In particular there's no place for polkit or anything similar here.
I'd want things to be configured that way 'once and for all', meaning that a) I'm not really looking forward to having to do this for each and every device or command, and b) that a routine system update (a frequent enough event on an Arch system) must not be able to modify this policy.
I can't help with systemd, but this is getting harder even with initscripts on Linux too, but at least it's almost guaranteed to be possible and easyish with scripted rc. Do you have polkit installed? You may want to make sure it isn't, or remove its rights; letting it error may pollute your logs but may also prevent any potential timeouts from dependent or expectant packages.
From reading the available docs I'm not convinced this will be possible, in particular since the docs concerning logind are rather incomplete (where are those ACLs defined, for example). And 'ping Lennart if you need more info', as suggested, is not really a sustainable solution IMHO.
I approached the polkit dev with similar concerns, asking how I can be sure what rights are granted and giving a blatant example of the inadequate documentation. He picked out the parts of my email suggesting OTHERS were wondering about Red Hat's motives (being mainly a support company now) for the difficulty of configuration and insulted me. In my opinion, he picked that part as an insult to him because he knew his software was for software devs rather than users or admins and I had raised difficult problems he didn't want to answer and which only applied to a small proportion of users. This situation is silly, as a default security stance is by definition overly permissive and all security software should be completely transparent in its permission granting to be taken seriously. Your task should be simple and final but unfortunately I have to wish you good luck.

-- 
_______________________________________________________________________

'Write programs that do one thing and do it well. Write programs to work together. Write programs to handle text streams, because that is a universal interface'

(Doug McIlroy)
_______________________________________________________________________