PolicyKit - Debian Wiki
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="X-UA-Compatible" content="IE=Edge"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="shortcut icon" href="/htdocs/favicon.ico"> <script type="text/javascript" src="/htdocs/bugstatus.js"></script> <meta http-equiv="Content-Type" content="text/html;charset=utf-8"> <meta name="robots" content="noindex,nofollow"> <title>PolicyKit - Debian Wiki</title> <script type="text/javascript" src="/htdocs/common/js/common.js"></script> <script type="text/javascript"> <!-- var search_hint = "Search"; //--> </script> <link rel="stylesheet" type="text/css" charset="utf-8" media="all" href="/htdocs/debwiki/css/common.css"> <link rel="stylesheet" type="text/css" charset="utf-8" media="screen" href="/htdocs/debwiki/css/screen.css"> <link rel="stylesheet" type="text/css" charset="utf-8" media="print" href="/htdocs/debwiki/css/print.css"> <link rel="stylesheet" type="text/css" charset="utf-8" media="projection" href="/htdocs/debwiki/css/projection.css"> <link rel="stylesheet" type="text/css" charset="utf-8" media="all" href="/htdocs/debian-wiki-1.0.css"> <!-- css only for MS IE6/IE7 browsers --> <!--[if lt IE 8]> <link rel="stylesheet" type="text/css" charset="utf-8" media="all" href="/htdocs/debwiki/css/msie.css"> <![endif]--> <link rel="alternate" title="Debian Wiki: PolicyKit" href="/PolicyKit?diffs=1&show_att=1&action=rss_rc&unique=0&page=PolicyKit&ddiffs=1" type="application/rss+xml"> <link rel="Start" href="/FrontPage"> <link rel="Alternate" title="Wiki Markup" href="/PolicyKit?action=raw"> <link rel="Alternate" media="print" title="Print View" href="/PolicyKit?action=print"> <link rel="Search" href="/FindPage"> <link rel="Index" href="/TitleIndex"> <link rel="Glossary" href="/WordIndex"> <link rel="Help" href="/HelpOnFormatting"> </head> <body lang="en" dir="ltr">
<div id="header"> <h1 id="locationline"> <ul id="pagelocation"> <li><a href="/PolicyKit">PolicyKit</a></li> </ul> </h1> </div> <div id="page" lang="en" dir="ltr"> <div dir="ltr" id="content" lang="en"><span class="anchor" id="top"></span> <span class="anchor" id="line-1"></span><span class="anchor" id="line-2"></span><span class="anchor" id="line-3"></span><span class="anchor" id="line-4"></span><span class="anchor" id="line-5"></span><span class="anchor" id="line-7"></span><p class="line867"><hr /><p class="line874"> <span class="anchor" id="line-8"></span><div><table style="&quot; float:right; width:100px; background:transparent; margin: 0 0 1em 1em; &quot;"><tbody><tr> <td style="&quot; padding:0.5em; border-style:none; &quot;"><p class="line862"> <a class="http" href="http://screenshots.debian.net/screenshot/policykit-gnome"><img alt="Screenshot" class="external_image" src="http://screenshots.debian.net/thumbnail/policykit-gnome" title="Screenshot" width="160" /></a><br> <small><a class="interwiki" href="https://packages.debian.org/policykit-gnome" title="DebianPkg">policykit-gnome</a></small> </td> </tr> </tbody></table></div><span class="anchor" id="line-9"></span><span class="anchor" id="line-10"></span><p class="line867"><big>PolicyKit</big> is an application-level toolkit for defining and handling the policy that allows unprivileged processes to speak to privileged processes, in order 
to grant some user the right to perform some tasks in some situations. It is sometimes referred to as "the sudo of systemd". <span class="anchor" id="line-11"></span><span class="anchor" id="line-12"></span><p class="line862">While <big>PolicyKit</big> has been replaced by polkit (which rewrote the system component, breaking backwards compatibility) in many distributions, Debian continues to use <big>PolicyKit</big> from Debian 7 wheezy through Debian 10 buster. <span class="anchor" id="line-13"></span><span class="anchor" id="line-14"></span><p class="line874">Sample uses: <span class="anchor" id="line-15"></span><ul><li>Let the user hibernate and shut down the computer. <span class="anchor" id="line-16"></span></li><li>Let the user manage (wireless) connections. <span class="anchor" id="line-17"></span></li><li>Let the user mount/eject removable media (CD/DVD, USB keys...) <span class="anchor" id="line-18"></span></li><li>Let the user access devices, like audio, scanner, etc. <span class="anchor" id="line-19"></span></li></ul><p class="line862">As opposed to previous mechanisms used in GUIs, PolicyKit is a centralized place to define and enforce that policy. <span class="anchor" id="line-20"></span><span class="anchor" id="line-21"></span><p class="line862">For a general introduction, read <a class="http" href="http://lwn.net/Articles/258592/">http://lwn.net/Articles/258592/</a> or polkit(8)'s man page. <span class="anchor" id="line-22"></span><span class="anchor" id="line-23"></span><p class="line867"><a href="/ToDo"><strong class="highlight">ToDo</strong></a>: explain how it works. <span class="anchor" id="line-24"></span><span class="anchor" id="line-25"></span><p class="line867"> <h2 id="Configuration">Configuration</h2> <span class="anchor" id="line-26"></span><span class="anchor" id="line-27"></span><p class="line862">Policies installed locally should be installed to <tt class="backtick">/etc/polkit-1/localauthority/</tt>. 
<span class="anchor" id="line-28"></span><span class="anchor" id="line-29"></span><p class="line862">While modern examples of polkit typically demonstrate the use of JavaScript rules, PolicyKit does not support this and instead relies on the use of <tt class="backtick">*.conf</tt> and <tt class="backtick">*.pkla</tt> files. See <tt class="backtick">pklocalauthority(8)</tt>'s man page for details. <span class="anchor" id="line-30"></span><span class="anchor" id="line-31"></span><p class="line867"> <h3 id="Examples">Examples</h3> <span class="anchor" id="line-32"></span><span class="anchor" id="line-33"></span><p class="line862">To allow users of group <em>somegroup</em> to manage systemd services, create <tt class="backtick">/etc/polkit-1/localauthority/50-local.d/manage-units.pkla</tt> with the following content: <span class="anchor" id="line-34"></span><span class="anchor" id="line-35"></span><p class="line867"><span class="anchor" id="line-36"></span><span class="anchor" id="line-37"></span><span class="anchor" id="line-38"></span><span class="anchor" id="line-39"></span><span class="anchor" id="line-40"></span><pre><span class="anchor" id="line-1-1"></span>[Allow users to manage services]
<span class="anchor" id="line-2-1"></span>Identity=unix-group:somegroup
<span class="anchor" id="line-3-1"></span>Action=org.freedesktop.systemd1.manage-units
<span class="anchor" id="line-4-1"></span>ResultActive=yes</pre><span class="anchor" id="line-41"></span><span class="anchor" id="line-42"></span><p class="line862">This is PolicyKit's equivalent of the following polkit rule, which would be found at <tt class="backtick">/etc/polkit-1/rules.d/50-manage-units.rules</tt>: <span class="anchor" id="line-43"></span><span class="anchor" id="line-44"></span><p class="line867"><span class="anchor" id="line-45"></span><span class="anchor" id="line-46"></span><span class="anchor" id="line-47"></span><span class="anchor" id="line-48"></span><span class="anchor" 
id="line-49"></span><span class="anchor" id="line-50"></span><span class="anchor" id="line-51"></span><span class="anchor" id="line-52"></span><pre><span class="anchor" id="line-1-2"></span>polkit.addRule(function(action, subject) {
<span class="anchor" id="line-2-2"></span>    if (action.id == "org.freedesktop.systemd1.manage-units"
<span class="anchor" id="line-3-2"></span>        && subject.isInGroup("somegroup") )
<span class="anchor" id="line-4-2"></span>    {
<span class="anchor" id="line-5-1"></span>        return polkit.Result.YES;
<span class="anchor" id="line-6"></span>    }
<span class="anchor" id="line-7-1"></span>});</pre><span class="anchor" id="line-53"></span><span class="anchor" id="line-54"></span><p class="line867"> <h3 id="Limitations">Limitations</h3> <span class="anchor" id="line-55"></span><p class="line867">PolicyKit in Debian does not currently (as of Debian 11) allow the implementation of fine-grained permissions using the <tt class="backtick">lookup</tt> functionality which is available in polkit. For example, extending the above example to allow only start, stop and restart of a single unit, with polkit rules such as: <span class="anchor" id="line-56"></span><span class="anchor" id="line-57"></span><p class="line867"><span class="anchor" id="line-58"></span><span class="anchor" id="line-59"></span><span class="anchor" id="line-60"></span><span class="anchor" id="line-61"></span><span class="anchor" id="line-62"></span><pre>    // Goes inside the polkit.addRule() callback, after the action.id and group checks.
<span class="anchor" id="line-1-3"></span>    if (action.lookup("unit") == "openvpn.service") {
<span class="anchor" id="line-2-3"></span>        var verb = action.lookup("verb");
<span class="anchor" id="line-3-3"></span>        if (verb == "start" || verb == "stop" || verb == "restart") {
            return polkit.Result.YES;
        }
<span class="anchor" id="line-4-3"></span>    }</pre><span class="anchor" id="line-63"></span><span class="anchor" id="line-64"></span><p class="line862">is <strong>not</strong> currently possible with PolicyKit in Debian. 
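<p class="line862">The difference in scope between the group-wide grant and the per-unit restriction described above can be checked offline with the following added example, which is not part of the wiki page or of polkit itself. <tt class="backtick">makePolkit</tt>, <tt class="backtick">mkAction</tt>, <tt class="backtick">mkSubject</tt> and <tt class="backtick">decide</tt> are a constructed stand-in for polkitd's rule environment, the user <tt class="backtick">alice</tt> is a sample value, and the <tt class="backtick">auth_admin</tt> fallback is an assumed implicit default for the action.

```javascript
// Constructed stand-in for polkitd's rule environment (not polkit's own code).
function makePolkit() {
  const rules = [];
  return {
    Result: { YES: "yes", NO: "no", AUTH_ADMIN: "auth_admin" },
    addRule(fn) { rules.push(fn); },
    // Rules run in order; the first one that returns a value decides.
    check(action, subject, implicitDefault) {
      for (const rule of rules) {
        const result = rule(action, subject);
        if (result !== undefined && result !== null) return result;
      }
      return implicitDefault; // no rule matched: the action's own default applies
    },
  };
}
const mkAction = (id, details) => ({ id, lookup: (key) => details[key] });
const mkSubject = (user, groups) => ({ user, isInGroup: (g) => groups.includes(g) });

// The page's first rule: any manage-units request from somegroup is allowed.
function coarseRule(polkit) {
  polkit.addRule(function (action, subject) {
    if (action.id == "org.freedesktop.systemd1.manage-units" &&
        subject.isInGroup("somegroup")) {
      return polkit.Result.YES;
    }
  });
}

// The same rule narrowed with action.lookup() to one unit and three verbs.
function fineRule(polkit) {
  polkit.addRule(function (action, subject) {
    if (action.id == "org.freedesktop.systemd1.manage-units" &&
        subject.isInGroup("somegroup") &&
        action.lookup("unit") == "openvpn.service") {
      var verb = action.lookup("verb");
      if (verb == "start" || verb == "stop" || verb == "restart") {
        return polkit.Result.YES;
      }
    }
  });
}

// Evaluate one constructed request; "auth_admin" is the assumed implicit default.
function decide(install, unit, verb, groups) {
  const polkit = makePolkit();
  install(polkit);
  const action = mkAction("org.freedesktop.systemd1.manage-units", { unit, verb });
  return polkit.check(action, mkSubject("alice", groups), polkit.Result.AUTH_ADMIN);
}
```

<p class="line862">In this model, <tt class="backtick">decide(coarseRule, unit, verb, ["somegroup"])</tt> returns <tt class="backtick">"yes"</tt> for every unit and verb, which is the scope the <tt class="backtick">.pkla</tt> file above grants; <tt class="backtick">fineRule</tt> returns <tt class="backtick">"yes"</tt> only for start, stop and restart of <tt class="backtick">openvpn.service</tt>.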
<span class="anchor" id="line-65"></span><span class="anchor" id="line-66"></span><p class="line867"><span class="anchor" id="line-67"></span><p class="line867"><span class="anchor" id="line-68"></span><span class="anchor" id="line-69"></span><span class="anchor" id="line-70"></span><p class="line867"> <h2 id="See_also">See also</h2> <span class="anchor" id="line-71"></span><p class="line867"><span class="anchor" id="line-72"></span><ul><li><p class="line862">freedesktop.org project page for PolicyKit <small><br> <a class="https" href="https://www.freedesktop.org/wiki/Software/polkit/">https://www.freedesktop.org/wiki/Software/polkit/</a></small> <span class="anchor" id="line-73"></span><ul><li><p class="line891">PolicyKit Library Reference Manual <small><br> <a class="https" href="https://www.freedesktop.org/software/polkit/docs/0.105/">https://www.freedesktop.org/software/polkit/docs/0.105/</a> </small> <span class="anchor" id="line-74"></span></li><li><p class="line891">PolicyKit Specification <small><br> <a class="https" href="https://www.freedesktop.org/software/polkit/docs/0.105/polkit.8.html">https://www.freedesktop.org/software/polkit/docs/0.105/polkit.8.html</a></small> <span class="anchor" id="line-75"></span></li></ul></li><li><p class="line891"><a class="interwiki" href="https://manpages.debian.org/man/8/PolicyKit" title="DebianMan">PolicyKit(8)</a>, <a class="interwiki" href="https://manpages.debian.org/man/5/PolicyKit.conf" title="DebianMan">PolicyKit.conf(8)</a> <span class="anchor" id="line-76"></span></li><li><p class="line891"><a class="http" href="http://smcv.pseudorandom.co.uk/2015/why_polkit/">http://smcv.pseudorandom.co.uk/2015/why_polkit/</a> <span class="anchor" id="line-77"></span></li></ul><p class="line867"><hr /><p class="line874"> <span class="anchor" id="line-78"></span><a href="/CategorySystemAdministration">CategorySystemAdministration</a> <span class="anchor" id="line-79"></span><span class="anchor" id="bottom"></span></div><div 
id="pagebottom"></div> </div> <div id="footer"> <p id="pageinfo" class="info" lang="en" dir="ltr">PolicyKit (<a class="nbinfo" href="/PolicyKit?action=info" rel="nofollow">last modified 2022-03-10 15:42:38</a>)</p> </div> </body> </html>