Polkit: Difference between revisions

From Alpine Linux
m (fixed sentence)
(rephrased sentence and changed headings)
Line 4: Line 4:


* Install and configure [[D-Bus#Installation|D-Bus]] to use polkit.
* Install and configure [[D-Bus#Installation|D-Bus]] to use polkit.
* Polkit relies on [[Elogind|elogind]] or [[Seatd]] to determine the identity of the user making a request, which is crucial for authentication and authorization.


== Polkit and elogind ==
{{Tip|To use full features of polkit, [[#Using polkit with elogind|using polkit with elogind]] is recommended.}}


{{pkg|polkit}} is used for authentication by [[Elogind|elogind]]. Without polkit some things may not function. Install the {{Pkg|polkit-elogind}} package and enable the {{ic|polkit}} service using [[OpenRC]].
== Using polkit with elogind ==
 
{{pkg|polkit}} is mandatory for [[Elogind|elogind]] as it depends on it for authentication. Install the {{Pkg|polkit-elogind}} package and enable the {{ic|polkit}} service using [[OpenRC]].


{{Cmd|<nowiki># apk add polkit-elogind
{{Cmd|<nowiki># apk add polkit-elogind
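Review bot: In the rewritten sentence under "Using polkit with elogind", "polkit is mandatory for elogind as it depends on it for authentication" has two pronouns with unclear referents. Suggest "elogind depends on polkit for authentication, so polkit is mandatory", which keeps the direction of the dependency explicit.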
Line 13: Line 16:
# rc-service polkit start </nowiki>}}
# rc-service polkit start </nowiki>}}


== Polkit and seatd ==
Proceed to congigure [[Elogind|elogind]], if not done already.


{{pkg|polkit}} can be used for authentication with [[Seatd|seatd]], if you use groups in the polkit rules. With seatd you are restricted to YES or NO rules.
== Using polkit with seatd ==
 
{{pkg|polkit}} can be used for authentication with [[Seatd|seatd]], if you use only groups in the polkit rules. With seatd, you are also restricted to YES or NO rules.


Install the {{Pkg|polkit}} package and enable the {{ic|polkit}} service using [[OpenRC]]: {{Cmd|<nowiki># apk add polkit
Install the {{Pkg|polkit}} package and enable the {{ic|polkit}} service using [[OpenRC]]: {{Cmd|<nowiki># apk add polkit
# rc-update add polkit
# rc-update add polkit
# rc-service polkit start </nowiki>}}
# rc-service polkit start </nowiki>}}
Proceed to congigure [[Seatd|seatd]], if not done already.
== Polkit rule files ==
The following example rule files have been provided to show the limitations of [[#Using polkit with seatd|seatd]].
=== Example1 ===


A sample polkit rule file {{Path|/etc/polkit-1/rules.d/50-my-custom-rules.rules}} which allow members of the "wheel" group to reboot without a password. This rule depends only on group membership which works with seatd can be as follows:{{Cat|/etc/polkit-1/rules.d/50-my-custom-rules.rules|<nowiki>     
A sample polkit rule file {{Path|/etc/polkit-1/rules.d/50-my-custom-rules.rules}} which allow members of the "wheel" group to reboot without a password. This rule depends only on group membership which works with seatd can be as follows:{{Cat|/etc/polkit-1/rules.d/50-my-custom-rules.rules|<nowiki>     
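Review bot: "congigure" is misspelled in both added lines, "Proceed to congigure [[Elogind|elogind]], if not done already." and "Proceed to congigure [[Seatd|seatd]], if not done already."; change it to "configure". The seatd line also runs straight into the new "== Polkit rule files ==" heading, so a blank line before that heading would keep the section break clear.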
Line 29: Line 42:
     });
     });
</nowiki>}}  
</nowiki>}}  
The above polkit rule file is supported when used with both [[#Using polkit with seatd|seatd]] and [[#Using polkit with elogind|Elogind]].
=== Example2 ===


[[elogind|Elogind]] is required for "subject.active" rules and no AUTH_ADMIN, since polkit agents need POLKIT_IS_SUBJECT. Given below is a sample polkit rule file {{Path|/etc/polkit-1/rules.d/51-require-active-session.rules}} which allow only active local sessions to suspend based on subject.active which requires [[Elogind]] can be as follows:{{Cat|/etc/polkit-1/rules.d/51-require-active-session.rules|<nowiki>  
[[elogind|Elogind]] is required for "subject.active" rules and no AUTH_ADMIN, since polkit agents need POLKIT_IS_SUBJECT. Given below is a sample polkit rule file {{Path|/etc/polkit-1/rules.d/51-require-active-session.rules}} which allow only active local sessions to suspend based on subject.active which requires [[Elogind]] can be as follows:{{Cat|/etc/polkit-1/rules.d/51-require-active-session.rules|<nowiki>  
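Review bot: The added sentence "The above polkit rule file is supported when used with both [[#Using polkit with seatd|seatd]] and [[#Using polkit with elogind|Elogind]]." capitalises one link label and not the other; pick one style for both. The new heading "=== Example2 ===" (like "Example1" before it) would be easier to link to and scan if it named what the rule does, for example suspend for active sessions.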
Line 40: Line 57:
     });
     });
</nowiki>}}     
</nowiki>}}     
The above polkit rule file is supported only when used with [[#Using polkit with elogind|Elogind]]


== See also ==
== See also ==


* [https://polkit.pages.freedesktop.org/polkit/polkit.8.html polkit Architecture]
* [https://polkit.pages.freedesktop.org/polkit/polkit.8.html polkit Architecture]
* [https://github.com/polkit-org/polkit polkit github page]
* [https://wiki.archlinux.org/title/Polkit  Arch wiki Polkit page]
* [https://wiki.archlinux.org/title/Polkit  Arch wiki Polkit page]
* [https://github.com/polkit-org/polkit polkit github page]
* [https://wiki.archlinux.org/title/Running_GUI_applications_as_root Arch wiki Running GUI applications as root]
* [https://wiki.archlinux.org/title/Running_GUI_applications_as_root Arch wiki Running GUI applications as root]
[[Category:Security]]
[[Category:Security]]
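Review bot: The added line "The above polkit rule file is supported only when used with [[#Using polkit with elogind|Elogind]]" has no closing full stop, unlike the matching sentence added after Example1. Add one so the two notes read the same.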

Revision as of 04:00, 25 May 2025

Polkit is an authorization manager which is used for allowing unprivileged processes to speak to privileged processes through some form of inter-process communication mechanism like D-Bus.

Prerequisites

  • Install and configure D-Bus to use polkit.
  • Polkit relies on elogind or Seatd to determine the identity of the user making a request, which is crucial for authentication and authorization.
Tip: To use the full features of polkit, using polkit with elogind is recommended.

Using polkit with elogind

polkit is mandatory for elogind, which depends on it for authentication. Install the polkit-elogind package and enable the polkit service using OpenRC.

# apk add polkit-elogind
# rc-update add polkit
# rc-service polkit start

Proceed to configure elogind, if not done already.

Using polkit with seatd

polkit can be used for authentication with seatd, if you use only groups in the polkit rules. With seatd, you are also restricted to YES or NO rules.

Install the polkit package and enable the polkit service using OpenRC:

# apk add polkit
# rc-update add polkit
# rc-service polkit start

Proceed to configure seatd, if not done already.

Polkit rule files

The following example rule files have been provided to show the limitations of seatd.

Example1

A sample polkit rule file /etc/polkit-1/rules.d/50-my-custom-rules.rules that allows members of the "wheel" group to reboot without a password is given below. This rule depends only on group membership, which works with seatd:

Contents of /etc/polkit-1/rules.d/50-my-custom-rules.rules

polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.login1.reboot" && subject.isInGroup("wheel")) {
        return polkit.Result.YES;
    }
});

The above polkit rule file is supported when used with both seatd and Elogind.

Example2

Elogind is required for "subject.active" rules, and AUTH_ADMIN is not available without it, since polkit agents need POLKIT_IS_SUBJECT. Given below is a sample polkit rule file /etc/polkit-1/rules.d/51-require-active-session.rules that allows only active local sessions to suspend. It is based on subject.active, which requires Elogind:

Contents of /etc/polkit-1/rules.d/51-require-active-session.rules

polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.login1.suspend" && subject.active) {
        return polkit.Result.YES;
    } else if (action.id == "org.freedesktop.login1.suspend") {
        return polkit.Result.NO; // Or polkit.Result.AUTH_ADMIN to prompt for password
    }
});

The above polkit rule file is supported only when used with Elogind.
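
A way to exercise the two rule files above before installing them, as an added example that is not part of the wiki page or of polkit: a small Node.js harness with a stand-in polkit object that reports the decision and which subject fields a rule read. loadRules, makeSubject, evaluate and seatdCompatible are hypothetical helper names, the subjects are constructed sample data, and the seatd check encodes only the limits stated on this page.

```javascript
// Added example: minimal stand-in for polkitd's rule environment, not polkit's own code.
const Result = { NO: "no", YES: "yes", AUTH_ADMIN: "auth_admin", NOT_HANDLED: "not_handled" };

// The two rule files from this page, embedded as text.
const EXAMPLE1 = `polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.login1.reboot" && subject.isInGroup("wheel")) {
        return polkit.Result.YES;
    }
});`;
const EXAMPLE2 = `polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.login1.suspend" && subject.active) {
        return polkit.Result.YES;
    } else if (action.id == "org.freedesktop.login1.suspend") {
        return polkit.Result.NO;
    }
});`;

// Executes the rule text with a shim "polkit" object; run it only on rule files you wrote.
function loadRules(source) {
  const rules = [];
  new Function("polkit", source)({ Result, addRule: (fn) => rules.push(fn) });
  return rules;
}

// Constructed test subject (hypothetical helper): groups and session state are sample data.
function makeSubject(groups, active) {
  return { active, isInGroup: (g) => groups.includes(g) };
}

// First rule that returns a value decides; a Proxy records which subject fields were read.
function evaluate(rules, actionId, subject) {
  const touched = new Set();
  const traced = new Proxy(subject, {
    get(target, prop) { touched.add(String(prop)); return target[prop]; },
  });
  let result = Result.NOT_HANDLED;
  for (const rule of rules) {
    const r = rule({ id: actionId }, traced);
    if (r !== undefined && r !== null) { result = r; break; }
  }
  return { result, touched: [...touched] };
}

// Page's seatd limits: group membership only, and YES or NO as the decision.
function seatdCompatible(outcome) {
  const groupOnly = outcome.touched.every((p) => p === "isInGroup");
  return groupOnly && [Result.YES, Result.NO, Result.NOT_HANDLED].includes(outcome.result);
}
```

Changing Example2's NO branch to AUTH_ADMIN, or reading any subject field besides isInGroup, makes seatdCompatible return false for that outcome.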

See also