Polkit: Difference between revisions
Prabuanand (talk | contribs) (moved headings and rephrased sentence) |
Prabuanand (talk | contribs) m (rephrased sentence) |
||
Line 10: | Line 10: | ||
== Using polkit with elogind == | == Using polkit with elogind == | ||
For a feature-rich [[Desktop environments and Window managers|desktop ]] experience, polkit | For a feature-rich [[Desktop environments and Window managers|desktop]] experience, use polkit with [[Elogind|elogind]]. Features like [[#Authentication agents|authentication agents]] can be used only with elogind. Install the {{Pkg|polkit-elogind}} package and enable the {{ic|polkit}} service using [[OpenRC]]. | ||
{{Cmd|<nowiki># apk add polkit-elogind | {{Cmd|<nowiki># apk add polkit-elogind | ||
Line 20: | Line 20: | ||
== Using polkit with seatd == | == Using polkit with seatd == | ||
For a minimal [[Desktop environments and Window managers|desktop]], polkit can be used with [[Seatd#Polkit|seatd with certain limitations]]. With Seatd, polkit rules can only evaluate group membership, resulting in a 'yes' or 'no' decision. | |||
To proceed to use polkit with seatd, install the {{Pkg|polkit}} package and enable the {{ic|polkit}} service using [[OpenRC]]: {{Cmd|<nowiki># apk add polkit | To proceed to use polkit with seatd, install the {{Pkg|polkit}} package and enable the {{ic|polkit}} service using [[OpenRC]]: {{Cmd|<nowiki># apk add polkit |
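Review bot: In the seatd paragraph, the sentence "With Seatd, polkit rules can only evaluate group membership" capitalizes the name, while the heading and the neighbouring sentences write "seatd"; pick one spelling. The same sentence would be clearer if it named what the 'yes' or 'no' limit excludes, since the elogind paragraph in this diff already says authentication agents can be used only with elogind.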
Revision as of 09:35, 25 July 2025
Polkit is an authorization manager that allows unprivileged processes to speak to privileged processes through an inter-process communication mechanism such as D-Bus.
Prerequisites
- Install and configure D-Bus.
- For graphical applications, polkit relies on elogind or Seatd to determine the identity of the user making a request.
Using polkit with elogind
For a feature-rich desktop experience, use polkit with elogind. Features like authentication agents can be used only with elogind. Install the polkit-elogind package and enable the polkit service using OpenRC.
    # apk add polkit-elogind
    # rc-update add polkit
    # rc-service polkit start
Proceed to configure elogind, if not done already.
Using polkit with seatd
For a minimal desktop, polkit can be used with seatd with certain limitations. With Seatd, polkit rules can only evaluate group membership, resulting in a 'yes' or 'no' decision.
To use polkit with seatd, install the polkit package and enable the polkit service using OpenRC:
    # apk add polkit
    # rc-update add polkit
    # rc-service polkit start
Authentication agents
Polkit authentication agent integration (for auth_self and auth_admin policies) helps coordinate the display of a password prompt to the active and local users.
For example, when an unprivileged user attempts to access a privileged location (such as by typing admin:// in the address bar of a File Manager) and a Polkit policy requires administrative authentication, a password dialogue will typically appear.
Polkit rule files
The following example rule files have been provided to show the limitations of seatd.
Example1
A sample polkit rule file, /etc/polkit-1/rules.d/50-udisks.rules, which allows automatic mounting of removable storage for members of the disk or storage group. This rule depends only on group membership, which works with seatd:
Contents of /etc/polkit-1/rules.d/50-udisks.rules
The above polkit rule file is fully supported when used with both seatd and Elogind.
Example2
Elogind is required for rules that use "subject.active", and without it AUTH_ADMIN is not available, since polkit agents need POLKIT_IS_SUBJECT. Given below is a sample polkit rule file, /etc/polkit-1/rules.d/51-require-active-session.rules, which allows only active local sessions to suspend, based on subject.active:
Contents of /etc/polkit-1/rules.d/51-require-active-session.rules
The above polkit rule file is supported only when used with Elogind.
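The two kinds of rule described in Example1 and Example2, shown side by side as an added example that is not the wiki's own file contents. The action ids org.freedesktop.udisks2.filesystem-mount and org.freedesktop.login1.suspend, the stand-in polkit object, and the sample subjects are assumptions made so the rules can be run under Node.js.

```javascript
// Stand-in for the `polkit` global that polkitd gives rule files, so the two
// rules can be exercised under Node.js. A real rule file omits this object.
const polkit = {
  Result: { NO: "no", YES: "yes" },
  rules: [],
  addRule(fn) { this.rules.push(fn); },
};

// Rule 1: group membership only.
polkit.addRule(function (action, subject) {
  if (action.id === "org.freedesktop.udisks2.filesystem-mount" &&
      (subject.isInGroup("disk") || subject.isInGroup("storage"))) {
    return polkit.Result.YES;
  }
});

// Rule 2: session state; needs a session tracker to fill in active/local.
polkit.addRule(function (action, subject) {
  if (action.id === "org.freedesktop.login1.suspend") {
    return subject.active && subject.local ? polkit.Result.YES
                                           : polkit.Result.NO;
  }
});

// Harness (constructed): the first rule that returns a result decides.
function makeSubject(groups, session) {
  return { active: session.active, local: session.local,
           isInGroup: (group) => groups.includes(group) };
}
function evaluate(actionId, subject) {
  for (const rule of polkit.rules) {
    const result = rule({ id: actionId }, subject);
    if (result) return result;
  }
  return "not handled";
}

// Constructed subjects. `untracked` models a session with no active/local
// data, which is an assumption about how the seatd case looks to a rule.
const tracked = makeSubject(["storage"], { active: true, local: true });
const untracked = makeSubject(["storage"], { active: false, local: false });
const outsider = makeSubject([], { active: true, local: true });

for (const [name, s] of Object.entries({ tracked, untracked, outsider })) {
  console.log(name,
    "mount:", evaluate("org.freedesktop.udisks2.filesystem-mount", s),
    "suspend:", evaluate("org.freedesktop.login1.suspend", s));
}
```

The group-only rule answers yes for any process of a group member, whether or not that user is at the local console, so membership of disk or storage is the only gate in the seatd setup.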