polkit

General

Also known as policykit

You have probably already met polkit authentication prompts during your daily work, e.g.:

When you run systemctl restart <servicename> or run0

==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ====
Authentication is required to manage system services or other units.
Authenticating as: root
Password:
==== AUTHENTICATION COMPLETE ====

It is also often seen when you want to reboot your system but your account is not permitted to reach that target.

Creating rules for polkit

To create custom rules, place files beneath /etc/polkit-1/rules.d. The file names have to follow the pattern [0-9]{2}<rulename>.rules

Keep in mind that the rule files are evaluated in sorted order: a rule file starting with 00 is evaluated before one starting with 99, and the first rule that returns a result decides, so the order matters.

Polkit rule files are written in JavaScript.

Let's have a look at how such a file could look:

for a single user

polkit.addRule(function(action, subject) {
    // allow <USERNAME> to run exactly this one command via pkexec without a prompt
    if (action.id == "org.freedesktop.policykit.exec" &&
        subject.user == "<USERNAME>" &&
        action.lookup("command") == "/path/to/command") {
        return polkit.Result.YES;
    }
});

for groups

polkit.addRule(function(action, subject) {
    // allow every member of <GROUPNAME> to run exactly this one command via pkexec
    if (action.id == "org.freedesktop.policykit.exec" &&
        subject.isInGroup("<GROUPNAME>") &&
        action.lookup("command") == "/path/to/command") {
        return polkit.Result.YES;
    }
});

After creating your custom rule, don't forget to restart the service:

$ systemctl restart polkit.service
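To see why the file order matters, here is an added example that is not part of this page or of polkit itself: a small Node-runnable stand-in for polkitd's rule engine (hypothetical; the real engine is inside polkitd) that loads two constructed rule files in sorted order and shows that the first rule returning a non-null result decides, so an early deny beats a later allow. The group name "ops", the command paths and the user names are constructed sample values.

```javascript
// Added stand-in for polkitd's rule engine (not real polkit; Node-runnable).
// Real rule files only see the global `polkit` object plus `action` and `subject`.
const polkit = {
  // Values match what polkitd's JavaScript exposes; null means "not handled".
  Result: { NO: "no", YES: "yes", AUTH_SELF: "auth_self", AUTH_SELF_KEEP: "auth_self_keep",
            AUTH_ADMIN: "auth_admin", AUTH_ADMIN_KEEP: "auth_admin_keep", NOT_HANDLED: null },
  rules: [],
  addRule(fn) { this.rules.push(fn); },
  log(msg) { /* polkitd writes this to the journal; kept silent here */ },
};
// Constructed action/subject objects offering the methods the rules use.
function makeAction(id, details) {
  return { id, lookup: (key) => (key in details ? details[key] : null) };
}
function makeSubject(user, groups) {
  return { user, isInGroup: (g) => groups.includes(g) };
}
// polkitd semantics: rule files run in sorted order, the first rule that returns
// a non-null result decides; if none does, the action's implicit setting applies.
function checkAuthorization(action, subject, implicitResult) {
  for (const rule of polkit.rules) {
    const r = rule(action, subject);
    if (r !== undefined && r !== null) return r;
  }
  return implicitResult;
}
// --- constructed 10-deny-shell.rules: never hand out an interactive shell via pkexec ---
polkit.addRule(function (action, subject) {
  if (action.id == "org.freedesktop.policykit.exec" &&
      action.lookup("command") == "/bin/bash") {
    return polkit.Result.NO;
  }
});
// --- constructed 50-ops-restart.rules: group "ops" may run one fixed command ---
polkit.addRule(function (action, subject) {
  if (action.id == "org.freedesktop.policykit.exec" &&
      subject.isInGroup("ops") &&
      action.lookup("command") == "/usr/local/sbin/restart-webapp") {
    polkit.log("ops member " + subject.user + " allowed restart-webapp");
    return polkit.Result.YES;
  }
});
// Decide a pkexec request for `command` by `user`; the implicit setting for
// org.freedesktop.policykit.exec is auth_admin, as `pkaction -v` shows.
function decidePkexec(user, groups, command) {
  const action = makeAction("org.freedesktop.policykit.exec", { command: command });
  return checkAuthorization(action, makeSubject(user, groups), polkit.Result.AUTH_ADMIN);
}
```

Swapping the two file prefixes (allow as 10, deny as 50) would let an "ops" member obtain the denied shell, because the allow rule would then return first.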

Display polkit permissions

To display the permissions polkit applies to you, use the command pkaction. It shows the details of certain actions.

For example, for executing commands using run0:

$ pkaction -v --action-id=org.freedesktop.policykit.exec
org.freedesktop.policykit.exec:
  description:       Run a program as another user
  message:           Authentication is required to run a program as another user
  vendor:            The polkit project
  vendor_url:        http://www.freedesktop.org/wiki/Software/polkit/
  icon:
  implicit any:      auth_admin
  implicit inactive: auth_admin
  implicit active:   auth_admin

To see all actions that apply to your user, run the command pkaction -v

If you see auth_admin_keep instead of auth_admin, it means the authorization is kept for a short time after you have authenticated once, so within that window no further authentication dialog is shown and you do not have to enter the password again.

pkexec

Allows you to run a command as a different user, provided your user is permitted to do so, similar to what sudo does.

For the differences between sudo and polkit, have a look at the man pages of polkit and its executables.

pkcheck

pkcheck allows you to check whether a process is authorized for an action.

I could not place samples here as it gave me some strange output.

Whenever I tried to query whether an exec action is authorized or not, e.g. using pkcheck -a org.freedesktop.policykit.exec -p <pid> -u, it showed the password prompt again on my run0 terminal, which did not let me re-authenticate, and the whole run0 process got stuck.

As soon as I get this working, I will post it.