Polkit

From Alpine Linux
Revision as of 06:46, 25 July 2025 by Prabuanand (talk | contribs) (added section Authentication agents)

Polkit is an authorization manager which is used for allowing unprivileged processes to speak to privileged processes through some form of inter-process communication mechanism like D-Bus.

Prerequisites

  • Install and configure D-Bus.
  • For graphical applications, polkit relies on elogind or Seatd to determine the identity of the user making a request.
Tip: To use the full features of polkit, use it with elogind.

Using polkit with elogind

Polkit is mandatory for elogind, as it is needed for authentication. The full features of polkit can be used only with elogind. Install the polkit-elogind package and enable the polkit service using OpenRC.

# apk add polkit-elogind
# rc-update add polkit
# rc-service polkit start

Proceed to configure elogind, if not done already.

Using polkit with seatd

Polkit can be used for authentication with seatd with certain limitations. With Seatd, polkit rules can only evaluate group membership, resulting in a 'yes' or 'no' decision.

To proceed to use polkit with seatd, install the polkit package and enable the polkit service using OpenRC:

# apk add polkit
# rc-update add polkit
# rc-service polkit start

Proceed to configure seatd, if not done already.

Polkit rule files

The following example rule files have been provided to show the limitations of seatd.

Example1

A sample polkit rule file, /etc/polkit-1/rules.d/50-udisks.rules, which allows automatic mounting of removable storage for members of the disk or storage group. This rule depends only on group membership, which works with seatd:

Contents of /etc/polkit-1/rules.d/50-udisks.rules

polkit.addRule(function(action, subject) {
    // Members of the disk or storage group may perform these udisks2 actions
    if ((subject.isInGroup("disk") || subject.isInGroup("storage")) &&
        (action.id == "org.freedesktop.udisks2.filesystem-mount" ||
         action.id == "org.freedesktop.udisks2.filesystem-mount-system" ||
         action.id == "org.freedesktop.udisks2.filesystem-unmount-others" ||
         action.id == "org.freedesktop.udisks2.drive-eject" ||
         action.id == "org.freedesktop.udisks2.encrypted-unlock" ||
         action.id == "org.freedesktop.udisks2.power-off-drive")) {
        return polkit.Result.YES;
    }
});

The above polkit rule file is fully supported when used with both seatd and Elogind.

Example2

Elogind is required for "subject.active" rules and no AUTH_ADMIN, since polkit agents need POLKIT_IS_SUBJECT. The sample polkit rule file /etc/polkit-1/rules.d/51-require-active-session.rules below allows only active local sessions to suspend. It relies on subject.active, which requires Elogind:

Contents of /etc/polkit-1/rules.d/51-require-active-session.rules

polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.login1.suspend" && subject.active) {
        return polkit.Result.YES;
    } else if (action.id == "org.freedesktop.login1.suspend") {
        return polkit.Result.NO; // Or polkit.Result.AUTH_ADMIN to prompt for password
    }
});

The above polkit rule file is supported only when used with Elogind.
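The following is an added example, not part of the original page or of polkit: a small Node.js harness that evaluates the two rule files above against constructed subjects, so their decisions can be checked before the files are installed. The helpers makePolkit, loadPageRules and check are hypothetical stand-ins for what polkitd provides, and active: false is an assumption used here to model a subject without an active session.

```javascript
// Stand-in for the `polkit` object polkitd exposes to rule files (hypothetical helper).
function makePolkit() {
  const rules = [];
  return {
    Result: { NO: "no", YES: "yes" },
    addRule(fn) { rules.push(fn); },
    // Rules run in order; the first one that returns a value decides.
    decide(actionId, subject) {
      for (const rule of rules) {
        const result = rule({ id: actionId }, subject);
        if (result !== undefined && result !== null) return result;
      }
      return "not handled"; // no rule matched; the action's defaults would apply
    },
  };
}

// The two rules from this page, registered in file-name order (50-, then 51-).
function loadPageRules(polkit) {
  const udisks = ["filesystem-mount", "filesystem-mount-system",
    "filesystem-unmount-others", "drive-eject", "encrypted-unlock",
    "power-off-drive"].map((a) => "org.freedesktop.udisks2." + a);
  polkit.addRule(function (action, subject) {
    if ((subject.isInGroup("disk") || subject.isInGroup("storage")) &&
        udisks.includes(action.id)) {
      return polkit.Result.YES;
    }
  });
  polkit.addRule(function (action, subject) {
    if (action.id == "org.freedesktop.login1.suspend" && subject.active) {
      return polkit.Result.YES;
    } else if (action.id == "org.freedesktop.login1.suspend") {
      return polkit.Result.NO;
    }
  });
}

// Evaluate one request for a constructed subject (groups and `active` are sample values).
function check(groups, active, actionId) {
  const polkit = makePolkit();
  loadPageRules(polkit);
  const subject = { groups, active, isInGroup: (g) => groups.includes(g) };
  return polkit.decide(actionId, subject);
}

const MOUNT = "org.freedesktop.udisks2.filesystem-mount";
const SUSPEND = "org.freedesktop.login1.suspend";
console.log(check(["storage"], false, MOUNT), check(["users"], true, MOUNT),
  check(["users"], true, SUSPEND), check(["storage"], false, SUSPEND));
```

The first result shows that the group rule returns YES whatever the session state, which is why it behaves the same under seatd and Elogind, while the suspend rule's outcome depends entirely on subject.active.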

Authentication agents

Polkit authentication agent integration (for auth_self and auth_admin policies) helps coordinate the display of a password prompt to the active and local users.

For example, when an unprivileged user attempts to access a privileged location (such as by typing admin:// in the address bar of a File Manager) and a Polkit policy requires administrative authentication, a password dialogue will typically appear.
