From: Zbigniew Jędrzejewski-Szmek Date: Sun, 12 Apr 2020 17:14:20 +0000 (+0200) Subject: man: update description of polkit rules for systemd1 X-Git-Tag: v246-rc1~567^2~1 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ae53ea522600b1fc9a25347632299048f4f4c600;p=thirdparty%2Fsystemd.git man: update description of polkit rules for systemd1 Fixes #2562. v2: the erroneous part about CAP_SYS_ADMIN is removed --- diff --git a/man/org.freedesktop.systemd1.xml b/man/org.freedesktop.systemd1.xml index 1f0d1818caf..a3b86d3f1cb 100644 --- a/man/org.freedesktop.systemd1.xml +++ b/man/org.freedesktop.systemd1.xml @@ -242,14 +242,6 @@ node /org/freedesktop/systemd1 { }; - - Security - - Read access is generally granted to all clients, but changes may only be made by privileged - clients. PolicyKit is not used by this service, and access is controlled exclusively via the D-Bus - policy. - - Methods @@ -487,7 +479,6 @@ node /org/freedesktop/systemd1 { url="http://www.freedesktop.org/wiki/Software/systemd/ControlGroupInterface/">New Control Group Interface for more information how to make use of this functionality for resource control purposes. - @@ -620,6 +611,26 @@ node /org/freedesktop/systemd1 { appended to /sys/fs/cgroup/systemd easily. This value will be set to the empty string for the host instance, and some other string for container instances + + + Security + + Read access is generally granted to all clients. Additionally, for unprivileged clients, some + operations are allowed through the PolicyKit privilege system. Operations which modify unit state + (StartUnit(), StopUnit(), KillUnit(), + RestartUnit() and similar, SetProperty) require + org.freedesktop.systemd1.manage-units. Operations which modify unit file + enablement state (EnableUnitFiles(), DisableUnitFiles(), + ReenableUnitFiles(), LinkUnitFiles(), + PresetUnitFiles, MaskUnitFiles, and similar) require + org.freedesktop.systemd1.manage-unit-files). Operations which modify the + exported environment ( SetEnvironment(), UnsetEnvironment(), + UnsetAndSetEnvironment()) require + org.freedesktop.systemd1.set-environment. Reload() + and Reexecute() require + org.freedesktop.systemd1.reload-daemon. + + @@ -886,7 +897,7 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice { Conditions contains all configured conditions of the unit. For each condition five fields are given: condition type (e.g. ConditionPathExists), whether the condition is a trigger condition, whether the condition is reversed, the right hand side of the - condtion (e.g. the path in case of ConditionPathExists), and the status. The status + condition (e.g. the path in case of ConditionPathExists), and the status. The status can be 0, in which case the condition hasn't been checked yet, a positive value, in which case the condition passed, or a negative value, in which case the condition failed. Currently only 0, +1, and -1 are used, but additional values may be used in the future, retaining the meaning of @@ -900,6 +911,16 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice { Transient contains a boolean that indicates whether the unit was created as transient unit (i.e. via CreateTransientUnit() on the manager object) + + + Security + + Similarly to methods on the Manager object, read-only access is + allowed for everyone. All operations are allowed for clients with the + CAP_SYS_ADMIN capability or when the + org.freedesktop.systemd1.manage-units privilege is granted by + PolicyKit. +