
A brief guide to PolicyKit

Like the title suggests, this will be relatively brief – mostly because PolicyKit isn’t as difficult to understand as I originally led myself to believe.

It all sprang from starting to write about how to get X11rdp/xrdp up and running on your Linux systems. Sure, getting the desktop up remotely in a fast, efficient way was nice – but it soon became apparent to RDP users that not all was well – RDP users couldn’t do some of the nice convenient things that local desktop users could do.

Now, I looked into it at the time I was writing my utilities, and came across a “solution” which was to bring in all the current PolicyKit actions, then give them a blanket “YES” to all users in the “admin” group, and that seemed to solve the problem. But it would only work for systems which had an “admin” group, and only then for members of the admin group – and so mostly, it didn’t really work – and I’m actually glad it didn’t because giving users carte blanche access to do stuff like reboot your server is a VERY bad thing.

So I set about to make sure I really understood how PolicyKit works, and, actually, it’s not so difficult.

Basically, to PolicyKit, there are two types of login sessions; “Active”, or “Inactive”.

Your session is classed as being “Active”, if you are logged into a server directly either from a text TTY display console, or locally on an X Display – again directly on the system.

Your session is classed as being “Inactive”, if you are logged in “remotely” – for example, if you have SSH’ed in from another machine, or if you have logged in via VNC, RDP, NX, etc.

On the Debian-based systems I’ve seen (Debian, Ubuntu, etc.), PolicyKit is configured by default to treat “Inactive” sessions (i.e. remotely logged in) differently from “Active” (i.e. locally logged in) sessions.

The current PolicyKit policies are known as “actions”.

These actions are defined in policy files stored in /usr/share/polkit-1/actions . On one of my Debian workstations, that directory currently contains these files:

com.hp.hplip.policy                        org.freedesktop.modem-manager.policy        org.gnome.settingsdaemon.datetimemechanism.policy
com.ubuntu.pkexec.gparted.policy           org.freedesktop.packagekit.policy           org.gnome.settings-daemon.plugins.power.policy
com.ubuntu.pkexec.synaptic.policy          org.freedesktop.policykit.policy            org.gnome.settings-daemon.plugins.wacom.policy
com.ubuntu.softwareproperties.policy       org.freedesktop.RealtimeKit1.policy         org.kde.fontinst.policy
org.debian.apt.policy                      org.freedesktop.SystemToolsBackends.policy  org.kde.kcontrol.kcmclock.policy
org.debian.aptxapianindex.policy           org.freedesktop.udisks.policy               org.kde.kcontrol.kcmkdm.policy
org.debian.pkexec.gnome-system-log.policy  org.freedesktop.upower.policy               org.kde.kcontrol.kcmremotewidgets.policy
org.freedesktop.accounts.policy            org.freedesktop.upower.qos.policy           org.kde.ksysguard.processlisthelper.policy
org.freedesktop.color.policy               org.gnome.cpufreqselector.policy            org.kde.powerdevil.backlighthelper.policy
org.freedesktop.consolekit.policy          org.gnome.gconf.defaults.policy             org.opensuse.cupspkhelper.mechanism.policy

Another way to list the PolicyKit actions known to the system is to use the pkaction command. You’ll get this output from it:

# pkaction 
com.hp.hplip.installplugin
com.ubuntu.pkexec.gparted
com.ubuntu.pkexec.synaptic
com.ubuntu.softwareproperties.applychanges
org.debian.apt.cancel-foreign
org.debian.apt.change-config
org.debian.apt.change-repository
org.debian.apt.clean
org.debian.apt.get-trusted-vendor-keys
org.debian.apt.install-file
org.debian.apt.install-or-remove-packages
org.debian.apt.install-packages-from-new-repo
org.debian.apt.install-purchased-packages
org.debian.apt.set-proxy
org.debian.apt.update-cache
org.debian.apt.upgrade-packages
org.debian.aptxapianindex.update
org.debian.pkexec.gnome-system-log.run
org.freedesktop.ModemManager.Contacts
org.freedesktop.ModemManager.Device.Control
org.freedesktop.ModemManager.Device.Info
org.freedesktop.ModemManager.Location
org.freedesktop.ModemManager.SMS
org.freedesktop.ModemManager.USSD
org.freedesktop.RealtimeKit1.acquire-high-priority
org.freedesktop.RealtimeKit1.acquire-real-time
org.freedesktop.accounts.change-own-user-data
org.freedesktop.accounts.set-login-option
org.freedesktop.accounts.user-administration
org.freedesktop.color-manager.create-device
org.freedesktop.color-manager.create-profile
org.freedesktop.color-manager.delete-device
org.freedesktop.color-manager.delete-profile
org.freedesktop.color-manager.device-inhibit
org.freedesktop.color-manager.install-system-wide
org.freedesktop.color-manager.modify-device
org.freedesktop.color-manager.modify-profile
org.freedesktop.color-manager.sensor-lock
org.freedesktop.consolekit.system.restart
org.freedesktop.consolekit.system.restart-multiple-users
org.freedesktop.consolekit.system.stop
org.freedesktop.consolekit.system.stop-multiple-users
org.freedesktop.packagekit.cancel-foreign
org.freedesktop.packagekit.device-rebind
org.freedesktop.packagekit.package-eula-accept
org.freedesktop.packagekit.package-install
org.freedesktop.packagekit.package-install-untrusted
org.freedesktop.packagekit.package-remove
org.freedesktop.packagekit.repair-system
org.freedesktop.packagekit.system-change-install-root
org.freedesktop.packagekit.system-network-proxy-configure
org.freedesktop.packagekit.system-rollback
org.freedesktop.packagekit.system-sources-configure
org.freedesktop.packagekit.system-sources-refresh
org.freedesktop.packagekit.system-trust-signing-key
org.freedesktop.packagekit.system-update
org.freedesktop.packagekit.upgrade-system
org.freedesktop.policykit.exec
org.freedesktop.policykit.lockdown
org.freedesktop.systemtoolsbackends.self.set
org.freedesktop.systemtoolsbackends.set
org.freedesktop.udisks.cancel-job-others
org.freedesktop.udisks.change
org.freedesktop.udisks.change-system-internal
org.freedesktop.udisks.drive-ata-smart-refresh
org.freedesktop.udisks.drive-ata-smart-retrieve-historical-data
org.freedesktop.udisks.drive-ata-smart-selftest
org.freedesktop.udisks.drive-detach
org.freedesktop.udisks.drive-eject
org.freedesktop.udisks.drive-set-spindown
org.freedesktop.udisks.filesystem-check
org.freedesktop.udisks.filesystem-check-system-internal
org.freedesktop.udisks.filesystem-lsof
org.freedesktop.udisks.filesystem-lsof-system-internal
org.freedesktop.udisks.filesystem-mount
org.freedesktop.udisks.filesystem-mount-system-internal
org.freedesktop.udisks.filesystem-unmount-others
org.freedesktop.udisks.inhibit-polling
org.freedesktop.udisks.linux-lvm2
org.freedesktop.udisks.linux-md
org.freedesktop.udisks.luks-lock-others
org.freedesktop.udisks.luks-unlock
org.freedesktop.upower.hibernate
org.freedesktop.upower.qos.cancel-request
org.freedesktop.upower.qos.request-latency
org.freedesktop.upower.qos.request-latency-persistent
org.freedesktop.upower.qos.set-minimum-latency
org.freedesktop.upower.suspend
org.gnome.cpufreqselector
org.gnome.gconf.defaults.set-mandatory
org.gnome.gconf.defaults.set-system
org.gnome.settings-daemon.plugins.power.backlight-helper
org.gnome.settings-daemon.plugins.wacom.wacom-led-helper
org.gnome.settingsdaemon.datetimemechanism.configure
org.kde.fontinst.manage
org.kde.kcontrol.kcmclock.save
org.kde.kcontrol.kcmkdm.managefaces
org.kde.kcontrol.kcmkdm.managethemes
org.kde.kcontrol.kcmkdm.save
org.kde.kcontrol.kcmremotewidgets.save
org.kde.ksysguard.processlisthelper.changecpuscheduler
org.kde.ksysguard.processlisthelper.changeioscheduler
org.kde.ksysguard.processlisthelper.renice
org.kde.ksysguard.processlisthelper.sendsignal
org.kde.powerdevil.backlighthelper.brightness
org.kde.powerdevil.backlighthelper.setbrightness
org.opensuse.cupspkhelper.mechanism.all-edit
org.opensuse.cupspkhelper.mechanism.class-edit
org.opensuse.cupspkhelper.mechanism.devices-get
org.opensuse.cupspkhelper.mechanism.job-edit
org.opensuse.cupspkhelper.mechanism.job-not-owned-edit
org.opensuse.cupspkhelper.mechanism.printer-enable
org.opensuse.cupspkhelper.mechanism.printer-local-edit
org.opensuse.cupspkhelper.mechanism.printer-remote-edit
org.opensuse.cupspkhelper.mechanism.printer-set-default
org.opensuse.cupspkhelper.mechanism.printeraddremove
org.opensuse.cupspkhelper.mechanism.server-settings

Clearly, there are more actions listed from the pkaction command than there appear to be in the directory listing above, so what’s going on?

Well, let’s look at one of the policy files in the /usr/share/polkit-1/actions directory above, namely org.freedesktop.udisks.policy .

Notice in the output from pkaction above there are a number of similarly named actions:

org.freedesktop.udisks.cancel-job-others
org.freedesktop.udisks.change
org.freedesktop.udisks.change-system-internal
org.freedesktop.udisks.drive-ata-smart-refresh
org.freedesktop.udisks.drive-ata-smart-retrieve-historical-data
org.freedesktop.udisks.drive-ata-smart-selftest
org.freedesktop.udisks.drive-detach
org.freedesktop.udisks.drive-eject
org.freedesktop.udisks.drive-set-spindown
org.freedesktop.udisks.filesystem-check
org.freedesktop.udisks.filesystem-check-system-internal
org.freedesktop.udisks.filesystem-lsof
org.freedesktop.udisks.filesystem-lsof-system-internal
org.freedesktop.udisks.filesystem-mount
org.freedesktop.udisks.filesystem-mount-system-internal
org.freedesktop.udisks.filesystem-unmount-others
org.freedesktop.udisks.inhibit-polling

Let’s look at the contents of the file /usr/share/polkit-1/actions/org.freedesktop.udisks.policy:

# cat org.freedesktop.udisks.policy
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
<policyconfig>
  <vendor>The udisks Project</vendor>
  <vendor_url>http://udisks.freedesktop.org/</vendor_url>
  <icon_name>drive-removable-media</icon_name>
  <action id="org.freedesktop.udisks.filesystem-mount">
    <description>Mount a device</description>
    <description xml:lang="da">Montér en enhed</description>
    <description xml:lang="de">Gerät einhängen</description>
    <description xml:lang="pt_BR">Montar um dispositivo</description>
    <message>Authentication is required to mount the device</message>
    <message xml:lang="da">Autorisering er påkrævet for at montere et fil system</message>
    <message xml:lang="de">Zugriffsrechte werden benötigt um das Gerät einzuhängen</message>
    <message xml:lang="pt_BR">Autenticação é requerida para montar o dispositivo</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.freedesktop.udisks.filesystem-mount-system-internal">
    <description>Mount a system-internal device</description>
    <description xml:lang="da">Montér en intern enhed</description>
    <description xml:lang="de">Eingebautes Gerät einhängen</description>
    <description xml:lang="pt_BR">Montar um dispositivo interno</description>
    <message>Authentication is required to mount the device</message>
    <message xml:lang="da">Autorisering er påkrævet for at montere et fil system</message>
    <message xml:lang="de">Zugriffsrechte werden benötigt um das Gerät einzuhängen</message>
    <message xml:lang="pt_BR">Autenticação é requerida para montar o dispositivo</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
  <action id="org.freedesktop.udisks.filesystem-check">
    <description>Check file system on a device</description>
    <description xml:lang="da">Check fil system for en enhed</description>
    <description xml:lang="de">Dateisystem auf einem Gerät prüfen</description>
    <description xml:lang="pt_BR">Verificar o sistema de arquivos de um dispositivo</description>
    <message>Authentication is required to check the file system on the device</message>
    <message xml:lang="da">Autorisering er påkrævet for at checke fil systemet på en enhed</message>
    <message xml:lang="de">Zugriffsrechte werden benötigt um das Dateisystem auf dem Gerät zu prüfen</message>
    <message xml:lang="pt_BR">Autenticação é requerida para verificar o sistema de arquivos no dispositivo</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.freedesktop.udisks.filesystem-check-system-internal">
    <description>Check file system of a system-internal device</description>
    <description xml:lang="da">Check fil system for en intern enhed</description>
    <description xml:lang="de">Dateisystem auf einem eingebauten Gerät prüfen</description>
    <description xml:lang="pt_BR">Verificar o sistema de arquivos de um dispositivo interno</description>
    <message>Authentication is required to check the file system on the device</message>
    <message xml:lang="da">Autorisering er påkrævet for at checke fil systemet på en enhed</message>
    <message xml:lang="de">Zugriffsrechte werden benötigt um das Dateisystem auf dem Gerät zu prüfen</message>
    <message xml:lang="pt_BR">Autenticação é requerida para verificar o sistema de arquivos no dispositivo</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
  <action id="org.freedesktop.udisks.filesystem-unmount-others">
    <description>Unmount a device mounted by another user</description>
    <description xml:lang="da">Afmontér en enhed monteret af en anden bruger</description>
    <description xml:lang="de">Gerät eines anderen Benutzers aushängen</description>
    <description xml:lang="pt_BR">Desmontar um dispositivo montado por um outro usuaŕio</description>
    <message>Authentication is required to unmount devices mounted by another user</message>
    <message xml:lang="da">Autorisering er påkrævet for at afmontere enheder monteret af en anden bruger</message>
    <message xml:lang="de">Zugriffsrechte werden benötigt um ein Gerät auszuhängen, das ein anderer Benutzer eingehängt hat</message>
    <message xml:lang="pt_BR">Autenticação é requerida para desmontar dispositivos montados por um outro usuário</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin</allow_active>
    </defaults>
  </action>
  <action id="org.freedesktop.udisks.filesystem-lsof">
    <description>List open files</description>
    <description xml:lang="da">Vis åbne filer</description>
    <description xml:lang="de">Offene Dateien anzeigen</description>
    <description xml:lang="pt_BR">Listar arquivos abertos</description>
    <message>Authentication is required to list open files on a mounted file system</message>
    <message xml:lang="da">Autorisering er påkrævet for at liste åbne filer</message>
    <message xml:lang="de">Zugriffsrechte werden benötigt um offene Dateien auf einem eingehängen Dateisystem anzuzeigen</message>
    <message xml:lang="pt_BR">Autenticação é requerida para listar arquivos abertos num sistema de arquivos montado</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.freedesktop.udisks.filesystem-lsof-system-internal">
    <description>List open files on a system-internal device</description>
    <description xml:lang="da">Vis åbne filer på en intern enhed</description>
    <description xml:lang="de">Offene Dateien auf einem eingebauten Gerät anzeigen</description>
    <description xml:lang="pt_BR">Listar arquivos abertos num dispositivo interno</description>
    <message>Authentication is required to list open files on a mounted file system</message>
    <message xml:lang="da">Autorisering er påkrævet for at liste åbne filer</message>
    <message xml:lang="de">Zugriffsrechte werden benötigt um offene Dateien auf einem eingehängen Dateisystem anzuzeigen</message>
    <message xml:lang="pt_BR">Autenticação é requerida para listar arquivos abertos num sistema de arquivos montado</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
  <action id="org.freedesktop.udisks.drive-eject">
    <description>Eject media from a device</description>
    <description xml:lang="de">Medium aus Gerät auswerfen</description>
    <description xml:lang="pt_BR">Ejetar mídia de um dispositivo</description>
    <message>Authentication is required to eject media from the device</message>
    <message xml:lang="da">Autorisering er påkrævet for at skubbe medie ud af en enhed</message>
    <message xml:lang="de">Zugriffsrechte werden benötigt um das Medium aus dem Gerät auszuwerfen</message>
    <message xml:lang="pt_BR">Autenticação é requerida para ejetar mídia do dispositivo</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.freedesktop.udisks.drive-detach">
    <description>Detach a drive</description>
    <description xml:lang="de">Laufwerk trennen</description>
    <description xml:lang="pt_BR">Desanexar um disco</description>
    <message>Authentication is required to detach the drive</message>
    <message xml:lang="de">Zugriffsrechte werden benötigt um das Laufwerk zu trennen</message>
    <message xml:lang="pt_BR">Autenticação é requerida para desanexar o disco</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.freedesktop.udisks.change">
    <description>Modify a device</description>
    <description xml:lang="da">Modificér en enhed</description>
    <description xml:lang="de">Gerät ändern</description>
    <description xml:lang="pt_BR">Modificar um dispositivo</description>
    <message>Authentication is required to modify the device</message>
    <message xml:lang="da">Autorisering er påkrævet for at ændre en enhed</message>
    <message xml:lang="de">Zugriffsrechte werden benötigt um das Gerät zu ändern</message>
    <message xml:lang="pt_BR">Autenticação é requerida para modificar o dispositivo</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.freedesktop.udisks.change-system-internal">
    <description>Modify a system-internal device</description>
    <description xml:lang="da">Modificér en intern enhed</description>
    <description xml:lang="de">Eingebautes Gerät ändern</description>
    <description xml:lang="pt_BR">Modificar um dispositivo interno</description>
    <message>Authentication is required to modify the device</message>
    <message xml:lang="da">Autorisering er påkrævet for at ændre en enhed</message>
    <message xml:lang="de">Zugriffsrechte werden benötigt um das Gerät zu ändern</message>
    <message xml:lang="pt_BR">Autenticação é requerida para modificar o dispositivo</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
  <action id="org.freedesktop.udisks.drive-ata-smart-refresh">
    <description>Refresh ATA SMART data</description>
    <description xml:lang="da">Læs ATA SMART data</description>
    <description xml:lang="de">ATA-SMART-Daten aktualisieren</description>
    <description xml:lang="pt_BR">Atualizar dados ATA SMART</description>
    <message>Authentication is required to refresh ATA SMART data</message>
    <message xml:lang="da">Autorisering er påkrævet for at læse ATA SMART data</message>
    <message xml:lang="de">Zugriffsrechte werden benötigt um ATA-SMART-Daten zu aktualisieren</message>
    <message xml:lang="pt_BR">Autenticação é requerida para atualizar os dados ATA SMART</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.freedesktop.udisks.drive-ata-smart-selftest">
    <description>Run ATA SMART Self Tests</description>
    <description xml:lang="da">Kør ATA SMART selv checks</description>
    <description xml:lang="de">ATA-SMART-Selbsttest starten</description>
    <description xml:lang="pt_BR">Executar autotestes ATA SMART</description>
    <message>Authentication is required to run ATA SMART self tests</message>
    <message xml:lang="da">Autorisering er påkrævet for at køre ATA SMART selvcheck</message>
    <message xml:lang="de">Zugriffsrechte werden benötigt um ATA-SMART-Selbsttests zu starten</message>
    <message xml:lang="pt_BR">Autenticação é requerida para executar autotestes ATA SMART</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin</allow_active>
    </defaults>
  </action>
  <action id="org.freedesktop.udisks.drive-ata-smart-retrieve-historical-data">
    <description>Retrieve historical ATA SMART data</description>
    <description xml:lang="da">Hent historisk ATA SMART data</description>
    <description xml:lang="de">Historische ATA-SMART-Daten holen</description>
    <description xml:lang="pt_BR">Recuperar histórico de dados ATA SMART</description>
    <message>Authentication is required to retrieve historical ATA SMART data</message>
    <message xml:lang="da">Autorisering er påkrævet for at hente historisk ATA SMART data</message>
    <message xml:lang="de">Zugriffsrechte werden benötigt um historische ATA-SMART-Daten zu holen</message>
    <message xml:lang="pt_BR">Autenticação é requerida para recuperar o histórico de dados ATA SMART</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.freedesktop.udisks.luks-unlock">
    <description>Unlock an encrypted device</description>
    <description xml:lang="da">Åbn en krypteret enhed</description>
    <description xml:lang="de">Verschlüsseltes Gerät entsperren</description>
    <description xml:lang="pt_BR">Desbloquear um dispositivo criptografado</description>
    <message>Authentication is required to unlock an encrypted device</message>
    <message xml:lang="da">Autorisering er påkrævet for at åbne en krypteret enhed</message>
    <message xml:lang="de">Zugriffsrechte werden benötigt um ein verschlüsseltes Gerät zu entsperren</message>
    <message xml:lang="pt_BR">Autenticação é requerida para desbloquear um dispositivo criptografado</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.freedesktop.udisks.luks-lock-others">
    <description>Lock an encrypted device unlocked by another user</description>
    <description xml:lang="da">Lås en krypteret enhed åbnet af en anden bruger</description>
    <description xml:lang="de">Verschlüsseltes Gerät eines anderen Benutzers sperren</description>
    <description xml:lang="pt_BR">Bloquear um dispositivo criptografado desbloqueado por um outro usuário</description>
    <message>Authentication is required to lock an encrypted device unlocked by another user</message>
    <message xml:lang="da">Autorisering er påkrævet for at låse en krypteret enhed åbnet af en anden bruger</message>
    <message xml:lang="de">Zugriffsrechte werden benötigt um ein verschlüsseltes Gerät zu sperren, das ein anderer Benutzer entsperrt hat</message>
    <message xml:lang="pt_BR">Autenticação é requerida para bloquear um dispositivo criptografado desbloqueado por um outro usuário</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin</allow_active>
    </defaults>
  </action>
  <action id="org.freedesktop.udisks.linux-md">
    <description>Configure Linux Software RAID</description>
    <description xml:lang="da">Konfigurér Software RAID</description>
    <description xml:lang="de">Linux Software-RAID konfigurieren</description>
    <description xml:lang="pt_BR">Configurar RAID por software Linux</description>
    <message>Authentication is required to configure Linux Software RAID devices</message>
    <message xml:lang="da">Autorisering er påkrævet for at konfigurere RAID enheder</message>
    <message xml:lang="de">Zugriffsrechte werden benötigt um Linux Software-RAID-Geräte zu konfigurieren</message>
    <message xml:lang="pt_BR">Autenticação é requerida para configurar dispositivos de RAID por software Linux</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
  <action id="org.freedesktop.udisks.linux-lvm2">
    <description>Configure Linux LVM2</description>
    <description xml:lang="pt_BR">Configurar LVM2 Linux</description>
    <message>Authentication is required to configure Linux LVM2</message>
    <message xml:lang="pt_BR">Autenticação é requerida para configurar LVM2 Linux</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
  <action id="org.freedesktop.udisks.cancel-job-others">
    <description>Cancel a job initiated by another user</description>
    <description xml:lang="da">Afbryd job påbegyndt af en anden bruger</description>
    <description xml:lang="de">Auftrag eines anderen Benutzers abbrechen</description>
    <description xml:lang="pt_BR">Cancelar uma tarefa iniciada por um outro usuário</description>
    <message>Authentication is required to cancel a job initiated by another user</message>
    <message xml:lang="da">Autorisering er påkrævet for at afbryde et job påbegyndt af en anden bruger</message>
    <message xml:lang="de">Zugriffsrechte werden benötigt um einen Auftrag eines anderen Benutzers abzubrechen</message>
    <message xml:lang="pt_BR">Autenticação é requerida para cancelar uma tarefa iniciada por um outro usuário</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin</allow_active>
    </defaults>
  </action>
  <action id="org.freedesktop.udisks.inhibit-polling">
    <description>Inhibit media detection</description>
    <description xml:lang="da">Undertryk medie detektion</description>
    <description xml:lang="de">Medium-Erkennung unterdrücken</description>
    <description xml:lang="pt_BR">Inibir detecção de mídia</description>
    <message>Authentication is required to inhibit media detection</message>
    <message xml:lang="da">Autorisering er påkrævet for at undertrykke medie detektion</message>
    <message xml:lang="de">Zugriffsrechte werden benötigt um Mediumerkennung zu unterdrücken</message>
    <message xml:lang="pt_BR">Autenticação é requerida para inibir detecção de mídia</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.freedesktop.udisks.drive-set-spindown">
    <description>Set drive spindown timeout</description>
    <description xml:lang="de">Laufwerks-Zeitabschaltung setzen</description>
    <description xml:lang="pt_BR">Definir o intervalo para desaceleração do disco</description>
    <message>Authentication is required to configure drive spindown timeout</message>
    <message xml:lang="de">Zugriffsrechte werden benötigt um die Laufwerks-Zeitabschaltung zu konfigurieren</message>
    <message xml:lang="pt_BR">Autenticação é requerida para configurar o intervalo para desaceleração do disco</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
</policyconfig>

Oh great, XML. I love XML files – not!

And now you can see where the pkaction command gets all those additional actions from – they’re all defined within the XML files stored in /usr/share/polkit-1/actions .

Let’s look at how one particular udisks action is defined:

  <action id="org.freedesktop.udisks.drive-eject">
    <description>Eject media from a device</description>
    <description xml:lang="de">Medium aus Gerät auswerfen</description>
    <description xml:lang="pt_BR">Ejetar mídia de um dispositivo</description>
    <message>Authentication is required to eject media from the device</message>
    <message xml:lang="da">Autorisering er påkrævet for at skubbe medie ud af en enhed</message>
    <message xml:lang="de">Zugriffsrechte werden benötigt um das Medium aus dem Gerät auszuwerfen</message>
    <message xml:lang="pt_BR">Autenticação é requerida para ejetar mídia do dispositivo</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>

Obviously, this defines how your system will handle a request to eject a disk.

Observe the three elements inside <defaults>, named allow_any, allow_inactive, and allow_active.

And remember what I said earlier about how PolicyKit defines what ACTIVE and INACTIVE sessions are.

Now, put the two together, look at the action for ejecting a disk, and you will see that your system by default does not give remote (“inactive”) sessions permission to eject a disc from the system’s drive – and that’s why users logging in via RDP can’t do the nice convenient things that local users can do.

So by now you’ve figured out what you need to do, to get RDP sessions to do the stuff you’re used to doing on your local desktop – yes, you need to alter each action you want RDP sessions to have permission to perform, such that <allow_inactive>no</allow_inactive> , is changed to <allow_inactive>yes</allow_inactive> , for each action defined.

Now, BE CAREFUL which actions you edit, and what permissions you give them.

There are a number of possible permissions for each defined action – here’s a snippet from the man page of polkit(8):

           Each of the allow_any, allow_inactive and allow_active elements can contain the following values:
           no
               Not authorized.
           yes
               Authorized.
           auth_self
               Authentication by the owner of the session that the client originates from is required.
           auth_admin
               Authentication by an administrative user is required.
           auth_self_keep
               Like auth_self but the authorization is kept for a brief period.
           auth_admin_keep
               Like auth_admin but the authorization is kept for a brief period.

In other words, if you run your own Linux system – whether it’s a small laptop or PC in your home, or a huge pulsating server in some company – YOU ARE THE SYSTEM ADMINISTRATOR for that system – and as such, deciding what you give authorization to is up to you.

As a general guideline, I recommend that you see what permission has been granted in the <allow_active> part of each action, and use that same setting in the <allow_inactive> part, for each action you wish to give remote/RDP users permission to do.

For example, let’s look at this action:

<action id="org.freedesktop.udisks.linux-lvm2">
    <description>Configure Linux LVM2</description>
    <description xml:lang="pt_BR">Configurar LVM2 Linux</description>
    <message>Authentication is required to configure Linux LVM2</message>
    <message xml:lang="pt_BR">Autenticação é requerida para configurar LVM2 Linux</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>

At the moment, even if you logged into a system with this configuration as a user with Administrator rights, via RDP, you would not be able to configure LVM2 via that RDP session. It wouldn’t work, then you’d probably write a “THIS AIN’T WORKING!!111!” reply to my article on how to install X11rdp :)

See how the allow_active entry contains auth_admin_keep ?

That’s what you should change the allow_inactive entry to. If you changed that “no” to a “yes” – you just gave carte blanche access to ALL “inactive” (read “remote” or RDP) user sessions to be able to tinker with LVM2 on that system.
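
The check below, added here as an example and not part of the original article, parses a .policy file and lists every action whose allow_inactive or allow_any is more permissive than its allow_active, which is what a blanket “yes” edit produces. The permissiveness ranking, the treatment of a missing element as “no”, and the org.example.constructed.* action ids are assumptions of the example.

```python
import xml.etree.ElementTree as ET

# Most to least restrictive. This ranking is an assumption of the example,
# not something polkit defines.
RANK = {"no": 0, "auth_admin": 1, "auth_admin_keep": 2,
        "auth_self": 3, "auth_self_keep": 4, "yes": 5}

def audit_policy(xml_text):
    """Return (action id, element, value, allow_active value) for each
    allow_any/allow_inactive that is more permissive than allow_active."""
    findings = []
    for action in ET.fromstring(xml_text).iter("action"):
        defaults = action.find("defaults")
        if defaults is None:
            continue
        # Assumption: a missing or empty element counts as "no".
        get = lambda tag: (defaults.findtext(tag) or "no").strip()
        active = get("allow_active")
        for tag in ("allow_any", "allow_inactive"):
            value = get(tag)
            # Unrecognised values rank as worst case, so they are always flagged.
            if RANK.get(value, 99) > RANK.get(active, -1):
                findings.append((action.get("id"), tag, value, active))
    return findings

# Constructed sample: the LVM2 action from the article, then two edited variants.
SAMPLE = """<policyconfig>
  <action id="org.freedesktop.udisks.linux-lvm2"><defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
  </defaults></action>
  <action id="org.example.constructed.blanket-yes"><defaults>
      <allow_inactive>yes</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
  </defaults></action>
  <action id="org.example.constructed.mirrored"><defaults>
      <allow_inactive>auth_admin_keep</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
  </defaults></action>
</policyconfig>"""

if __name__ == "__main__":
    for action_id, tag, value, active in audit_policy(SAMPLE):
        print(f"{action_id}: {tag}={value} but allow_active={active}")
```

Only the blanket-yes action is reported; the mirrored action, which copies allow_active as recommended above, passes.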

Now you know why I removed the experimental PolicyKit rules generator from my RDPsesconfig utility – that used a bludgeon approach and basically turned all those “no” entries in allow_inactive to “yes”, then wrote the rules file into a different directory which overrides the default system policies. Luckily, that only gave users in the “admin” group such access – and luckily, not all Distros have a group called “admin”.

So, yes, for now it’s up to YOU, Mr System Admin, the Boss, the Guy In Charge of the system, to decide what your RDP users get to do to your system, on their RDP session. :)

For additional information, look at the polkit man page, where it explains in dry, crusty detail, how this all works.

I am considering writing a utility in Python to provide a nice GUI method of editing these policies.

I hope this little primer has helped you.

 

Rating: 9.7/10 (21 votes cast)

16 comments to A brief guide to PolicyKit

  • Thanks for this primer.  It's a very good quick-start to understanding the overall structure of policykit.  Now it's just a matter of sorting through all the options and seeing what can be set, and what should be tweaked based on requirements.

    Rating: 0 (from 0 votes)
    • George, precisely, you nailed it.

      And I'm beginning to make a little progress in writing my new PolicyKit editor utility in Python.

      This will be my first Python program so v1.0 will probably be full of naive methodology compared to an experienced Python programmer ;)

      Regards

      Kev.

      Rating: 0 (from 0 votes)
  • Vikash

    Hi Kevin,
    Very good article. I am a newbie using Ubuntu and am using xrdp to connect to Ubuntu 12.04 LTS desktop edition. Based on your article, I have updated org.freedesktop.udisks.policy  to allow_inactive to “yes”.
    Still I am unable to access any NTFS drives or connect to any USB drives via xrdp. I get an error “Not authorised”. This however is not the case when logging into the desktop directly. Is there something additional that needs to be done or does this apply to server editions?
    Thanks
    Vikash

    Rating: 0 (from 0 votes)
    • Which particular action did you modify? There are lots within that xml file :)

      Rating: 0 (from 0 votes)
      • Vikash

        I have updated the following all to "yes":

        Mount a device
        Mount a system-internal device
        Check file system on a device
        Check file system of a system-internal device
        Detach a drive

        Thanks
         

        Rating: 0 (from 0 votes)
        • I'll have a look into that – it may be you need to set additional permissions – I don't know which particular set is required to be able to mount an NTFS filesystem – there's no real documentation on HOW distros are configuring their systems.

          Also, are you sure you just want to set all that to "yes" ? You should really set them to whatever their <allow_active> counterparts are set to. "yes" would give ALL remote users free permission for that action. Just sayin'

          Rating: 0 (from 0 votes)
  • sm

    Hi,
    I'd like to recommend something different from the approach you're taking.  While this is less of a chainsaw approach than what you suggested about allowing all in admin group full access (Don't know what you suggested, but I think I know what you did, having to do with altering polkit behavior given the outcome was a blanket "yes" to everything).  You know, you weren't totally wrong with that approach.  You can be far more granular in your permissions and overrides to the PolicyKit actions in /usr/share/polkit-1/actions by instituting specific overrides in the folders within /etc/polkit-1/localauthority/ . 
    Here's an example I've used before:  You can do stuff like "for NetworkManager utility, allow all users in "ADMIN" group to make changes with admin auth, but not user xyz":
    In /etc/polkit-1/localauthority/30-site.d/netmanager.pkla:
    [NetworkManager changes for admin group]
    Identity=unix-group:admin
    Action=org.freedesktop.NetworkManager.network-control;org.freedesktop.NetworkManager.settings.modify.own;org.freedesktop.NetworkManager.use-user-connections
    ResultAny=yes
    ResultInactive=auth_admin
    ResultActive=yes
    And in /etc/polkit-1/localauthority/60-local.d/netmanager.pkla:
    [No NetworkManager changes for user xyz]
    Identity=unix-user:xyz
    Action=org.freedesktop.NetworkManager.network-control;org.freedesktop.NetworkManager.settings.modify.own;org.freedesktop.NetworkManager.use-user-connections
    ResultAny=no
    ResultInactive=no
    ResultActive=no
    /SM

    Rating: +1 (from 1 vote)
  • Hi.
    I found that editing the original polkit-1 files in /usr/share/polkit-1/actions folder resulted in being overwritten. So I followed SM's lead to prevent any of my overridden policies from being wiped out.
    In order to be able to mount/unmount local partitions via remote desktop (RDP, NX, etc) I needed to create a policy for these actions : org.freedesktop.udisks.filesystem-mount;org.freedesktop.udisks.filesystem-mount-system-internal.
    From a terminal I ssh'd into the remote machine and then ran "sudo nano /etc/polkit-1/localauthority/50-local.d/udisks.pkla". I then added these lines to the file:
    [Allow adm group users to mount and unmount local disks]
    Identity=unix-group:adm
    Action=org.freedesktop.udisks.filesystem-mount;org.freedesktop.udisks.filesystem-mount-system-internal
    ResultAny=yes
    ResultInactive=auth_admin
    ResultActive=yes
    Saved the file and logged out. Then logged in to the remote machine via NX and mounted drives via Nautilus and the command line using "udisks" with no problems.
    Hope this helps someone.
    Priyend

    Rating: +1 (from 1 vote)
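
An audit for override files like the ones posted in the comments above, added here as an example (it is not code from the article or from any commenter): it parses a .pkla file and lists each identity/action pair that is granted yes through ResultAny or ResultInactive, the two keys that do not depend on an active local session. The function names are this example's own; the sample is the udisks.pkla content from the comment above.

```python
import configparser

RESULT_KEYS = ("ResultAny", "ResultInactive", "ResultActive")

def parse_pkla(text):
    """Parse .pkla text into one dict per [group]."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str   # keep key case: Identity, Action, Result*
    cp.read_string(text)   # raises MissingSectionHeaderError without a [group] header
    entries = []
    for name in cp.sections():
        sec = cp[name]
        entries.append({
            "name": name,
            "identities": [i for i in sec.get("Identity", "").split(";") if i],
            "actions": [a for a in sec.get("Action", "").split(";") if a],
            "results": {k: sec[k] for k in RESULT_KEYS if k in sec},
        })
    return entries

def unprompted_grants(text):
    """List (group, identity, action, key) where ResultAny/ResultInactive is 'yes'."""
    hits = []
    for e in parse_pkla(text):
        for key in ("ResultAny", "ResultInactive"):
            if e["results"].get(key) == "yes":
                hits += [(e["name"], i, a, key)
                         for i in e["identities"] for a in e["actions"]]
    return hits

# Sample input: the udisks.pkla entry from the comment above.
SAMPLE = """\
[Allow adm group users to mount and unmount local disks]
Identity=unix-group:adm
Action=org.freedesktop.udisks.filesystem-mount;org.freedesktop.udisks.filesystem-mount-system-internal
ResultAny=yes
ResultInactive=auth_admin
ResultActive=yes
"""

if __name__ == "__main__":
    for group, identity, action, key in unprompted_grants(SAMPLE):
        print(f"[{group}] {identity}: {action} granted by {key}=yes")
```

For the sample, both udisks actions are reported through ResultAny=yes, while ResultInactive=auth_admin is not flagged.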
  • Source

    I’ve modified the policies correctly to allow remote updates, upgrades, installations through synaptic, packagekit, and pkexec. I utilized /usr/share/polkit-1/actions/ and modified the following policies.

    org.freedesktop.packagekit.policy
    org.freedesktop.packagekit.cancel-foreign no:auth_admin_keep:auth_admin_keep
    org.freedesktop.packagekit.package-install no:auth_admin_keep:auth_admin_keep
    org.freedesktop.packagekit.package-install-untrusted no:auth_admin_keep:auth_admin_keep
    org.freedesktop.packagekit.system-trust-signing-key no:auth_admin:auth_admin
    org.freedesktop.packagekit.package-eula-accept no:yes:yes
    org.freedesktop.packagekit.package-remove no:auth_admin_keep:auth_admin_keep
    org.freedesktop.packagekit.system-update no:yes:yes
    org.freedesktop.packagekit.system-rollback no:auth_admin:auth_admin
    org.freedesktop.packagekit.system-sources-configure no:auth_admin_keep:auth_admin_keep
    org.freedesktop.packagekit.system-sources-refresh no:yes:yes
    org.freedesktop.packagekit.system-network-proxy-configure no:yes:yes
    org.freedesktop.packagekit.system-change-install-root no:auth_admin_keep:auth_admin_keep
    org.freedesktop.packagekit.device-rebind no:auth_admin_keep:auth_admin_keep
    org.freedesktop.packagekit.upgrade-system no:auth_admin:auth_admin

    org.freedesktop.policykit.policy
    org.freedesktop.policykit.exec auth_admin:auth_admin:auth_admin
    org.freedesktop.policykit.lockdown auth_admin:auth_admin:auth_admin

    org.freedesktop.consolekit.policy
    org.freedesktop.consolekit.system.stop no:yes:yes
    org.freedesktop.consolekit.system.stop-multiple-users no:auth_admin_keep:auth_admin_keep
    org.freedesktop.consolekit.system.restart no:yes:yes
    org.freedesktop.consolekit.system.restart-multiple-users no:auth_admin_keep:auth_admin_keep

    After modifying these policies, I’m still not able to access Synaptic remotely. Am I modifying the wrong policies?

    Rating: 0 (from 0 votes)
  • Buddy Butterfly

    Hi,

    basically replacing all allow_inactive with the values of the allow_active is a one liner when you use xmlstarlet.
    Just install xmlstarlet (via standard repository in Ubuntu, for example). Then changing all values is nothing more than (example):

    xmlstarlet ed -u "//action/defaults/allow_inactive" -x "../allow_active/text()" org.freedesktop.udisks.policy

    Creating a little script with feeding all files and piping the result to a separate directory I leave for the precious user ;-)

    Cheers,
    Matt

    Rating: 0 (from 0 votes)
    • furiannn

      Hi, thanks for this suggestion, anyhow I get a bash error when I am trying the above.

      bash: syntax error near unexpected token `(‘

      Any idea what this means?

      Rating: 0 (from 0 votes)
  • frank trezza

    Tried this under Kali linux, debian based. I went through all the policy files and essentially changed the allow inactive text in every file to match the allow active text, then when RDPing in I get an error “Oh no, something has gone wrong and the system cannot recover” if I try to use Root, if I use a local admin account I can connect but many programs still don’t work right, and windows fail to draw and give errors. Any advice?

    Rating: 0 (from 0 votes)
    • Hi Frank,

      I’d have to install Kali and have a look at it in order to try to help. At this moment though I’m lacking for time – hence the lack of new articles of late (apart from updating x11rdp-o-matic).

      I’m wondering though if the PolicyKit of today is different from the PolicyKit of 2 years ago, which is when I first published this article – especially since it seems systemd now seems to be the init du jour these days – no idea if Kali uses systemd in its current version either.

      Sorry I can’t be much more helpful. If or when I get the time (hah!) I’ll start writing more articles again. There’s a project I’ve been working on for the last 8 months or so which has almost come to fruition – perhaps after that’s out in the wild I’ll have more time to get back to researching and writing useful stuff, even revisiting PolicyKit.

      Regards

      Rating: 0 (from 0 votes)
  • […] to some research from here as a point of reference as to where I might find these policykit […]

