Polkit: Difference between revisions
Prabuanand (talk | contribs) m (rephrased sentence) |
Prabuanand (talk | contribs) m (reworded sentence) |
||
Line 56: | Line 56: | ||
=== Example2 === | === Example2 === | ||
[[elogind|Elogind]] is required for "subject.active" rules and no AUTH_ADMIN, since polkit agents need POLKIT_IS_SUBJECT. Given below is a sample polkit rule file {{Path|/etc/polkit-1/rules.d/51-require-active-session.rules}} which allow only active local sessions to suspend | [[elogind|Elogind]] is required for "subject.active" rules and no AUTH_ADMIN, since polkit agents need POLKIT_IS_SUBJECT. Given below is a sample polkit rule file {{Path|/etc/polkit-1/rules.d/51-require-active-session.rules}} which allow only active local sessions to suspend:{{Cat|/etc/polkit-1/rules.d/51-require-active-session.rules|<nowiki> | ||
polkit.addRule(function(action, subject) { | polkit.addRule(function(action, subject) { | ||
if (action.id == "org.freedesktop.login1.suspend" && | if (action.id == "org.freedesktop.login1.suspend" && | ||
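Review bot: In the reworked Example2 intro sentence, "which allow only active local sessions" should read "which allows". The clause "and no AUTH_ADMIN, since polkit agents need POLKIT_IS_SUBJECT" also never says what lacks AUTH_ADMIN. If the meaning is that AUTH_ADMIN results are unavailable without elogind, state that as its own sentence.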
Line 67: | Line 67: | ||
</nowiki>}} | </nowiki>}} | ||
The above | The above rule file depends on ''subject.active'' which is supported only when [[#Using polkit with elogind|polkit is used with Elogind]]. | ||
== See also == | == See also == |
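Review bot: The sentence added after the rule file repeats what the section's opening sentence already says about Elogind being required for subject.active rules. Keep the requirement in one place, preferably this closing sentence with its link to "Using polkit with elogind", and trim the duplicate from the intro.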
Revision as of 04:01, 26 July 2025
Polkit is an authorization manager that lets unprivileged processes talk to privileged processes through an inter-process communication mechanism such as D-Bus.
Prerequisites
- Install and configure D-Bus.
- For graphical applications, polkit relies on elogind or Seatd to determine the identity of the user making a request.
Using polkit with elogind
For a feature-rich desktop experience, use polkit with elogind. Features like authentication agents can be used only with elogind. Install the polkit-elogind package and enable the polkit service using OpenRC:
# apk add polkit-elogind
# rc-update add polkit
# rc-service polkit start
Proceed to configure elogind, if not done already.
Using polkit with seatd
For a minimal desktop, polkit can be used with seatd with certain limitations. With Seatd, polkit rules can only evaluate group membership, resulting in a 'yes' or 'no' decision.
To use polkit with seatd, install the polkit package and enable the polkit service using OpenRC:
# apk add polkit
# rc-update add polkit
# rc-service polkit start
Authentication agents
Polkit authentication agent integration (for auth_self and auth_admin policies) helps coordinate the display of a password prompt to the active and local users.
For example, when an unprivileged user attempts to access a privileged location (such as by typing admin:// in the address bar of a File Manager) and a Polkit policy requires administrative authentication, a password dialogue will typically appear.
Polkit rule files
The following example rule files have been provided to show the limitations of seatd.
Example1
A sample polkit rule file /etc/polkit-1/rules.d/50-udisks.rules which allows automatic mounting of removable storage for members of the disk or storage group. This rule depends only on group membership, which works with seatd:
Contents of /etc/polkit-1/rules.d/50-udisks.rules
The above polkit rule file is fully supported when used with both seatd and Elogind.
Example2
Elogind is required for "subject.active" rules and no AUTH_ADMIN, since polkit agents need POLKIT_IS_SUBJECT. Given below is a sample polkit rule file /etc/polkit-1/rules.d/51-require-active-session.rules which allows only active local sessions to suspend:
Contents of /etc/polkit-1/rules.d/51-require-active-session.rules
The above rule file depends on subject.active which is supported only when polkit is used with Elogind.
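The two kinds of rule contrasted in Example1 and Example2, as an added example that is not the wiki's own rule files: a group-membership rule and a session-aware rule, run under Node against a small stand-in for the `polkit` object that polkitd normally provides. The stand-in, the `evaluate` and `makeSubject` helpers, the udisks2 action id, the explicit `NO` for non-active sessions, and modelling an untracked session as `active`/`local` both false are assumptions made for illustration.

```javascript
// Added example, not the wiki's rule files. The `polkit` object below is a
// minimal stand-in for the one polkitd provides, so the rules run under Node.
const polkit = {
  Result: { YES: "yes", NO: "no" },
  rules: [],
  addRule(fn) { this.rules.push(fn); },
};

// Group-only rule: needs nothing but group membership, so it fits seatd.
polkit.addRule(function (action, subject) {
  if (action.id == "org.freedesktop.udisks2.filesystem-mount" &&
      (subject.isInGroup("disk") || subject.isInGroup("storage"))) {
    return polkit.Result.YES;
  }
});

// Session-aware rule: depends on subject.active and subject.local.
// Assumption: anything that is not an active local session is denied outright.
polkit.addRule(function (action, subject) {
  if (action.id == "org.freedesktop.login1.suspend") {
    return (subject.active && subject.local) ? polkit.Result.YES
                                             : polkit.Result.NO;
  }
});

// Constructed subject; real polkitd fills these fields in itself.
function makeSubject(user, groups, active, local) {
  return { user, active, local, isInGroup: (g) => groups.includes(g) };
}

// First rule that returns a value wins; otherwise the action's defaults
// from its .policy file apply (reported here as "defaults").
function evaluate(actionId, subject) {
  for (const rule of polkit.rules) {
    const result = rule({ id: actionId }, subject);
    if (result !== undefined && result !== null) return result;
  }
  return "defaults";
}

const desktop = makeSubject("alice", ["storage"], true, true);
// Assumption: with no session tracking, active/local are modelled as false.
const noSession = makeSubject("alice", ["storage"], false, false);
for (const [name, s] of [["session-tracked", desktop], ["untracked", noSession]]) {
  console.log(name,
    "mount:", evaluate("org.freedesktop.udisks2.filesystem-mount", s),
    "suspend:", evaluate("org.freedesktop.login1.suspend", s));
}
```

The group rule gives the same answer for both subjects, while the suspend rule flips to a denial as soon as the session flags are not set.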