freedesktop.udisks2.ata-standby;org.freedesktop.udisks2.power-off-drive;org.freedesktop.udisks2.modify-device;org.freedesktop.udisks2.cancel-job;org.freedesktop.udisks2.rescan;org.freedesktop.udisks2.encrypted-unlock;org.freedesktop.udisks2.encrypted-change-passphrase
ResultActive=yes
[Disallow any privileged actions]
Identity=unix-user:guest-*
Action=*
ResultActive=auth_admin
ResultInactive=no
ResultAny=no
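
A pre-install check for a .pkla file like the one above, as an added example that is not part of the original gist: it flags key names, result values and identity prefixes that differ from those documented in pklocalauthority(8) before the file goes into 90-mandatory.d. The function name lint_pkla and the SAMPLE text are constructed for illustration.

```python
import configparser

# Key names and result values as documented in pklocalauthority(8).
REQUIRED = {"Identity", "Action"}
RESULT_KEYS = {"ResultAny", "ResultInactive", "ResultActive"}
KNOWN = REQUIRED | RESULT_KEYS | {"ReturnValue"}
RESULTS = {"no", "yes", "auth_self", "auth_self_keep", "auth_admin", "auth_admin_keep"}
PREFIXES = ("unix-user:", "unix-group:", "unix-netgroup:")

# Constructed sample with three deliberate mistakes in the second entry.
SAMPLE = """\
[Allow mounting removable media]
Identity=unix-user:guest-*
Action=org.freedesktop.udisks2.filesystem-mount;org.freedesktop.udisks2.eject-media
ResultActive=yes

[Disallow everything else]
Identity=guest-*
Action=*
ResultActive=auth_admin
ResultInactive=deny
ResultsAny=no
"""


def lint_pkla(text):
    """Return (section, problem) tuples; raises configparser.Error on malformed input."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   comment_prefixes=("#",))
    cp.optionxform = str  # keep key case: ResultAny is not resultany
    cp.read_string(text)
    problems = []
    for section in cp.sections():
        entry = dict(cp.items(section))
        for key in sorted(REQUIRED - set(entry)):
            problems.append((section, f"missing {key}"))
        for key, value in entry.items():
            if key not in KNOWN:
                problems.append((section, f"unknown key {key}"))
            elif key in RESULT_KEYS and value not in RESULTS:
                problems.append((section, f"invalid {key} value {value!r}"))
        for ident in filter(None, entry.get("Identity", "").split(";")):
            if not ident.startswith(PREFIXES):
                problems.append((section, f"identity {ident!r} has no unix-* prefix"))
        if not RESULT_KEYS & set(entry):
            problems.append((section, "no Result* key set"))
    return problems

if __name__ == "__main__":
    print(*lint_pkla(SAMPLE), sep="\n")
```
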