Polkit: Difference between revisions

Latest revision as of 04:40, 2 September 2025

Polkit is an authorization manager which is used for allowing unprivileged processes to speak to privileged processes through some form of inter-process communication mechanism like D-Bus.

Prerequisites

Install and configure D-Bus.

Installation

For graphical applications, polkit relies on elogind or Seatd to determine the identity of the user making a request. To use the full features of polkit, using polkit with elogind is recommended.

Using polkit with elogind

For a feature-rich desktop experience, use polkit with elogind. Features like authentication agents can be used only with elogind. Install the polkit-elogind package and enable the polkit service using OpenRC.

# apk add polkit-elogind # rc-update add polkit # rc-service polkit start

Proceed to configure elogind, if not done already.

Using polkit with seatd

For a minimal desktop like Sway, polkit can be used with seatd with certain limitations. With Seatd, polkit rules can only evaluate group membership, resulting in a 'yes' or 'no' decision. Graphical, session aware authentication agents are not supported.

To proceed to use polkit with seatd, install the polkit package and enable the polkit service using OpenRC:

# apk add polkit # rc-update add polkit # rc-service polkit start

Authentication agents

Polkit authentication agent integration helps coordinate the display of a password prompt to the active and local users. When an unprivileged user attempts to access a privileged location (such as by typing admin:// in the address bar of a File Manager), when the appropriate polkit policy requires administrative authentication, a password dialogue will typically appear.

Note: Authentication agents will work only when polkit is used with elogind.

Some of the authentication agents available in Alpine linux is listed below:

For Xfce, install xfce-polkit as follows:

# apk add xfce-polkit

Polkit rule files

The following example rule files have been provided to show the limitations of seatd.

Ensure that correct permissions are set for the rule files. For example, for the rule file /etc/polkit-1/rules.d/50-udisks.rules:

# chown root:root /etc/polkit-1/rules.d/50-udisks.rules # chmod 644 /etc/polkit-1/rules.d/50-udisks.rules

Example1

A sample polkit rule file /etc/polkit-1/rules.d/50-udisks.rules which allow automatic mounting of removable storage based on being a member of disk or storage group. This rule depends only on group membership which works with seatd:

Contents of /etc/polkit-1/rules.d/50-udisks.rules

polkit.addRule(function(action, subject) {
    if (subject.isInGroup("disk") || subject.isInGroup("storage")) &&
        (action.id == "org.freedesktop.udisks2.filesystem-mount" ||
         action.id == "org.freedesktop.udisks2.filesystem-mount-system" ||
	action.id == "org.freedesktop.udisks2.filesystem-unmount-others" ||  
         action.id == "org.freedesktop.udisks2.drive-eject" ||
         action.id == "org.freedesktop.udisks2.encrypted-unlock" ||
         action.id == "org.freedesktop.udisks2.power-off-drive")) {
        return polkit.Result.YES; // 
    }
});

The above polkit rule file is fully supported when used with both seatd and Elogind.

Example2

Elogind is required for "subject.active" rules and no AUTH_ADMIN, since polkit agents need POLKIT_IS_SUBJECT. Given below is a sample polkit rule file /etc/polkit-1/rules.d/51-require-active-session.rules which allow only active local sessions to suspend:

Contents of /etc/polkit-1/rules.d/51-require-active-session.rules

 
    polkit.addRule(function(action, subject) {
        if (action.id == "org.freedesktop.login1.suspend" &&
            subject.active) {
            return polkit.Result.YES;
        } else if (action.id == "org.freedesktop.login1.suspend") {
            return polkit.Result.NO; // Or polkit.Result.AUTH_ADMIN to prompt for password
        }
    });

The above rule file depends on subject.active which is supported only when polkit is used with Elogind.

@@ Line 4: / Line 4: @@
 * Install and configure [[D-Bus#Installation|D-Bus]].
-* For graphical applications, polkit relies on [[Elogind|elogind]] or [[Seatd]] to determine the identity of the user making a request.
-{{Tip|To use full features of polkit, [[#Using polkit with elogind|using polkit with elogind]] is recommended.}}
+== Installation ==
-== Using polkit with elogind ==
+For graphical applications, polkit relies on [[Elogind|elogind]] or [[Seatd]] to determine the identity of the user making a request. To use the full features of polkit, [[#Using polkit with elogind|using polkit with elogind]] is recommended.
-Polkit is mandatory for [[Elogind|elogind]], as it is needed for authentication. The full features of polkit can be used only with elogind. Install the {{Pkg|polkit-elogind}} package and enable the {{ic|polkit}} service using [[OpenRC]].
+=== Using polkit with elogind ===
+For a feature-rich [[Desktop environments and Window managers|desktop]] experience, use polkit with [[Elogind|elogind]]. Features like [[#Authentication agents|authentication agents]] can be used only with elogind. Install the {{Pkg|polkit-elogind}} package and enable the {{ic|polkit}} service using [[OpenRC]].
 {{Cmd|<nowiki># apk add polkit-elogind
@@ Line 18: / Line 19: @@
 Proceed to configure [[Elogind|elogind]], if not done already.
-== Using polkit with seatd ==
+=== Using polkit with seatd ===
-Polkit can be used for authentication with [[Seatd|seatd]] with certain limitations.
+For a minimal desktop like [[Sway]], polkit can be used with [[Seatd#Polkit|seatd with certain limitations]]. With Seatd, polkit rules can only evaluate group membership, resulting in a 'yes' or 'no' decision. Graphical, session aware [[#Authentication agents|authentication agents]] are not supported.
-With Seatd, polkit rules can only evaluate group membership, resulting in a 'yes' or 'no' decision. Since seatd doesn't provide detailed session tracking, polkit rules that rely on these properties (e.g., subject.active, subject.local) cannot be evaluated. Polkit authentication agent integration (for auth_self and auth_admin policies), which helps coordinate the display of a password prompt to the active and local users, is also not supported.
 To proceed to use polkit with seatd, install the {{Pkg|polkit}} package and enable the {{ic|polkit}} service using [[OpenRC]]: {{Cmd|<nowiki># apk add polkit
@@ Line 28: / Line 27: @@
 # rc-service polkit start </nowiki>}}
-Proceed to configure [[Seatd|seatd]], if not done already.
+== Authentication agents ==
+Polkit authentication agent integration helps coordinate the display of a password prompt to the active and local users.
+When an unprivileged user attempts to access a privileged location (such as by typing admin:// in the address bar of a [[File_management#File_managers|File Manager]]), when the appropriate polkit policy requires administrative authentication, a password dialogue will typically appear.
+{{Note|Authentication agents will work only when [[#Using polkit with elogind|polkit is used with elogind]].}}
+Some of the authentication agents available in Alpine linux is listed below:
+* {{Pkg|xfce-polkit}}
+* {{pkg|mate-polkit}}
+* {{pkg|polkit-gnome}}
+* {{pkg|polkit-kde-agent}}
+For [[Xfce]], install {{Pkg|xfce-polkit}} as follows:{{Cmd|# apk add {{Pkg|xfce-polkit}}}}
 == Polkit rule files ==
 The following example rule files have been provided to show the limitations of [[#Using polkit with seatd|seatd]].
+Ensure that correct permissions are set for the rule files. For example, for the rule file {{Path|/etc/polkit-1/rules.d/50-udisks.rules}}:{{Cmd|<nowiki># chown root:root /etc/polkit-1/rules.d/50-udisks.rules
+# chmod 644 /etc/polkit-1/rules.d/50-udisks.rules</nowiki>}}
 === Example1 ===
+A sample polkit rule file {{Path|/etc/polkit-1/rules.d/50-udisks.rules}} which allow [[File_management#Automounting_removable_storage|automatic mounting of removable storage]] based on being a member of '''disk''' or '''storage''' group. This rule depends only on group membership which works with seatd: {{cat|/etc/polkit-1/rules.d/50-udisks.rules|<nowiki>
-A sample polkit rule file {{Path|/etc/polkit-1/rules.d/50-udisks.rules}} which allow using udisk commands as long as they are member of '''disk''' or '''storage''' group. This rule depends only on group membership which works with seatd: {{cat|/etc/polkit-1/rules.d/50-udisks.rules|<nowiki>
 polkit.addRule(function(action, subject) {
      if (subject.isInGroup("disk") || subject.isInGroup("storage")) &&
@@ Line 55: / Line 69: @@
 === Example2 ===
-[[elogind|Elogind]] is required for "subject.active" rules and no AUTH_ADMIN, since polkit agents need POLKIT_IS_SUBJECT. Given below is a sample polkit rule file {{Path|/etc/polkit-1/rules.d/51-require-active-session.rules}} which allow only active local sessions to suspend based on subject.active which requires [[Elogind]] can be as follows:{{Cat|/etc/polkit-1/rules.d/51-require-active-session.rules|<nowiki>
+[[elogind|Elogind]] is required for "subject.active" rules and no AUTH_ADMIN, since polkit agents need POLKIT_IS_SUBJECT. Given below is a sample polkit rule file {{Path|/etc/polkit-1/rules.d/51-require-active-session.rules}} which allow only active local sessions to suspend:{{Cat|/etc/polkit-1/rules.d/51-require-active-session.rules|<nowiki>
      polkit.addRule(function(action, subject) {
          if (action.id == "org.freedesktop.login1.suspend" &&
@@ Line 66: / Line 80: @@
 </nowiki>}}
-The above polkit rule file is supported only when used with [[#Using polkit with elogind|Elogind]]
+The above rule file depends on ''subject.active'' which is supported only when [[#Using polkit with elogind|polkit is used with Elogind]].
 == See also ==
 * [https://polkit.pages.freedesktop.org/polkit/polkit.8.html polkit Architecture]
 * [https://github.com/polkit-org/polkit polkit github page]
@@ Line 75: / Line 88: @@
 * [https://wiki.archlinux.org/title/Running_GUI_applications_as_root Arch wiki Running GUI applications as root]
-[[Category:Security]]
+[[Category:Authentication]]