polkit
polkit (formerly PolicyKit) is an authorization API intended to be used by privileged programs (e.g. system daemons) offering service to unprivileged programs.
Contents |
Description
Privileged programs (in the following called daemons) with polkit support offload the decision, if a program is allowed to use some function of the daemon. The daemon keeps an incoming request on hold, ask polkit, if the program is authorized, and then allows or denies the request based on polkit's return. The requesting program is not aware of polkit and so need no polkit support itself. The communication is handled over D-Bus.
Daemons come with polkit action files, which offer some function and define, who is authorized. This can be any user, the active or inactive user. Also they can define, that the user needs to authenticate by entering a password as himself or as admin. The actions does not grant root permission to an entire process, but rather allows a finer level of control of centralized system policy.
The authorization defaults in the action files can be refined by rules files. Here you can define, who's admin (root or any user in a special group), and add special handling for an action.
Installation
Prerequisites
Polkit uses D-Bus and ConsoleKit, so set them up first.
Software
Portage knows the global USE flag policykit for enabling support for polkit in other packages. Enabling this USE flag will pull in sys-auth/polkit automatically (default for desktop profiles):
USE="... policykit ..."
The USE flags of policykit are:
| USE flag | Default | Recommended | Description |
|---|---|---|---|
| examples | No | Install examples, usually source code | |
| gtk | Yes | Adds support for x11-libs/gtk+ (The GIMP Toolkit) | |
| introspection | Yes | Use dev-libs/gobject-introspection for introspection | |
| kde | Yes | Adds support for KDE (K Desktop Environment) | |
| nls | Yes | Adds Native Language Support (using gettext - GNU locale utilities) | |
| pam | Yes | Adds support for PAM (Pluggable Authentication Modules) - DANGEROUS to arbitrarily flip | |
| selinux | No | !!internal use only!! Security Enhanced Linux support, this must be set by the selinux profile or breakage will occur | |
| systemd | No | Use sys-apps/systemd instead of sys-auth/consolekit for session tracking |
After setting this you want to update your system so the changes take effect:
root # emerge --ask --changed-use --deep @worldConfiguration
The actions file are in /usr/share/polkit-1/actions, the rules files are in /usr/share/polkit-1/rules.d and /etc/polkit-1/rules.d.
Rules
Rules redefine, who's authorized for an action. The rules files begin with a number and are processed in lexical order. The first file with a matching rule is used. Own files should have a low number, like 10. The filenames have the .rules suffix.
To e.g. let also the users of the "wheel" group be functions as administrators, create the following file:
polkit.addAdminRule(function(action, subject) {
return ["unix-group:wheel"];
});
To e.g. allow user "larry" to mount internal disks, create the following file:
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.udisks.filesystem-mount-system-internal" &&
subject.user == "larry" {
return "yes";
}
});
See the polkit man page for more information.
KDE
If you installed KDE with the policykit USE flag, there are systemsettings modules in the "System Administration" section:
- Actions Policy: Rules configuration.
- Global Policy Configuration: Administrator configuration.
Usage
- Show all available actions:
-
user $pkaction
- Show details about the given action:
-
user $pkaction --verbose --action-id ACTION
- List all temporary authorizations for the current session:
-
user $pkcheck --list-temp
- Runs the given program with the user rights of the given user:
-
user $pkexec --user USER PROGRAM
For more information see the man pages, e.g. for pkaction: man pkaction
Troubleshooting
- Gentoo bugtracker: known bugs
- Polkit communicates over D-Bus, so also see the D-Bus "Troubleshooting" section.
