Alpine Linux - User contributions [en]

Polkit

2025-11-09T02:38:50Z

JakeCubes: Changed seatd's auth agent incompatibility note to a warning.

[https://polkit.pages.freedesktop.org/polkit/polkit.8.html Polkit] is an authorization manager which is used for allowing unprivileged processes to speak to privileged processes through some form of inter-process communication mechanism like [[D-Bus]].

== Prerequisites ==

* Install and configure [[D-Bus#Installation|D-Bus]].

== Installation ==

For graphical applications, polkit relies on [[Elogind|elogind]] or [[Seatd]] to determine the identity of the user making a request. To use the full features of polkit, [[#Using polkit with elogind|using polkit with elogind]] is recommended.

=== Using polkit with elogind ===

For a feature-rich [[Desktop environments and Window managers|desktop]] experience, use polkit with [[Elogind|elogind]]. Features like [[#Authentication agents|authentication agents]] can be used only with elogind. Install the {{Pkg|polkit-elogind}} package and enable the {{ic|polkit}} service using [[OpenRC]].

{{Cmd|<nowiki># apk add polkit-elogind
# rc-update add polkit
# rc-service polkit start </nowiki>}}

Proceed to configure [[Elogind|elogind]], if not done already.

=== Using polkit with seatd ===

For a minimal desktop like [[Sway]], polkit can be used with [[Seatd#Polkit|seatd with certain limitations]]. With Seatd, polkit rules can only evaluate group membership, resulting in a 'yes' or 'no' decision. Graphical, session aware [[#Authentication agents|authentication agents]] are not supported.

To proceed to use polkit with seatd, install the {{Pkg|polkit}} package and enable the {{ic|polkit}} service using [[OpenRC]]: {{Cmd|<nowiki># apk add polkit
# rc-update add polkit
# rc-service polkit start </nowiki>}}

== Authentication agents ==

Polkit authentication agent integration helps coordinate the display of a password prompt to the active and local users.
When an unprivileged user attempts to access a privileged location (such as by typing admin:// in the address bar of a [[File_management#File_managers|File Manager]]), when the appropriate polkit policy requires administrative authentication, a password dialogue will typically appear.

{{Warning|Authentication agents will work only when [[#Using polkit with elogind|polkit is used with elogind]].}}
{{Warning|Authentication agents won't work unless [[PAM]] is properly set up.}}

Some of the authentication agents available in Alpine linux is listed below:

* {{Pkg|xfce-polkit}}
* {{pkg|mate-polkit}}
* {{pkg|polkit-gnome}}
* {{pkg|polkit-kde-agent}}
For [[Xfce]], install {{Pkg|xfce-polkit}} as follows:{{Cmd|# apk add {{Pkg|xfce-polkit}}}}

== Polkit rule files ==

The following example rule files have been provided to show the limitations of [[#Using polkit with seatd|seatd]].

Ensure that correct permissions are set for the rule files. For example, for the rule file {{Path|/etc/polkit-1/rules.d/50-udisks.rules}}:{{Cmd|<nowiki># chown root:root /etc/polkit-1/rules.d/50-udisks.rules
# chmod 644 /etc/polkit-1/rules.d/50-udisks.rules</nowiki>}}

=== Example1 ===

A sample polkit rule file {{Path|/etc/polkit-1/rules.d/50-udisks.rules}} which allow [[File_management#Automounting_removable_storage|automatic mounting of removable storage]] based on being a member of '''disk''' or '''storage''' group. This rule depends only on group membership which works with seatd: {{cat|/etc/polkit-1/rules.d/50-udisks.rules|<nowiki>
polkit.addRule(function(action, subject) {
if (subject.isInGroup("disk") || subject.isInGroup("storage")) &&
(action.id == "org.freedesktop.udisks2.filesystem-mount" ||
action.id == "org.freedesktop.udisks2.filesystem-mount-system" ||
action.id == "org.freedesktop.udisks2.filesystem-unmount-others" ||
action.id == "org.freedesktop.udisks2.drive-eject" ||
action.id == "org.freedesktop.udisks2.encrypted-unlock" ||
action.id == "org.freedesktop.udisks2.power-off-drive")) {
return polkit.Result.YES; //
}
});
</nowiki>}}

The above polkit rule file is fully supported when used with both [[#Using polkit with seatd|seatd]] and [[#Using polkit with elogind|Elogind]].

=== Example2 ===

[[elogind|Elogind]] is required for "subject.active" rules and no AUTH_ADMIN, since polkit agents need POLKIT_IS_SUBJECT. Given below is a sample polkit rule file {{Path|/etc/polkit-1/rules.d/51-require-active-session.rules}} which allow only active local sessions to suspend:{{Cat|/etc/polkit-1/rules.d/51-require-active-session.rules|<nowiki>
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.login1.suspend" &&
subject.active) {
return polkit.Result.YES;
} else if (action.id == "org.freedesktop.login1.suspend") {
return polkit.Result.NO; // Or polkit.Result.AUTH_ADMIN to prompt for password
}
});
</nowiki>}}

The above rule file depends on ''subject.active'' which is supported only when [[#Using polkit with elogind|polkit is used with Elogind]].

== See also ==
* [https://polkit.pages.freedesktop.org/polkit/polkit.8.html polkit Architecture]
* [https://github.com/polkit-org/polkit polkit github page]
* [https://wiki.archlinux.org/title/Polkit Arch wiki Polkit page]
* [https://wiki.archlinux.org/title/Running_GUI_applications_as_root Arch wiki Running GUI applications as root]

[[Category:Authentication]]

PAM

2025-11-09T02:31:26Z

JakeCubes:

To use PAM, the {{Pkg|linux-pam}} package itself must be installed as well as something for logging into the system that supports PAM. The <code>login</code> bundled with <code>busybox</code> does not support PAM. Instead, one of the following may be used:

* [[greetd]] plus any greeter
* <code>login(1)</code> provided by {{Pkg|shadow-login}}
* <code>login(1)</code> provided by {{Pkg|util-linux-login}}

{{warning|Login without PAM will still be possible. See {{issue|11730}}}}
{{warning|Polkit authentication agents tend to have issues running without PAM.}}

== ulimit ==

<code>ulimit</code> permissions can be changed via <code>/etc/security/limits.conf</code>. These will only apply if a PAM-compatible tool is used for logging in (as indicated above).

== See also ==

* [https://wiki.gentoo.org/wiki/PAM PAM on the Gentoo Wiki]
* [https://wiki.archlinux.org/title/PAM PAM on the ArchLinux Wiki]

[[Category:Authentication]]

Polkit

2025-11-09T02:30:09Z

JakeCubes: /* Authentication agents */

[https://polkit.pages.freedesktop.org/polkit/polkit.8.html Polkit] is an authorization manager which is used for allowing unprivileged processes to speak to privileged processes through some form of inter-process communication mechanism like [[D-Bus]].

== Prerequisites ==

* Install and configure [[D-Bus#Installation|D-Bus]].

== Installation ==

For graphical applications, polkit relies on [[Elogind|elogind]] or [[Seatd]] to determine the identity of the user making a request. To use the full features of polkit, [[#Using polkit with elogind|using polkit with elogind]] is recommended.

=== Using polkit with elogind ===

For a feature-rich [[Desktop environments and Window managers|desktop]] experience, use polkit with [[Elogind|elogind]]. Features like [[#Authentication agents|authentication agents]] can be used only with elogind. Install the {{Pkg|polkit-elogind}} package and enable the {{ic|polkit}} service using [[OpenRC]].

{{Cmd|<nowiki># apk add polkit-elogind
# rc-update add polkit
# rc-service polkit start </nowiki>}}

Proceed to configure [[Elogind|elogind]], if not done already.

=== Using polkit with seatd ===

For a minimal desktop like [[Sway]], polkit can be used with [[Seatd#Polkit|seatd with certain limitations]]. With Seatd, polkit rules can only evaluate group membership, resulting in a 'yes' or 'no' decision. Graphical, session aware [[#Authentication agents|authentication agents]] are not supported.

To proceed to use polkit with seatd, install the {{Pkg|polkit}} package and enable the {{ic|polkit}} service using [[OpenRC]]: {{Cmd|<nowiki># apk add polkit
# rc-update add polkit
# rc-service polkit start </nowiki>}}

== Authentication agents ==

Polkit authentication agent integration helps coordinate the display of a password prompt to the active and local users.
When an unprivileged user attempts to access a privileged location (such as by typing admin:// in the address bar of a [[File_management#File_managers|File Manager]]), when the appropriate polkit policy requires administrative authentication, a password dialogue will typically appear.

{{Note|Authentication agents will work only when [[#Using polkit with elogind|polkit is used with elogind]].}}
{{Warning|Authentication agents won't work unless [[PAM]] is properly set up.}}

Some of the authentication agents available in Alpine linux is listed below:

* {{Pkg|xfce-polkit}}
* {{pkg|mate-polkit}}
* {{pkg|polkit-gnome}}
* {{pkg|polkit-kde-agent}}
For [[Xfce]], install {{Pkg|xfce-polkit}} as follows:{{Cmd|# apk add {{Pkg|xfce-polkit}}}}

== Polkit rule files ==

The following example rule files have been provided to show the limitations of [[#Using polkit with seatd|seatd]].

Ensure that correct permissions are set for the rule files. For example, for the rule file {{Path|/etc/polkit-1/rules.d/50-udisks.rules}}:{{Cmd|<nowiki># chown root:root /etc/polkit-1/rules.d/50-udisks.rules
# chmod 644 /etc/polkit-1/rules.d/50-udisks.rules</nowiki>}}

=== Example1 ===

A sample polkit rule file {{Path|/etc/polkit-1/rules.d/50-udisks.rules}} which allow [[File_management#Automounting_removable_storage|automatic mounting of removable storage]] based on being a member of '''disk''' or '''storage''' group. This rule depends only on group membership which works with seatd: {{cat|/etc/polkit-1/rules.d/50-udisks.rules|<nowiki>
polkit.addRule(function(action, subject) {
if (subject.isInGroup("disk") || subject.isInGroup("storage")) &&
(action.id == "org.freedesktop.udisks2.filesystem-mount" ||
action.id == "org.freedesktop.udisks2.filesystem-mount-system" ||
action.id == "org.freedesktop.udisks2.filesystem-unmount-others" ||
action.id == "org.freedesktop.udisks2.drive-eject" ||
action.id == "org.freedesktop.udisks2.encrypted-unlock" ||
action.id == "org.freedesktop.udisks2.power-off-drive")) {
return polkit.Result.YES; //
}
});
</nowiki>}}

The above polkit rule file is fully supported when used with both [[#Using polkit with seatd|seatd]] and [[#Using polkit with elogind|Elogind]].

=== Example2 ===

[[elogind|Elogind]] is required for "subject.active" rules and no AUTH_ADMIN, since polkit agents need POLKIT_IS_SUBJECT. Given below is a sample polkit rule file {{Path|/etc/polkit-1/rules.d/51-require-active-session.rules}} which allow only active local sessions to suspend:{{Cat|/etc/polkit-1/rules.d/51-require-active-session.rules|<nowiki>
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.login1.suspend" &&
subject.active) {
return polkit.Result.YES;
} else if (action.id == "org.freedesktop.login1.suspend") {
return polkit.Result.NO; // Or polkit.Result.AUTH_ADMIN to prompt for password
}
});
</nowiki>}}

The above rule file depends on ''subject.active'' which is supported only when [[#Using polkit with elogind|polkit is used with Elogind]].

== See also ==
* [https://polkit.pages.freedesktop.org/polkit/polkit.8.html polkit Architecture]
* [https://github.com/polkit-org/polkit polkit github page]
* [https://wiki.archlinux.org/title/Polkit Arch wiki Polkit page]
* [https://wiki.archlinux.org/title/Running_GUI_applications_as_root Arch wiki Running GUI applications as root]

[[Category:Authentication]]

PAM

2025-11-09T02:26:31Z

JakeCubes: Polkit authentication agents such as polkit-gnome won't run without PAM, and this isn't mentioned anywhere in the wiki that I could find, so, to avoid others the trouble of reading through 7 different forums, I've decided it's a good idea to add this warning.

To use PAM, the {{Pkg|linux-pam}} package itself must be installed as well as something for logging into the system that supports PAM. The <code>login</code> bundled with <code>busybox</code> does not support PAM. Instead, one of the following may be used:

* [[greetd]] plus any greeter
* <code>login(1)</code> provided by {{Pkg|shadow-login}}
* <code>login(1)</code> provided by {{Pkg|util-linux-login}}

{{warning|Login without PAM will still be possible. See {{issue|11730}}}}
{{warning|Polkit authentication agents tend to have issues if PAM isn't properly set up.}}

== ulimit ==

<code>ulimit</code> permissions can be changed via <code>/etc/security/limits.conf</code>. These will only apply if a PAM-compatible tool is used for logging in (as indicated above).

== See also ==

* [https://wiki.gentoo.org/wiki/PAM PAM on the Gentoo Wiki]
* [https://wiki.archlinux.org/title/PAM PAM on the ArchLinux Wiki]

[[Category:Authentication]]