Polkit: Difference between revisions
Prabuanand (talk | contribs) m (reworded sentence) |
Prabuanand (talk | contribs) (added new section and list of Authentication agents) |
||
Line 20: | Line 20: | ||
== Using polkit with seatd == | == Using polkit with seatd == | ||
For a minimal [[Desktop environments and Window managers|desktop]], polkit can be used with [[Seatd#Polkit|seatd with certain limitations]]. With Seatd, polkit rules can only evaluate group membership, resulting in a 'yes' or 'no' decision. | For a minimal [[Desktop environments and Window managers|desktop]], polkit can be used with [[Seatd#Polkit|seatd with certain limitations]]. With Seatd, polkit rules can only evaluate group membership, resulting in a 'yes' or 'no' decision. Graphical, session aware [[#Authentication agents|authentication agents]] are not supported. | ||
To proceed to use polkit with seatd, install the {{Pkg|polkit}} package and enable the {{ic|polkit}} service using [[OpenRC]]: {{Cmd|<nowiki># apk add polkit | To proceed to use polkit with seatd, install the {{Pkg|polkit}} package and enable the {{ic|polkit}} service using [[OpenRC]]: {{Cmd|<nowiki># apk add polkit | ||
Line 28: | Line 28: | ||
== Authentication agents == | == Authentication agents == | ||
Polkit authentication agent integration | Polkit authentication agent integration helps coordinate the display of a password prompt to the active and local users. | ||
When an unprivileged user attempts to access a privileged location (such as by typing admin:// in the address bar of a [[File_management#File_managers|File Manager]]), when the appropriate polkit policy requires administrative authentication, a password dialogue will typically appear. | |||
For | {{Note|Authentication agents will work only when [[#Using polkit with elogind|polkit is used with elogind]].}} | ||
Some of the authentication agents available in Alpine linux is listed below: | |||
* {{Pkg|xfce-polkit}} | |||
* {{pkg|mate-polkit}} | |||
* {{pkg|polkit-gnome}} | |||
* {{pkg|polkit-kde-agent}} | |||
For [[Xfce]], install {{Pkg|xfce-polkit}} as follows:{{Cmd|# apk add {{Pkg|xfce-polkit}}}} | |||
== Enabling privilege escalation GUI == | |||
To enable the privilege escalation GUI for an [[Setting_up_a_new_user#Admin_user|admin user]], install the appropriate [[#Authentication agents|authentication agent]] for the desktop environment and ensure that [[#Using polkit with elogind|polkit is used with elogind]]. | |||
Ensure that the authentication agent is autostarted along with the desktop environment. | |||
If the above steps are completed, When {{ic|admin://}} is typed in the address bar of [[File_management#File_managers|File Manager]], a password dialogue will appear. | |||
== Polkit rule files == | == Polkit rule files == |
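Review bot: the new agent list and install line are inconsistent in their template usage. The first list item uses `{{Pkg|xfce-polkit}}` while the other three use `{{pkg|...}}`; pick one casing. The install line `{{Cmd|# apk add {{Pkg|xfce-polkit}}}}` nests a Pkg template inside Cmd, whereas the seatd section uses the `{{Cmd|<nowiki># apk add polkit` form with a bare package name; the bare name would match. In the prose, "Some of the authentication agents available in Alpine linux is listed below" should read "are listed", and "If the above steps are completed, When" should not capitalise "when". The "Enabling privilege escalation GUI" section tells the reader to ensure the agent is autostarted but gives no step for doing so, and it repeats the admin:// example already given under "Authentication agents".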
Revision as of 10:50, 7 August 2025
Polkit is an authorization manager which is used for allowing unprivileged processes to speak to privileged processes through some form of inter-process communication mechanism like D-Bus.
Prerequisites
- Install and configure D-Bus.
- For graphical applications, polkit relies on elogind or Seatd to determine the identity of the user making a request.
Using polkit with elogind
For a feature-rich desktop experience, use polkit with elogind. Features like authentication agents can be used only with elogind. Install the polkit-elogind package and enable the polkit service using OpenRC.
# apk add polkit-elogind
# rc-update add polkit
# rc-service polkit start
Proceed to configure elogind, if not done already.
Using polkit with seatd
For a minimal desktop, polkit can be used with seatd with certain limitations. With Seatd, polkit rules can only evaluate group membership, resulting in a 'yes' or 'no' decision. Graphical, session aware authentication agents are not supported.
To proceed to use polkit with seatd, install the polkit package and enable the polkit service using OpenRC:
# apk add polkit
# rc-update add polkit
# rc-service polkit start
Authentication agents
Polkit authentication agent integration helps coordinate the display of a password prompt to the active and local users. When an unprivileged user attempts to access a privileged location (such as by typing admin:// in the address bar of a File Manager) and the appropriate polkit policy requires administrative authentication, a password dialogue will typically appear.
Some of the authentication agents available in Alpine Linux are listed below:
- xfce-polkit
- mate-polkit
- polkit-gnome
- polkit-kde-agent
For Xfce, install xfce-polkit as follows:
# apk add xfce-polkit
Enabling privilege escalation GUI
To enable the privilege escalation GUI for an admin user, install the appropriate authentication agent for the desktop environment and ensure that polkit is used with elogind.
Ensure that the authentication agent is autostarted along with the desktop environment.
If the above steps are completed, a password dialogue will appear when admin:// is typed in the address bar of the File Manager.
Polkit rule files
The following example rule files have been provided to show the limitations of seatd.
Example1
A sample polkit rule file /etc/polkit-1/rules.d/50-udisks.rules which allows automatic mounting of removable storage based on membership of the disk or storage group. This rule depends only on group membership, which works with seatd:
Contents of /etc/polkit-1/rules.d/50-udisks.rules
The above polkit rule file is fully supported when used with both seatd and Elogind.
Example2
Elogind is required for rules that use "subject.active", and AUTH_ADMIN is not available without it, since polkit agents need POLKIT_IS_SUBJECT. Given below is a sample polkit rule file /etc/polkit-1/rules.d/51-require-active-session.rules which allows only active local sessions to suspend:
Contents of /etc/polkit-1/rules.d/51-require-active-session.rules
The above rule file depends on subject.active which is supported only when polkit is used with Elogind.
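The difference between Example1 and Example2 can be seen by running both kinds of rule against constructed subjects. This is an added example, not the wiki's rule files: the `polkit` stand-in object, the helper names, the two action ids and the modelling of a seatd subject as neither active nor local are assumptions.

```javascript
// Stand-in for the `polkit` object that polkitd provides to rule files, so the
// rules below can be evaluated offline. A real rules file contains only the
// polkit.addRule(...) calls.
const polkit = {
  Result: { NO: "no", YES: "yes", AUTH_ADMIN: "auth_admin" },
  rules: [],
  addRule(fn) { this.rules.push(fn); },
};

// Rule 1: decision from group membership only (assumed udisks2 action id).
polkit.addRule(function (action, subject) {
  if (action.id === "org.freedesktop.udisks2.filesystem-mount" &&
      (subject.isInGroup("disk") || subject.isInGroup("storage"))) {
    return polkit.Result.YES;
  }
});

// Rule 2: decision from session state (assumed login1 action id).
polkit.addRule(function (action, subject) {
  if (action.id === "org.freedesktop.login1.suspend") {
    return subject.active && subject.local ? polkit.Result.YES : polkit.Result.NO;
  }
});

// Constructed subjects. Assumption: without a session tracker, polkit reports
// the subject as neither active nor local.
function makeSubject(groups, active, local) {
  return { groups, active, local, isInGroup(g) { return groups.includes(g); } };
}
const seatdLike = makeSubject(["storage"], false, false);
const elogindLike = makeSubject(["storage"], true, true);

// Rules run in order; the first one that returns a value decides. If none
// does, polkitd falls back to the defaults in the action's .policy file.
function evaluate(actionId, subject) {
  for (const rule of polkit.rules) {
    const result = rule({ id: actionId }, subject);
    if (result) return result;
  }
  return "not handled";
}

for (const [name, s] of [["seatd-like", seatdLike], ["elogind-like", elogindLike]]) {
  console.log(name,
    evaluate("org.freedesktop.udisks2.filesystem-mount", s),
    evaluate("org.freedesktop.login1.suspend", s));
}
```

The group rule gives the same answer for both subjects, while the session rule denies the seatd-like subject even though the user is sitting at the machine.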