12 comments to “A brief guide to PolicyKit”
Copyright © 2013 Scarygliders - All Rights Reserved
Thanks for this primer. It's a very good quick-start to understanding the overall structure of PolicyKit. Now it's just a matter of sorting through all the options and seeing what can be set, and what should be tweaked based on requirements.
George, precisely, you nailed it.
And I'm beginning to make a little progress in writing my new PolicyKit editor utility in Python.
This will be my first Python program so v1.0 will probably be full of naive methodology compared to an experienced Python programmer ;)
Regards
Kev.
Hi Kevin,
Very good article. I am a newbie using Ubuntu and am using xrdp to connect to an Ubuntu 12.04 LTS desktop edition. Based on your article, I have updated org.freedesktop.udisks.policy, setting allow_inactive to “yes”.
Still I am unable to access any NTFS drives or connect to any USB drives via xrdp. I get an error “Not authorised”. This however is not the case when logging into the desktop directly. Is there something additional that needs to be done, or does this apply only to server editions?
Thanks
Vikash
Which particular action did you modify? There are lots within that xml file :)
I have updated the following all to "yes":
Mount a device
Mount a system-internal device
Check file system on a device
Check file system of a system-internal device
Detach a drive
Thanks
I'll have a look into that – it may be you need to set additional permissions – I don't know which particular set is required to be able to mount an NTFS filesystem – there's no real documentation on HOW distros are configuring their systems.
Also, are you sure you just want to set all that to "yes" ? You should really set them to whatever their <allow_active> counterparts are set to. "yes" would give ALL remote users free permission for that action. Just sayin'
Hi,
I'd like to recommend something different from the approach you're taking. While this is less of a chainsaw approach than what you suggested about allowing all in the admin group full access (I don't know what you suggested, but I think I know what you did, having to do with altering polkit behaviour given the outcome was a blanket "yes" to everything), you know, you weren't totally wrong with that approach. You can be far more granular in your permissions and overrides to the PolicyKit actions in /usr/share/polkit-1/actions by instituting specific overrides in the folders within /etc/polkit-1/localauthority/ .
Here's an example I've used before. You can do stuff like "for the NetworkManager utility, allow all users in the "admin" group to make changes with admin auth, but not user xyz":
In /etc/polkit-1/localauthority/30-site.d/netmanager.pkla:
[Allow admin group to control NetworkManager]
Identity=unix-group:admin
Action=org.freedesktop.NetworkManager.network-control;org.freedesktop.NetworkManager.settings.modify.own;org.freedesktop.NetworkManager.use-user-connections
ResultAny=yes
ResultInactive=auth_admin
ResultActive=yes
And in /etc/polkit-1/localauthority/60-local.d/netmanager.pkla:
[Deny NetworkManager control to user xyz]
Identity=unix-user:xyz
Action=org.freedesktop.NetworkManager.network-control;org.freedesktop.NetworkManager.settings.modify.own;org.freedesktop.NetworkManager.use-user-connections
ResultAny=no
ResultInactive=no
ResultActive=no
/SM
Hi.
I found that editing the original polkit-1 files in the /usr/share/polkit-1/actions folder resulted in them being overwritten. So I followed SM's lead to prevent any of my overridden policies from being wiped out.
In order to be able to mount/unmount local partitions via remote desktop (RDP, NX, etc) I needed to create a policy for these actions : org.freedesktop.udisks.filesystem-mount;org.freedesktop.udisks.filesystem-mount-system-internal.
From a terminal I ssh'd into the remote machine and then ran "sudo nano /etc/polkit-1/localauthority/50-local.d/udisks.pkla". I then added these lines to the file:
[Allow adm group users to mount and unmount local disks]
Identity=unix-group:adm
Action=org.freedesktop.udisks.filesystem-mount;org.freedesktop.udisks.filesystem-mount-system-internal
ResultAny=yes
ResultInactive=auth_admin
ResultActive=yes
Saved the file and logged out. Then logged in to the remote machine via NX and mounted drives via Nautilus and the command line using "udisks" with no problems.
Hope this helps someone.
Priyend
I’ve modified the policies correctly to allow remote updates, upgrades, installations through synaptic, packagekit, and pkexec. I utilized /usr/share/polkit-1/actions/ and modified the following policies.
org.freedesktop.packagekit.policy
org.freedesktop.packagekit.cancel-foreign no:auth_admin_keep:auth_admin_keep
org.freedesktop.packagekit.package-install no:auth_admin_keep:auth_admin_keep
org.freedesktop.packagekit.package-install-untrusted no:auth_admin_keep:auth_admin_keep
org.freedesktop.packagekit.system-trust-signing-key no:auth_admin:auth_admin
org.freedesktop.packagekit.package-eula-accept no:yes:yes
org.freedesktop.packagekit.package-remove no:auth_admin_keep:auth_admin_keep
org.freedesktop.packagekit.system-update no:yes:yes
org.freedesktop.packagekit.system-rollback no:auth_admin:auth_admin
org.freedesktop.packagekit.system-sources-configure no:auth_admin_keep:auth_admin_keep
org.freedesktop.packagekit.system-sources-refresh no:yes:yes
org.freedesktop.packagekit.system-network-proxy-configure no:yes:yes
org.freedesktop.packagekit.system-change-install-root no:auth_admin_keep:auth_admin_keep
org.freedesktop.packagekit.device-rebind no:auth_admin_keep:auth_admin_keep
org.freedesktop.packagekit.upgrade-system no:auth_admin:auth_admin
org.freedesktop.policykit.policy
org.freedesktop.policykit.exec auth_admin:auth_admin:auth_admin
org.freedesktop.policykit.lockdown auth_admin:auth_admin:auth_admin
org.freedesktop.consolekit.policy
org.freedesktop.consolekit.system.stop no:yes:yes
org.freedesktop.consolekit.system.stop-multiple-users no:auth_admin_keep:auth_admin_keep
org.freedesktop.consolekit.system.restart no:yes:yes
org.freedesktop.consolekit.system.restart-multiple-users no:auth_admin_keep:auth_admin_keep
After modifying these policies, I’m still not able to access Synaptic remotely. Am I modifying the wrong policies?
Hi,
Basically, replacing all allow_inactive values with the values of allow_active is a one-liner when you use xmlstarlet.
Just install xmlstarlet (from the standard repository in Ubuntu, for example). Then changing all values is nothing more than (example):
xmlstarlet ed -u "//action/defaults/allow_inactive" -x "../allow_active/text()" org.freedesktop.udisks.policy
Creating a little script that feeds in all the files and pipes the result to a separate directory I leave to the precious user ;-)
Cheers,
Matt
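Tying the thread together (Kev's advice to copy the allow_active value into allow_inactive rather than writing a blanket "yes", Priyend's point that edits under /usr/share/polkit-1/actions get overwritten and belong in a .pkla under /etc/polkit-1/localauthority instead, and Matt's xmlstarlet one-liner), here is an added example that is not part of the original post or of the polkit project. It is a Python script that parses a .policy file, flags any action whose allow_inactive default is looser than its allow_active default, and renders a .pkla override that mirrors allow_active into ResultInactive for a chosen identity. The embedded SAMPLE_POLICY is constructed for this example (the udisks action ids are the ones discussed above, the default values are illustrative, not a distro's real ones), and the ranking of the auth_* values used by the check is a simplifying assumption of this script, not something polkit defines.

```python
"""Generate a polkit Local Authority (.pkla) override from a .policy file.

Added example, not code from the original post or from the polkit project.
"""
import xml.etree.ElementTree as ET

# Constructed sample in the format polkit installs under
# /usr/share/polkit-1/actions.  Action ids are the udisks ones from the
# comments; the default values are illustrative, not a real distro's.
SAMPLE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policyconfig>
  <action id="org.freedesktop.udisks.filesystem-mount">
    <description>Mount a device</description>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.freedesktop.udisks.filesystem-mount-system-internal">
    <description>Mount a system-internal device</description>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
  <action id="org.freedesktop.udisks.drive-detach">
    <description>Detach a drive</description>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>yes</allow_inactive>
      <allow_active>auth_admin</allow_active>
    </defaults>
  </action>
</policyconfig>
"""

# Implicit authorization values, most to least restrictive.  Ranking auth_self
# above auth_admin_keep is a simplifying assumption of this example; polkit
# itself defines no total order between them.
RANK = {"no": 0, "auth_admin": 1, "auth_admin_keep": 2,
        "auth_self": 3, "auth_self_keep": 4, "yes": 5}
DEFAULT_KEYS = ("allow_any", "allow_inactive", "allow_active")


def parse_defaults(policy_xml):
    """Map each action id to its <defaults>; an absent element is treated as 'no'."""
    defaults = {}
    for action in ET.fromstring(policy_xml).iter("action"):
        node = action.find("defaults")
        values = {}
        for key in DEFAULT_KEYS:
            elem = node.find(key) if node is not None else None
            text = elem.text.strip() if elem is not None and elem.text else "no"
            if text not in RANK:
                raise ValueError(f"{action.get('id')}: bad value {text!r} for {key}")
            values[key] = text
        defaults[action.get("id")] = values
    return defaults


def over_permissive_inactive(defaults):
    """Actions whose inactive-session default is looser than the active one,
    which is what blanket 'yes' edits produce."""
    return [aid for aid, d in defaults.items()
            if RANK[d["allow_inactive"]] > RANK[d["allow_active"]]]


def build_pkla(defaults, identity, title):
    """Render a .pkla override giving `identity` the allow_active result in
    inactive (e.g. xrdp/NX) sessions; allow_any and allow_active are kept as the
    policy file has them.  Actions that are already consistent are skipped, and
    actions sharing the same (any, active) pair are merged into one entry."""
    groups = {}
    for aid, d in defaults.items():
        if d["allow_inactive"] == d["allow_active"]:
            continue
        groups.setdefault((d["allow_any"], d["allow_active"]), []).append(aid)
    sections = []
    for n, ((any_, active), actions) in enumerate(groups.items(), start=1):
        sections.append("\n".join([
            f"[{title} {n}]",              # GKeyFile needs a unique group header
            f"Identity={identity}",
            "Action=" + ";".join(actions),
            f"ResultAny={any_}",
            f"ResultInactive={active}",
            f"ResultActive={active}",
        ]))
    return "\n\n".join(sections) + ("\n" if sections else "")


if __name__ == "__main__":
    d = parse_defaults(SAMPLE_POLICY)
    for aid in over_permissive_inactive(d):
        print(f"warning: {aid} allows more in inactive sessions than in active ones")
    print(build_pkla(d, "unix-group:adm", "Mirror allow_active for remote sessions"))
```

To use it on a real system, feed the script the contents of a file from /usr/share/polkit-1/actions and write the output to /etc/polkit-1/localauthority/50-local.d/<name>.pkla; the original .policy file stays untouched, so a package upgrade cannot silently revert the change. Two caveats a practitioner should keep in mind: the script only mirrors allow_active, so an action that is auth_admin_keep locally stays auth_admin_keep over xrdp rather than becoming "yes", and .pkla files are read only by the Local Authority backend of polkit 0.105 and earlier (the versions Ubuntu 12.04 shipped); polkit 0.106 and later replaced them with JavaScript rules under /etc/polkit-1/rules.d, where the same mirroring is expressed with polkit.addRule().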