Applies to SUSE Linux Enterprise Server 12 SP5

10 Authorization with Polkit #

Revision History: SUSE Linux Enterprise Server-Dokumentation

Polkit (formerly known as PolicyKit) is an application framework that acts as a negotiator between the unprivileged user session and the privileged system context. Whenever a process from the user session tries to carry out an action in the system context, Polkit is queried. Based on its configuration—specified in a so-called “policy”—the answer could be “yes”, “no”, or “needs authentication”. Unlike classical privilege authorization programs such as sudo, Polkit does not grant root permissions to an entire session, but only to the action in question.

10.1 Conceptual Overview #

Polkit works by limiting specific actions by users, by group, or by name. It then defines how those users are allowed to perform this action.

10.1.1 Available Authentication Agents #

When a user starts a session (using the graphical environment or on the console), each session consists of the authority and an authentication agent. The authority is implemented as a service on the system message bus, whereas the authentication agent is used to authenticate the current user, which started the session. The current user needs to prove their authenticity, for example, using a passphrase.

Each desktop environment has its own authentication agent. Usually it is started automatically, whatever environment you choose.

10.1.2 Structure of Polkit #

Polkit's configuration depends on actions and authorization rules:

Actions (file extension *.policy): Written as XML files and located in /usr/share/polkit-1/actions. Each file defines one or more actions, and each action contains descriptions and default permissions. Although a system administrator can write their own rules, Polkit's files must not be edited.
Authorization Rules (file extension *.rules): Written as JavaScript files and located in two places: /usr/share/polkit-1/rules.d is used for third party packages and /etc/polkit-1/rules.d for local configurations. Each rule file refers to the action specified in the action file. A rule determines what restrictions are allowed to a subset of users. For example, a rule file could overrule a restrictive permission and allow some users to allow it.

10.1.3 Available Commands #

Polkit contains several commands for specific tasks (see also the specific man page for further details):

pkaction: Get details about a defined action. See Section 10.3, “Querying Privileges” for more information.
pkcheck: Checks whether a process is authorized, specified by either --process or --system-bus-name.
pkexec: Allows an authorized user to execute the specific program as another user.
pkttyagent: Starts a textual authentication agent. This agent is used if a desktop environment does not have its own authentication agent.

10.1.4 Available Policies and Supported Applications #

At the moment, not all applications requiring privileges use Polkit. Find the most important policies available on SUSE® Linux Enterprise Server below, sorted into the categories where they are used.

PulseAudio

Set scheduling priorities for the PulseAudio daemon

CUPS

Add, remove, edit, enable or disable printers

GNOME

Modify system and mandatory values with GConf

Change the system time

libvirt

Manage and monitor local virtualized systems

NetworkManager

Apply and modify connections (only with the Workstation Extension for SUSE Linux Enterprise Server)

Polkit

Read and change privileges for other users

Modify defaults

PackageKit

Update and remove packages

Change and refresh repositories

Install local files

Rollback

Import repository keys

Accepting EULAs

Setting the network proxy

System

Wake on LAN

Mount or unmount fixed, hotpluggable and encrypted devices

Eject and decrypt removable media

Enable or disable WLAN

Enable or disable Bluetooth

Device access

Stop, suspend, hibernate and restart the system

Undock a docking station

Change power-management settings

YaST

Change the system time and language

10.2 Authorization Types #

Every time a Polkit-enabled process carries out a privileged operation, Polkit is asked whether this process is entitled to do so. Polkit answers according to the policy defined for this process. The answers can be yes, no, or authentication needed. By default, a policy contains implicit privileges, which automatically apply to all users. It is also possible to specify explicit privileges which apply to a specific user.

10.2.1 Implicit Privileges #

Implicit privileges can be defined for any active and inactive sessions. An active session is the one in which you are currently working. It becomes inactive when you switch to another console for example. When setting implicit privileges to “no”, no user is authorized, whereas “yes” authorizes all users. However, usually it is useful to demand authentication.

A user can either authorize by authenticating as root or by authenticating as self. Both authentication methods exist in four variants:

Authentication: The user always needs to authenticate.
One Shot Authentication: The authentication is bound to the instance of the program currently running. After the program is restarted, the user is required to authenticate again.
Keep Session Authentication: The authentication dialog offers a check button Remember authorization for this session. If checked, the authentication is valid until the user logs out.
Keep Indefinitely Authentication: The authentication dialog offers a check button Remember authorization. If checked, the user needs to authenticate only once.

10.2.2 Explicit Privileges #

Explicit privileges can be granted to specific users. They can either be granted without limitations, or, when using constraints, limited to an active session and/or a local console.

It is not only possible to grant privileges to a user, a user can also be blocked. Blocked users cannot carry out an action requiring authorization, even though the default implicit policy allows authorization by authentication.

10.2.3 Default Privileges #

Each application supporting Polkit comes with a default set of implicit policies defined by the application's developers. Those policies are the so-called “upstream defaults”. The privileges defined by the upstream defaults are not necessarily the ones that are activated by default on SUSE systems. SUSE Linux Enterprise Server comes with a predefined set of privileges that override the upstream defaults:

/etc/polkit-default-privs.standard: Defines privileges suitable for most desktop systems
/etc/polkit-default-privs.restrictive: Designed for machines administrated centrally. It is active by default.

To switch between the two sets of default privileges, adjust the value of POLKIT_DEFAULT_PRIVS to either restrictive or standard in /etc/sysconfig/security. Then run the command set_polkit_default_privs as root.

Do not modify the two files in the list above. To define your own custom set of privileges, use /etc/polkit-default-privs.local. For details, refer to Section 10.4.3, “Modifying Configuration Files for Implicit Privileges”.

10.3 Querying Privileges #

To query privileges use the command pkaction included in Polkit.

Polkit comes with command line tools for changing privileges and executing commands as another user (see Section 10.1.3, “Available Commands” for a short overview). Each existing policy has a speaking, unique name with which it can be identified. List all available policies with the command pkaction. See man pkaction for more information.

If you want to display the needed authorization for a given policy (for example, org.freedesktop.login1.reboot) use pkaction as follows:

pkaction -v --action-id=org.freedesktop.login1.reboot
org.freedesktop.login1.reboot:
  description:       Reboot the system
  message:           Authentication is required to allow rebooting the system
  vendor:            The systemd Project
  vendor_url:        http://www.freedesktop.org/wiki/Software/systemd
  icon:
  implicit any:      auth_admin_keep
  implicit inactive: auth_admin_keep
  implicit active:   yes

The keyword auth_admin_keep means that users need to enter a passphrase.

Note: Restrictions of pkaction on SUSE Linux Enterprise Server

pkaction always operates on the upstream defaults. Therefore it cannot be used to list or restore the defaults shipped with SUSE Linux Enterprise Server. To do so, refer to Section 10.5, “Restoring the Default Privileges”.

10.4 Modifying Configuration Files #

Adjusting privileges by modifying configuration files is useful when you want to deploy the same set of policies to different machines, for example to the computers of a specific team. It is possible to change implicit and explicit privileges by modifying configuration files.

10.4.1 Adding Action Rules #

The available actions depend on what additional packages you have installed on your system. For a quick overview, use pkaction to list all defined rules.

To get an idea, the following example describes how the command gparted (“GNOME Partition Editor”) is integrated into Polkit.

The file /usr/share/polkit-1/actions/org.opensuse.policykit.gparted.policy contains the following content:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
<policyconfig> 1

  <action id="org-opensuse-policykit-gparted"> 2
    <message>Authentication is required to run the GParted Partition Editor</message>
    <icon_name>gparted</icon_name>
    <defaults> 3
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
     < allow_active>auth_admin</allow_active>
    </defaults>
    <annotate 4
      key="org.freedesktop.policykit.exec.path">/usr/sbin/gparted</annotate>
    <annotate 4
      key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
  </action>

</policyconfig>

1	Root element of the policy file.
2	Contains one single action.
3	The `defaults` element contains several permissions used in remote sessions like SSH, VNC (element `allow_inactive`), when logged directly into the machine on a TTY or X display (element `allow_active`), or for both (element `allow_any`). The value `auth_admin` indicates authentication is required as an administrative user.
4	The `annotate` element contains specific information regarding how Polkit performs an action. In this case, it contains the path to the executable and states whether a GUI is allowed to open a X display.

To add your own policy, create a .policy file with the structure above, add the appropriate value into the id attribute, and define the default permissions.

10.4.2 Adding Authorization Rules #

Your own authorization rules overrule the default settings. To add your own settings, store your files under /etc/polkit-1/rules.d/.

The files in this directory start with a two-digit number, followed by a descriptive name, and end with .rules. Functions inside these files are executed in the order they have been sorted in. For example, 00-foo.rules is sorted (and hence executed) before 60-bar.rules or even 90-default-privs.rules.

Inside the file, the script checks for the specified action ID, which is defined in the .policy file. For example, if you want to allow the command gparted to be executed by any member of the admin group, check for the action ID org.opensuse.policykit.gparted:

/* Allow users in admin group to run GParted without authentication */
polkit.addRule(function(action, subject) {
    if (action.id == "org.opensuse.policykit.gparted" &&
        subject.isInGroup("admin")) {
        return polkit.Result.YES;
    }
});

Find the description of all classes and methods of the functions in the Polkit API at http://www.freedesktop.org/software/polkit/docs/latest/ref-api.html.

10.4.3 Modifying Configuration Files for Implicit Privileges #

SUSE Linux Enterprise Server ships with two sets of default authorizations, located in /etc/polkit-default-privs.standard and /etc/polkit-default-privs.restrictive. For more information, refer to Section 10.2.3, “Default Privileges”.

Custom privileges are defined in /etc/polkit-default-privs.local. Privileges defined here will always take precedence over the ones defined in the other configuration files. To define your custom set of privileges, do the following:

Open /etc/polkit-default-privs.local. To define a privilege, add a line for each policy with the following format:
```
<privilege_identifier>     <any session>:<inactive session>:<active session>
```
For example:
```
org.freedesktop.policykit.modify-defaults     auth_admin_keep_always
```
The following values are valid for the SESSION placeholders:
yes
grant privilege
no
block
auth_self
user needs to authenticate with own password every time the privilege is requested
auth_self_keep_session
user needs to authenticate with own password once per session, privilege is granted for the whole session
auth_self_keep_always
user needs to authenticate with own password once, privilege is granted for the current and for future sessions
auth_admin
user needs to authenticate with root password every time the privilege is requested
auth_admin_keep_session
user needs to authenticate with root password once per session, privilege is granted for the whole session
auth_admin_keep_always
user needs to authenticate with root password once, privilege is granted for the current and for future sessions
Run as root for changes to take effect:
```
# /sbin/set_polkit_default_privs
```
Optionally check the list of all privilege identifiers with the command pkaction.

10.5 Restoring the Default Privileges #

SUSE Linux Enterprise Server comes with a predefined set of privileges that is activated by default and thus overrides the upstream defaults. For details, refer to Section 10.2.3, “Default Privileges”.

Since the graphical Polkit tools and the command line tools always operate on the upstream defaults, SUSE Linux Enterprise Server includes an additional command-line tool, set_polkit_default_privs. It resets privileges to the values defined in /etc/polkit-default-privs.*. However, the command set_polkit_default_privs will only reset policies that are set to the upstream defaults.

Procedure 10.1: Restoring the SUSE Linux Enterprise Server Defaults #

Make sure /etc/polkit-default-privs.local does not contain any overrides of the default policies.
Important: Custom Policy Configuration
Policies defined in /etc/polkit-default-privs.local will be applied on top of the defaults during the next step.
To reset all policies to the upstream defaults first and then apply the SUSE Linux Enterprise Server defaults:
```
rm -f /var/lib/polkit/* && set_polkit_default_privs
```