Polkit

Polkit is an authorization manager which is used for allowing unprivileged processes to speak to privileged processes through some form of inter-process communication mechanism like D-Bus.

Prerequisites

Install and configure D-Bus.

Installation

For graphical applications, polkit relies on elogind or Seatd to determine the identity of the user making a request. To use the full features of polkit, using polkit with elogind is recommended.

Using polkit with elogind

For a feature-rich desktop experience, use polkit with elogind. Features like authentication agents can be used only with elogind. Install the polkit-elogind package and enable the polkit service using OpenRC.

# apk add polkit-elogind # rc-update add polkit # rc-service polkit start

Proceed to configure elogind, if not done already.

Using polkit with seatd

For a minimal desktop like Sway, polkit can be used with seatd with certain limitations. With Seatd, polkit rules can only evaluate group membership, resulting in a 'yes' or 'no' decision. Graphical, session aware authentication agents are not supported.

To proceed to use polkit with seatd, install the polkit package and enable the polkit service using OpenRC:

# apk add polkit # rc-update add polkit # rc-service polkit start

Authentication agents

Polkit authentication agent integration helps coordinate the display of a password prompt to the active and local users. When an unprivileged user attempts to access a privileged location (such as by typing admin:// in the address bar of a File Manager), when the appropriate polkit policy requires administrative authentication, a password dialogue will typically appear.

Note: Authentication agents will work only when polkit is used with elogind.

Some of the authentication agents available in Alpine linux is listed below:

For Xfce, install xfce-polkit as follows:

# apk add xfce-polkit

Polkit rule files

The following example rule files have been provided to show the limitations of seatd.

Example1

A sample polkit rule file /etc/polkit-1/rules.d/50-udisks.rules which allow automatic mounting of removable storage based on being a member of disk or storage group. This rule depends only on group membership which works with seatd:

Contents of /etc/polkit-1/rules.d/50-udisks.rules

polkit.addRule(function(action, subject) {
    if (subject.isInGroup("disk") || subject.isInGroup("storage")) &&
        (action.id == "org.freedesktop.udisks2.filesystem-mount" ||
         action.id == "org.freedesktop.udisks2.filesystem-mount-system" ||
	action.id == "org.freedesktop.udisks2.filesystem-unmount-others" ||  
         action.id == "org.freedesktop.udisks2.drive-eject" ||
         action.id == "org.freedesktop.udisks2.encrypted-unlock" ||
         action.id == "org.freedesktop.udisks2.power-off-drive")) {
        return polkit.Result.YES; // 
    }
});

The above polkit rule file is fully supported when used with both seatd and Elogind.

Example2

Elogind is required for "subject.active" rules and no AUTH_ADMIN, since polkit agents need POLKIT_IS_SUBJECT. Given below is a sample polkit rule file /etc/polkit-1/rules.d/51-require-active-session.rules which allow only active local sessions to suspend:

Contents of /etc/polkit-1/rules.d/51-require-active-session.rules

 
    polkit.addRule(function(action, subject) {
        if (action.id == "org.freedesktop.login1.suspend" &&
            subject.active) {
            return polkit.Result.YES;
        } else if (action.id == "org.freedesktop.login1.suspend") {
            return polkit.Result.NO; // Or polkit.Result.AUTH_ADMIN to prompt for password
        }
    });

The above rule file depends on subject.active which is supported only when polkit is used with Elogind.