{"id":3826,"date":"2022-12-20T17:20:11","date_gmt":"2022-12-20T20:20:11","guid":{"rendered":"http:\/\/lode.uno\/linux-man\/index.php\/2022\/12\/20\/polkit-man8\/"},"modified":"2022-12-20T17:20:11","modified_gmt":"2022-12-20T20:20:11","slug":"polkit-man8","status":"publish","type":"post","link":"https:\/\/lode.uno\/linux-man\/2022\/12\/20\/polkit-man8\/","title":{"rendered":"POLKIT (man8)"},"content":{"rendered":"

POLKIT<\/h1>\n

NAME<\/a>
OVERVIEW<\/a>
SYSTEM ARCHITECTURE<\/a>
AUTHENTICATION AGENTS<\/a>
DECLARING ACTIONS<\/a>
AUTHORIZATION RULES<\/a>
AUTHOR<\/a>
BUGS<\/a>
SEE ALSO<\/a>
NOTES<\/a> <\/p>\n

\n

NAME <\/a> <\/h2>\n

polkit \u2212 Authorization Manager<\/p>\n

OVERVIEW <\/a> <\/h2>\n

polkit provides an authorization API intended to be used by privileged programs (\u201cMECHANISMS\u201d) offering service to unprivileged programs (\u201cSUBJECTS\u201d) often through some form of inter\u2212process communication mechanism. In this scenario, the mechanism typically treats the subject as untrusted. For every request from a subject, the mechanism needs to determine if the request is authorized or if it should refuse to service the subject. Using the polkit APIs, a mechanism can offload this decision to a trusted party: The polkit authority.<\/p>\n

The polkit authority is implemented as an system daemon, polkitd<\/b>(8), which itself has little privilege as it is running as the polkitd<\/i> system user. Mechanisms, subjects and authentication agents communicate with the authority using the system message bus.<\/p>\n

In addition to acting as an authority, polkit allows users to obtain temporary authorization through authenticating either an administrative user or the owner of the session the client belongs to. This is useful for scenarios where a mechanism needs to verify that the operator of the system really is the user or really is an administrative user.<\/p>\n

SYSTEM ARCHITECTURE <\/a> <\/h2>\n

The system architecture of polkit is comprised of the Authority<\/i> (implemented as a service on the system message bus) and an Authentication Agent<\/i> per user session (provided and started by the user’s graphical environment). Actions<\/i> are defined by applications. Vendors, sites and system administrators can control authorization policy through Authorization Rules<\/i>.<\/p>\n

[IMAGE] [1]<\/small><\/p>\n

+\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212+
| Authentication |
| Agent |
+\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212+
| libpolkit\u2212agent\u22121 |
+\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212+
^ +\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212+
| | Subject |
+\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212+ +\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212+
| ^
| |
User Session | |
=======================|========================|=============
System Context | |
| |
| +\u2212\u2212\u2212+
V |
\/\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212 |
| System Bus | |
\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\/ |
^ ^ V
| | +\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212+
+\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212+ | | Mechanism |
| | +\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212+
V +\u2212\u2212\u2212\u2212> | libpolkit\u2212gobject\u22121 |
+\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212+ +\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212+
| polkitd(8) |
+\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212+
| org.freedesktop. |
| PolicyKit1 |<\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212+
+\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212+ |
^ |
| +\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212+
| | \/usr\/share\/polkit\u22121\/actions\/*.policy |
| +\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212+
|
+\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212+
| \/etc\/polkit\u22121\/rules.d\/*.rules |
| \/usr\/share\/polkit\u22121\/rules.d\/*.rules |
+\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212+<\/p>\n

For convenience, the libpolkit\u2212gobject\u22121 library wraps the polkit D\u2212Bus API and is usable from any C\/C++ program as well as higher\u2212level languages supporting GObjectIntrospection<\/font><\/b> [2]<\/font><\/small> such as Javascript and Python. A mechanism can also use the D\u2212Bus API or the pkcheck<\/b>(1) command to check authorizations. The libpolkit\u2212agent\u22121 library provides an abstraction of the native authentication system, e.g. pam<\/b>(8) and also facilities registration and communication with the polkit D\u2212Bus service.<\/font><\/p>\n

See the<\/font> developer documentation<\/font><\/b> [3]<\/font><\/small> for more information about writing polkit applications.<\/font><\/p>\n

AUTHENTICATION AGENTS <\/a> <\/h2>\n

An authentication agent is used to make the user of a session prove that the user of the session really is the user (by authenticating as the user) or an administrative user (by authenticating as a administrator). In order to integrate well with the rest of the user session (e.g. match the look and feel), authentication agents are meant to be provided by the user session that the user uses. For example, an authentication agent may look like this:<\/font><\/p>\n

[IMAGE] [4]<\/small><\/font><\/p>\n

+\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212+
| |
| [Icon] Authentication required |
| |
| Authentication is required to format INTEL |
| SSDSA2MH080G1GC (\/dev\/sda) |
| |
| Administrator |
| |
| Password: [__________________________________] |
| |
| [Cancel] [Authenticate] |
+\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212+<\/font><\/p>\n

If the system is configured without a root<\/i> account it may prompt for a specific user designated as the administrative user:<\/font><\/p>\n

[IMAGE] [5]<\/small><\/font><\/p>\n

+\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212+
| |
| [Icon] Authentication required |
| |
| Authentication is required to format INTEL |
| SSDSA2MH080G1GC (\/dev\/sda) |
| |
| [Icon] David Zeuthen |
| |
| Password: [__________________________________] |
| |
| [Cancel] [Authenticate] |
+\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212\u2212+<\/font><\/p>\n

Applications that do not run under a desktop environment (for example, if launched from a ssh<\/b>(1) login) may not have have an authentication agent associated with them. Such applications may use the PolkitAgentTextListener type or the pkttyagent<\/b>(1) helper so the user can authenticate using a textual interface.<\/font><\/p>\n

DECLARING ACTIONS <\/a> <\/h2>\n

A mechanism need to declare a set of actions<\/i> in order to use polkit. Actions correspond to operations that clients can request the mechanism to carry out and are defined in XML files that the mechanism installs into the \/usr\/share\/polkit\u22121\/actions directory.<\/font><\/p>\n

polkit actions are namespaced and can only contain the characters [A\u2212Z][a\u2212z][0\u22129].\u2212 e.g. ASCII, digits, period and hyphen. Each XML file can contain more than one action but all actions need to be in the same namespace and the file needs to be named after the namespace and have the extension .policy.<\/font><\/p>\n

The XML file must have the following doctype declaration<\/font><\/p>\n


“http:\/\/www.freedesktop.org\/software\/polkit\/policyconfig\u22121.dtd”><\/font><\/p>\n

The policyconfig<\/i> element must be present exactly once. Elements that can be used inside policyconfig<\/i> includes:<\/font><\/p>\n

vendor<\/i><\/font><\/p>\n

The name of the project or vendor that is supplying the actions in the XML document. Optional.<\/font><\/p>\n

vendor_url<\/i><\/font><\/p>\n

A URL to the project or vendor that is supplying the actions in the XML document. Optional.<\/font><\/p>\n

icon_name<\/i><\/font><\/p>\n

An icon representing the project or vendor that is supplying the actions in the XML document. The icon name must adhere to the<\/font> Freedesktop.org Icon Naming Specification<\/font><\/b> [6]<\/font><\/small> . Optional.<\/font><\/p>\n

action<\/i><\/font><\/p>\n

Declares an action. The action name is specified using the id attribute and can only contain the characters [A\u2212Z][a\u2212z][0\u22129].\u2212 e.g. ASCII, digits, period and hyphen.<\/font><\/p>\n

Elements that can be used inside action<\/i> include:<\/font><\/p>\n

description<\/i><\/font><\/p>\n

A human readable description of the action, e.g. \u201cInstall unsigned software\u201d.<\/font><\/p>\n

message<\/i><\/font><\/p>\n

A human readable message displayed to the user when asking for credentials when authentication is needed, e.g. \u201cInstalling unsigned software requires authentication\u201d.<\/font><\/p>\n

defaults<\/i><\/font><\/p>\n

This element is used to specify implicit authorizations for clients. Elements that can be used inside defaults<\/i> include:<\/font><\/p>\n

allow_any<\/i><\/font><\/p>\n

Implicit authorizations that apply to any client. Optional.<\/font><\/p>\n

allow_inactive<\/i><\/font><\/p>\n

Implicit authorizations that apply to clients in inactive sessions on local consoles. Optional.<\/font><\/p>\n

allow_active<\/i><\/font><\/p>\n

Implicit authorizations that apply to clients in active sessions on local consoles. Optional.<\/font><\/p>\n

Each of the allow_any<\/i>, allow_inactive<\/i> and allow_active<\/i> elements can contain the following values:<\/font><\/p>\n

no<\/font><\/p>\n

Not authorized.<\/font><\/p>\n

yes<\/font><\/p>\n

Authorized.<\/font><\/p>\n

auth_self<\/font><\/p>\n

Authentication by the owner of the session that the client originates from is required. Note that this is not restrictive enough for most uses on multi\u2212user systems; auth_admin* is generally recommended.<\/font><\/p>\n

auth_admin<\/font><\/p>\n

Authentication by an administrative user is required.<\/font><\/p>\n

auth_self_keep<\/font><\/p>\n

Like auth_self but the authorization is kept for a brief period (e.g. five minutes). The warning about auth_self above applies likewise.<\/font><\/p>\n

auth_admin_keep<\/font><\/p>\n

Like auth_admin but the authorization is kept for a brief period (e.g. five minutes).<\/font><\/p>\n

annotate<\/i><\/font><\/p>\n

Used for annotating an action with a key\/value pair. The key is specified using the the key attribute and the value is specified using the value attribute. This element may appear zero or more times. See below for known annotations.<\/font><\/p>\n

vendor<\/i><\/font><\/p>\n

Used for overriding the vendor on a per\u2212action basis. Optional.<\/font><\/p>\n

vendor_url<\/i><\/font><\/p>\n

Used for overriding the vendor URL on a per\u2212action basis. Optional.<\/font><\/p>\n

icon_name<\/i><\/font><\/p>\n

Used for overriding the icon name on a per\u2212action basis. Optional.<\/font><\/p>\n

For localization, description<\/i> and message<\/i> elements may occur multiple times with different xml:lang attributes.<\/font><\/p>\n

To list installed polkit actions, use the pkaction<\/b>(1) command.<\/font><\/p>\n

Known annotations<\/b>
The org.freedesktop.policykit.exec.path annotation is used by the pkexec<\/b> program shipped with polkit \u2212 see the pkexec<\/b>(1) man page for details.<\/font><\/p>\n

The org.freedesktop.policykit.imply annotation (its value is a string containing a space separated list of action identifiers) can be used to define meta actions<\/i>. The way it works is that if a subject is authorized for an action with this annotation, then it is also authorized for any action specified by the annotation. A typical use of this annotation is when defining an UI shell with a single lock button that should unlock multiple actions from distinct mechanisms.<\/font><\/p>\n

The org.freedesktop.policykit.owner annotation can be used to define a set of users who can query whether a client is authorized to perform this action. If this annotation is not specified then only root can query whether a client running as a different user is authorized for an action. The value of this annotation is a string containing a space separated list of PolkitIdentity entries, for example “unix\u2212user:42 unix\u2212user:colord”. A typical use of this annotation is for a daemon process that runs as a system user rather than root.<\/font><\/p>\n

AUTHORIZATION RULES <\/a> <\/h2>\n

polkitd<\/b> reads .rules files from the \/etc\/polkit\u22121\/rules.d and \/usr\/share\/polkit\u22121\/rules.d directories by sorting the files in lexical order based on the basename on each file (if there’s a tie, files in \/etc are processed before files in \/usr). For example, for the following four files, the order is<\/font><\/p>\n

\u2022 \/etc\/polkit\u22121\/rules.d\/10\u2212auth.rules<\/font><\/p>\n

\u2022 \/usr\/share\/polkit\u22121\/rules.d\/10\u2212auth.rules<\/font><\/p>\n

\u2022 \/etc\/polkit\u22121\/rules.d\/15\u2212auth.rules<\/font><\/p>\n

\u2022 \/usr\/share\/polkit\u22121\/rules.d\/20\u2212auth.rules<\/font><\/p>\n

Both directories are monitored so if a rules file is changed, added or removed, existing rules are purged and all files are read and processed again. Rules files are written in the<\/font> JavaScript<\/font><\/b> [7]<\/font><\/small> programming language and interface with polkitd<\/b> through the global polkit object (of type Polkit<\/b>).<\/font><\/p>\n

While the JavaScript interpreter used in particular versions of polkit may support non\u2212standard features (such as the let<\/i> keyword), authorization rules must conform to<\/font> ECMA\u2212262 edition 5<\/font><\/b> [8]<\/font><\/small> (in other words, the JavaScript interpreter used may change in future versions of polkit).<\/font><\/p>\n

Authorization rules are intended for two specific audiences<\/font><\/p>\n

\u2022 System Administrators<\/font><\/p>\n

\u2022 Special\u2212purpose Operating Systems \/ Environments<\/font><\/p>\n

and those audiences only. In particular, applications, mechanisms and general\u2212purpose operating systems must never include any authorization rules.<\/font><\/p>\n

The Polkit type<\/b>
The following methods are available on the polkit object:<\/font><\/p>\n\n\n\n\n\n
<\/td>\n\n

void addRule(polkit.Result\u00a0function(<\/b>action<\/i>,\u00a0<\/b>subject<\/i>)\u00a0{…});<\/b><\/font><\/p>\n<\/td>\n<\/tr>\n

<\/td>\n\n

void addAdminRule(string[]\u00a0function(<\/b>action<\/i>,\u00a0<\/b>subject<\/i>)\u00a0{…});<\/b><\/font><\/p>\n<\/td>\n<\/tr>\n

<\/td>\n\n

void log(string\u00a0<\/b>message<\/i>);<\/b><\/font><\/p>\n<\/td>\n<\/tr>\n

<\/td>\n\n

string spawn(string[]\u00a0<\/b>argv<\/i>);<\/b><\/font><\/p>\n<\/td>\n<\/tr>\n<\/table>\n

The addRule()<\/b> method is used for adding a function that may be called whenever an authorization check for action<\/i> and subject<\/i> is performed. Functions are called in the order they have been added until one of the functions returns a value. Hence, to add an authorization rule that is processed before other rules, put it in a file in \/etc\/polkit\u22121\/rules.d with a name that sorts before other rules files, for example 00\u2212early\u2212checks.rules. Each function should return a value from polkit.Result<\/font><\/p>\n

polkit.Result = {
NO : “no”,
YES : “yes”,
AUTH_SELF : “auth_self”,
AUTH_SELF_KEEP : “auth_self_keep”,
AUTH_ADMIN : “auth_admin”,
AUTH_ADMIN_KEEP : “auth_admin_keep”,
NOT_HANDLED : null
};<\/font><\/p>\n

corresponding to the values that can be used as defaults. If the function returns polkit.Result.NOT_HANDLED<\/b>, null<\/b>, undefined<\/b> or does not return a value at all, the next user function is tried.<\/font><\/p>\n

Keep in mind that if polkit.Result.AUTH_SELF_KEEP<\/b> or polkit.Result.AUTH_ADMIN_KEEP<\/b> is returned, authorization checks for the same action identifier and subject will succeed (that is, return polkit.Result.YES<\/b>) for the next brief period (e.g. five minutes) even<\/i> if the variables passed along with the check are different. Therefore, if the result of an authorization rule depend on such variables, it should not use the “*_KEEP”<\/b> constants (if similar functionality is required, the authorization rule can easily implement temporary authorizations using the<\/font> Date<\/font><\/b> [9]<\/font><\/small> type for timestamps).<\/font><\/p>\n

The addAdminRule()<\/b> method is used for adding a function may be called whenever administrator authentication is required. The function is used to specify what identies may be used for administrator authentication for the authorization check identified by action<\/i> and subject<\/i>. Functions added are called in the order they have been added until one of the functions returns a value. Each function should return an array of strings where each string is of the form “unix\u2212group:“, “unix\u2212netgroup:” or “unix\u2212user:“. If the function returns null<\/b>, undefined<\/b> or does not return a value at all, the next function is tried.<\/font><\/p>\n

There is no guarantee that a function registered with addRule()<\/b> or addAdminRule()<\/b> is ever called \u2212 for example an early rules file could register a function that always return a value, hence ensuring that functions added later are never called.<\/font><\/p>\n

If user\u2212provided code takes a long time to execute an exception will be thrown which normally results in the function being terminated (the current limit is 15 seconds). This is used to catch runaway scripts.<\/font><\/p>\n

The spawn()<\/b> method spawns an external helper identified by the argument vector argv<\/i> and waits for it to terminate. If an error occurs or the helper doesn’t exit normally with exit code 0, an exception is thrown. If the helper does not exit within 10 seconds it is killed. Otherwise, the program’s standard output<\/i> is returned as a string. The spawn()<\/b> method should be used sparingly as helpers may take a very long or indeterminate amount of time to complete and no other authorization check can be handled while the helper is running. Note that the spawned programs will run as the unprivileged polkitd<\/i> system user.<\/font><\/p>\n

The log()<\/b> method writes the given message<\/i> to the system logger prefixed with the JavaScript filename and line number. Log entries are emitted using the LOG_AUTHPRIV<\/b> flag meaning that the log entries usually ends up in the file \/var\/log\/secure. The log()<\/b> method is usually only used when debugging rules. The Action<\/b> and Subject<\/b> types has suitable toString()<\/b> methods defined for easy logging, for example,<\/font><\/p>\n

polkit.addRule(function(action, subject) {
if (action.id == “org.freedesktop.policykit.exec”) {
polkit.log(“action=” + action);
polkit.log(“subject=” + subject);
}
});<\/font><\/p>\n

will produce the following when the user runs ‘pkexec \u2212u bateman bash \u2212i’ from a shell:<\/font><\/p>\n

May 24 14:28:50 thinkpad polkitd[32217]: \/etc\/polkit\u22121\/rules.d\/10\u2212test.rules:3: action=[Action id=’org.freedesktop.policykit.exec’ command_line=’\/usr\/bin\/bash \u2212i’ program=’\/usr\/bin\/bash’ user=’bateman’ user.gecos=’Patrick Bateman’ user.display=’Patrick Bateman (bateman)’]
May 24 14:28:50 thinkpad polkitd[32217]: \/etc\/polkit\u22121\/rules.d\/10\u2212test.rules:4: subject=[Subject pid=1352 user=’davidz’ groups=davidz,wheel, seat=’seat0′ session=’1′ local=true active=true]<\/font><\/p>\n

The Action type<\/b><\/font><\/p>\n<\/table>\n

The action<\/i> parameter passed to user functions is an object with information about the action being checked. It is of type Action<\/b> and has the following attribute:<\/font><\/p>\n

string<\/b> id<\/font><\/p>\n

The action identifier, for example org.freedesktop.policykit.exec<\/i>.<\/font><\/p>\n

The following methods are available on the Action<\/b> type:<\/font><\/p>\n\n\n
<\/td>\n\n

string lookup(string\u00a0<\/b>key<\/i>);<\/b><\/font><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

The lookup()<\/b> method is used to lookup the polkit variables passed from the mechanism. For example, the pkexec<\/b>(1) mechanism sets the variable program<\/i> which can be obtained in Javascript using the expression action.lookup(“program”). If there is no value for the given key<\/i>, then undefined<\/b> is returned.<\/font><\/p>\n

Consult the documentation for each mechanism for what variables are available for each action.<\/font><\/p>\n

The Subject type<\/b><\/font><\/p>\n<\/table>\n

The subject<\/i> parameter passed to user functions is an object with information about the process being checked. It is of type Subject<\/b> and has the following attributes<\/font><\/p>\n

int<\/b> pid<\/font><\/p>\n

The process id.<\/font><\/p>\n

string<\/b> user<\/font><\/p>\n

The user name.<\/font><\/p>\n

string[]<\/b> groups<\/font><\/p>\n

Array of groups that user<\/i> user belongs to.<\/font><\/p>\n

string<\/b> seat<\/font><\/p>\n

The seat that the subject is associated with \u2212 blank if not on a local seat.<\/font><\/p>\n

string<\/b> session<\/font><\/p>\n

The session that the subject is associated with.<\/font><\/p>\n

boolean<\/b> local<\/font><\/p>\n

Set to true<\/b> only if seat is local.<\/font><\/p>\n

boolean<\/b> active<\/font><\/p>\n

Set to true<\/b> only if the session is active.<\/font><\/p>\n

The following methods are available on the Subject<\/b> type:<\/font><\/p>\n\n\n\n
<\/td>\n\n

boolean isInGroup(string\u00a0<\/b>groupName<\/i>);<\/b><\/font><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n
<\/td>\n\n

boolean isInNetGroup(string\u00a0<\/b>netGroupName<\/i>);<\/b><\/font><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

The isInGroup()<\/b> method can be used to check if the subject is in a given group and isInNetGroup()<\/b> can be used to check if the subject is in a given netgroup.<\/font><\/p>\n

Authorization Rules Examples<\/b><\/font><\/p>\n<\/table>\n

Allow all users in the admin group to perform user administration without changing policy for other users:<\/font><\/p>\n

polkit.addRule(function(action, subject) {
if (action.id == “org.freedesktop.accounts.user\u2212administration” &&
subject.isInGroup(“admin”)) {
return polkit.Result.YES;
}
});<\/font><\/p>\n

Define administrative users to be the users in the wheel group:<\/font><\/p>\n

polkit.addAdminRule(function(action, subject) {
return [“unix\u2212group:wheel”];
});<\/font><\/p>\n

Forbid users in group children to change hostname configuration (that is, any action with an identifier starting with org.freedesktop.hostname1.) and allow anyone else to do it after authenticating as themselves:<\/font><\/p>\n

polkit.addRule(function(action, subject) {
if (action.id.indexOf(“org.freedesktop.hostname1.”) == 0) {
if (subject.isInGroup(“children”)) {
return polkit.Result.NO;
} else {
return polkit.Result.AUTH_SELF_KEEP;
}
}
});<\/font><\/p>\n

Run an external helper to determine if the current user may reboot the system:<\/font><\/p>\n

polkit.addRule(function(action, subject) {
if (action.id.indexOf(“org.freedesktop.login1.reboot”) == 0) {
try {
\/\/ user\u2212may\u2212reboot exits with success (exit code 0)
\/\/ only if the passed username is authorized
polkit.spawn([“\/opt\/company\/bin\/user\u2212may\u2212reboot”,
subject.user]);
return polkit.Result.YES;
} catch (error) {
\/\/ Nope, but do allow admin authentication
return polkit.Result.AUTH_ADMIN;
}
}
});<\/font><\/p>\n

The following example shows how the authorization decision can depend on variables passed by the pkexec<\/b>(1) mechanism:<\/font><\/p>\n

polkit.addRule(function(action, subject) {
if (action.id == “org.freedesktop.policykit.exec” &&
action.lookup(“program”) == “\/usr\/bin\/cat”) {
return polkit.Result.AUTH_ADMIN;
}
});<\/font><\/p>\n

The following example shows another use of variables passed from the mechanism. In this case, the mechanism is<\/font> UDisks<\/font><\/b> [10]<\/font><\/small> which defines a set of<\/font> actions and variables<\/font><\/b> [11]<\/font><\/small> that is used to match on:<\/font><\/p>\n

\/\/ Allow users in group ‘engineers’ to perform any operation on
\/\/ some drives without having to authenticate
\/\/
polkit.addRule(function(action, subject) {
if (action.id.indexOf(“org.freedesktop.udisks2.”) == 0 &&
action.lookup(“drive.vendor”) == “SEAGATE” &&
action.lookup(“drive.model”) == “ST3300657SS” &&
subject.isInGroup(“engineers”)) {
return polkit.Result.YES;
}
}
});<\/font><\/p>\n

AUTHOR <\/a> <\/h2>\n

Written by David Zeuthen with a lot of help from many others.<\/font><\/p>\n

BUGS <\/a> <\/h2>\n

Please send bug reports to either the distribution or the polkit\u2212devel mailing list, see the link<\/font> http:\/\/lists.freedesktop.org\/mailman\/listinfo\/polkit-devel<\/font><\/b> on how to subscribe.<\/font><\/p>\n

SEE ALSO <\/a> <\/h2>\n

polkitd<\/b>(8), pkaction<\/b>(1), pkcheck<\/b>(1), pkexec<\/b>(1), pkttyagent<\/b>(1)<\/font><\/p>\n

NOTES <\/a> <\/h2>\n\n\n\n
<\/td>\n\n

1.<\/font><\/p>\n<\/td>\n

<\/td>\n\n

\/usr\/share\/gtk-doc\/html\/polkit-1\/polkit-architecture.png<\/font><\/p>\n<\/td>\n<\/tr>\n

<\/td>\n\n

2.<\/font><\/p>\n<\/td>\n

<\/td>\n\n

GObjectIntrospection<\/font><\/p>\n<\/td>\n<\/tr>\n<\/table>\n

https:\/\/live.gnome.org\/GObjectIntrospection<\/font><\/p>\n\n\n
<\/td>\n\n

3.<\/font><\/p>\n<\/td>\n

<\/td>\n\n

developer documentation<\/font><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

http:\/\/www.freedesktop.org\/software\/polkit\/docs\/latest\/<\/font><\/p>\n\n\n\n\n
<\/td>\n\n

4.<\/font><\/p>\n<\/td>\n

<\/td>\n\n

\/usr\/share\/gtk-doc\/html\/polkit-1\/polkit-authentication-agent-example.png<\/font><\/p>\n<\/td>\n<\/tr>\n

<\/td>\n\n

5.<\/font><\/p>\n<\/td>\n

<\/td>\n\n

\/usr\/share\/gtk-doc\/html\/polkit-1\/polkit-authentication-agent-example-wheel.png<\/font><\/p>\n<\/td>\n<\/tr>\n

<\/td>\n\n

6.<\/font><\/p>\n<\/td>\n

<\/td>\n\n

Freedesktop.org Icon Naming Specification<\/font><\/p>\n<\/td>\n<\/tr>\n<\/table>\n

http:\/\/standards.freedesktop.org\/icon-naming-spec\/icon-naming-spec-latest.html<\/font><\/p>\n\n\n
<\/td>\n\n

7.<\/font><\/p>\n<\/td>\n

<\/td>\n\n

JavaScript<\/font><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

http:\/\/en.wikipedia.org\/wiki\/JavaScript<\/font><\/p>\n\n\n
<\/td>\n\n

8.<\/font><\/p>\n<\/td>\n

<\/td>\n\n

ECMA-262 edition 5<\/font><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

http:\/\/en.wikipedia.org\/wiki\/ECMAScript#ECMAScript.2C_5th_Edition<\/font><\/p>\n\n\n
<\/td>\n\n

9.<\/font><\/p>\n<\/td>\n

<\/td>\n\n

Date<\/b><\/font><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

https:\/\/developer.mozilla.org\/en\/JavaScript\/Reference\/Global_Objects\/Date<\/font><\/p>\n\n\n
<\/td>\n\n

10.<\/font><\/p>\n<\/td>\n

<\/td>\n\n

UDisks<\/font><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

http:\/\/udisks.freedesktop.org\/docs\/latest\/udisks.8.html<\/font><\/p>\n\n\n
<\/td>\n\n

11.<\/font><\/p>\n<\/td>\n

<\/td>\n\n

actions and variables<\/font><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

http:\/\/udisks.freedesktop.org\/docs\/latest\/udisks-polkit-actions.html<\/font><\/p>\n

\n","protected":false},"excerpt":{"rendered":"

polkit \u2212 Authorization Manager <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[5,52,4,922],"class_list":["post-3826","post","type-post","status-publish","format-standard","hentry","category-8-administracion-del-sistema","tag-5","tag-administracion","tag-man8","tag-polkit"],"gutentor_comment":0,"_links":{"self":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts\/3826","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/comments?post=3826"}],"version-history":[{"count":0,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts\/3826\/revisions"}],"wp:attachment":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/media?parent=3826"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/categories?post=3826"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/tags?post=3826"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}