Polkit


polkit (formerly PolicyKit) is an authorization API intended to be used by privileged programs (e.g. system daemons) offering services to unprivileged programs.

Description

Privileged programs (called daemons in the following) with polkit support offload to polkit the decision as to whether a program is allowed to use some function of the daemon. The daemon keeps an incoming request on hold, asks polkit if the program is authorized, and then allows or denies the request based on polkit's answer. The requesting program is not aware of polkit and so needs no polkit support itself. The communication is handled over D-Bus.

Daemons come with polkit action files, which describe the functions they offer and define who is authorized to use them. This can be any user, either the active or inactive user. The action files can also specify that the user needs to authenticate by entering a password, either as themselves or as an administrator. These actions do not grant root permission to an entire process, but rather allow a finer level of control of centralized system policy.

The authorization defaults defined by the action files can be refined by rules files. Here you can define who's admin (root or any user in a special group) and add special handling for an action.

Installation

Note
When updating, refer to the polkit upgrade subpage.

Prerequisites

Polkit uses D-Bus, so set it up first.

Also, make sure CONFIG_FUTEX=y is set in the kernel. Without this option selected, the polkitd process may generate high CPU load.

USE flags

Portage knows the global policykit USE flag for enabling support for polkit in other packages. Enabling this USE flag will pull in sys-auth/polkit automatically (default for desktop profiles):

FILE /etc/portage/make.conf
<syntaxhighlight lang="bash">USE="policykit"</syntaxhighlight>

The USE flags of sys-auth/polkit are:

USE flags for sys-auth/polkit (Policy framework for controlling privileges for system-wide services)

elogind: Use sys-auth/elogind for session tracking
examples: Install examples, usually source code
gtk: Add support for x11-libs/gtk+ (The GIMP Toolkit)
introspection: Add support for GObject based introspection
jit: Enable just-in-time compilation for improved performance. May prevent use of some PaX memory protection features in Gentoo Hardened.
kde: Add support for software made by KDE, a free software community
nls: Add Native Language Support (using gettext, the GNU locale utilities)
pam: Add support for PAM (Pluggable Authentication Modules); DANGEROUS to arbitrarily flip
selinux: !!internal use only!! Security Enhanced Linux support, this must be set by the selinux profile or breakage will occur
systemd: Use sys-apps/systemd for session tracking
test: Enable dependencies and/or preparations necessary to run tests (usually controlled by FEATURES=test but can be toggled independently)

After setting this, update your system so the changes take effect:

root # emerge --ask --changed-use --deep @world

Depending on the above USE flag settings, either elogind or systemd needs to be configured.

Configuration

The action files are in /usr/share/polkit-1/actions; the rules files are in /usr/share/polkit-1/rules.d and /etc/polkit-1/rules.d.

Rules

Rules redefine who is authorized for an action. The names of rules files begin with a number and have the .rules suffix. The files are processed in lexical order, and the first file with a matching rule is used. Custom files should have a low number, like 10.

For example, to let the users of the wheel group also perform functions as administrators, create the following file:

FILE /etc/polkit-1/rules.d/10-admin.rules
<syntaxhighlight lang="javascript">polkit.addAdminRule(function(action, subject) {
    return ["unix-group:wheel"];
});</syntaxhighlight>

To allow user larry to mount disks, create the following file:

FILE /etc/polkit-1/rules.d/10-udisks.rules
<syntaxhighlight lang="javascript">polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.udisks2.filesystem-mount" &&
        subject.user == "larry") {
        return polkit.Result.YES;
    }
});</syntaxhighlight>
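
How the lexical ordering and first-match behaviour play out, as an added example that is not part of the original page or the polkit project: a constructed node harness stands in for polkitd, 50-example.rules is a hypothetical file, and the subject.local and subject.active conditions are an assumption added here to narrow the larry rule to a local, active session.

```javascript
// Added example: constructed stand-in for polkitd's rule engine (runs in node).
const Result = { NO: "no", YES: "yes", AUTH_ADMIN_KEEP: "auth_admin_keep" };

// Constructed rules files: name -> body, written the way a .rules file is.
const ruleFiles = {
    // Hypothetical file: admin password for every udisks2 action.
    "50-example.rules": function(polkit) {
        polkit.addRule(function(action, subject) {
            if (action.id.indexOf("org.freedesktop.udisks2.") == 0) {
                return polkit.Result.AUTH_ADMIN_KEEP;
            }
        });
    },
    // The page's larry rule, narrowed to a local, active session (assumption).
    "10-udisks.rules": function(polkit) {
        polkit.addRule(function(action, subject) {
            if (action.id == "org.freedesktop.udisks2.filesystem-mount" &&
                subject.user == "larry" && subject.local && subject.active) {
                return polkit.Result.YES;
            }
        });
    }
};

// Files load in lexical order of their names, so "9-" sorts after "10-".
function loadOrder(names) {
    return names.slice().sort();
}

// Call rules in load order; the first one that returns a value decides.
function evaluate(files, action, subject) {
    const rules = [];
    const polkit = { Result: Result, addRule: function(fn) { rules.push(fn); } };
    loadOrder(Object.keys(files)).forEach(function(name) { files[name](polkit); });
    for (const rule of rules) {
        const result = rule(action, subject);
        if (result !== undefined && result !== null) return result;
    }
    return null; // nothing matched: the action file's defaults apply
}

const mount = { id: "org.freedesktop.udisks2.filesystem-mount" };
console.log(evaluate(ruleFiles, mount, { user: "larry", local: true, active: true }));
console.log(evaluate(ruleFiles, mount, { user: "larry", local: false, active: true }));
```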

See man polkit for more information.

Usage

Show all available actions:

user $ pkaction

Show details about the given action:

user $ pkaction --verbose --action-id ACTION

List all temporary authorizations for the current session:

user $ pkcheck --list-temp

Run the given program with the user rights of the given user:

user $ pkexec --user USER PROGRAM

For more information see the man pages, e.g. for pkaction: man pkaction

Troubleshooting

This article is issued from Gentoo. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.