Polkit

polkit (formerly PolicyKit) is an authorization API intended to be used by privileged programs (e.g. system daemons) offering services to unprivileged programs.

Description
Privileged programs (in the following called daemons) with polkit support offload to polkit the decision as to whether a program is allowed to use some function of the daemon. The daemon keeps an incoming request on hold, asks polkit if the program is authorized, and then allows or denies the request based on polkit's answer. The requesting program is not aware of polkit and so needs no polkit support itself. The communication is handled over D-Bus.

Daemons come with polkit action files, which describe the functions they offer and define who is authorized to use them. This can be any user, either the active or inactive user. They can also specify that the user needs to authenticate by entering a password, as themselves or as an administrator. These actions do not grant root permission to an entire process, but rather allow a finer level of control of centralized system policy.

The authorization defaults defined by the action files can be refined by rules files. Here you can define who's admin (root or any user in a special group) and add special handling for an action.

Prerequisites
Polkit uses D-Bus and ConsoleKit, so set them up first.

Also, make sure you set CONFIG_FUTEX=y in your kernel. Without this option selected, the polkitd process may cause high CPU usage.

Software
Portage knows the global  USE flag for enabling support for polkit in other packages. Enabling this USE flag will pull in automatically (default for desktop profiles):

The USE flags of sys-auth/polkit are:

After setting this you want to update your system so the changes take effect:

Configuration
The actions files are in, the rules files are in and.

Rules
Rules redefine who is authorized for an action. The rules files begin with a number and are processed in lexical order. The first file with a matching rule is used. Your own files should have a low number, like 10, so that they are processed before the others. The filenames have the suffix.

For example, to let the users of the "wheel" group also perform functions as administrators, create the following file:

To allow user "larry" to mount disks, create the following file:

See the polkit man page for more information.
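The two rules described above and the "first matching rule is used" ordering, as an added example that is not taken from the original page. Polkit rules files are written in JavaScript; the file names, the small stand-in for the `polkit` object, the later deny rule and the udisks2 action id are assumptions made for illustration.

```javascript
// Stand-in for the `polkit` object that polkitd provides to rules files, so
// this example runs under Node. Real rules files contain only the add*Rule calls.
const polkit = {
  Result: { YES: "yes", NO: "no", AUTH_ADMIN: "auth_admin" },
  rules: [], adminRules: [],
  addRule(fn) { this.rules.push(fn); },
  addAdminRule(fn) { this.adminRules.push(fn); },
};

// Hypothetical file 10-admin.rules: members of "wheel" count as administrators.
polkit.addAdminRule(function (action, subject) { return ["unix-group:wheel"]; });

// Hypothetical file 10-udisks.rules: user "larry" may mount disks.
// The udisks2 action id is an assumption; the page does not name it.
polkit.addRule(function (action, subject) {
  if (action.id == "org.freedesktop.udisks2.filesystem-mount" &&
      subject.user == "larry") {
    return polkit.Result.YES;
  }
  // Returning nothing means "no opinion": the next rule is consulted.
});

// Hypothetical file 50-deny-mount.rules: sorts later, so it is only reached
// when no earlier rule returned a result.
polkit.addRule(function (action, subject) {
  if (action.id == "org.freedesktop.udisks2.filesystem-mount") return polkit.Result.NO;
});

// Evaluate rules in registration (lexical file) order; the first returned
// value wins, otherwise the default from the action file applies.
function authorize(actionId, user, actionDefault) {
  const action = { id: actionId };
  const subject = { user: user };
  for (const rule of polkit.rules) {
    const result = rule(action, subject);
    if (result) return result;
  }
  return actionDefault;
}

// Administrator identities come from the first admin rule that returns a list.
function adminIdentities() {
  for (const rule of polkit.adminRules) {
    const ids = rule({}, {});
    if (ids) return ids;
  }
  return null;
}
```

Because evaluation stops at the first result, a broad allow rule in a low-numbered file overrides any stricter rule in a later file, so keep low-numbered rules as narrow as possible.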

Usage
Show all available actions:

Show details about the given action:

List all temporary authorizations for the current session:

Run the given program with the user rights of the given user:

For more information see the man pages, e.g. for pkaction: man pkaction

Troubleshooting

 * Polkit communicates over D-Bus, so also see the D-Bus "Troubleshooting" section.