SUSE Linux Enterprise Desktop 11 SP4: Chapter 9. PolicyKit

Chapter 9. PolicyKit¶

Contents

9.1. Conceptual Overview
9.2. Modifying and Setting Privileges

Abstract

PolicyKit is an application framework that acts as a negotiator between the unprivileged user session and the privileged system context. Whenever a process from the user session tries to carry out an action in the system context, PolicyKit is queried. Based on its configuration—specified in a so-called “policy”—the answer could be yes, no, or needs authentication. Unlike classical privilege authorization programs such as sudo, PolicyKit does not grant root permissions to an entire process, following the “least privilege” concept.

9.1. Conceptual Overview¶

Each existing policy has a speaking name (its identifier), which is used with the command line tools and the graphical user interface.

9.1.1. Available Policies and Supported Applications¶

At the moment, not all applications requiring privileges make use of PolicyKit. Find the most important policies available on SUSE® Linux Enterprise Desktop below, sorted into the categories where they are used.

PulseAudio

Set scheduling priorities for the PulseAudio daemon

smppd

Control dial connections

CUPS

Add, remove, edit, enable or disable printers

Backup Manager

Modify schedule

GNOME

Modify system and mandatory values with GConf

Change the system time

NetworkManager

Apply and modify connections

PolicyKit

Read and change privileges for other users

Modify defaults

PackageKit

Update and remove packages

Change and refresh repositories

Install local files

Rollback

Import repository keys

Accepting EULAs

Setting the network proxy

smppd

Controlling dial-up connections

System

Wake on LAN

Mount or unmount fixed, hotpluggable and encrypted devices

Eject and decrypt removable media

Enable or disable WLAN

Enable or disable Bluetooth

Device access

Stop, suspend, hibernate and restart the system

Undock a docking station

Change power-management settings

YaST

Change the system time and language

9.1.2. Authorization Types¶

Every time a PolicyKit-enabled process carries out a privileged operation, PolicyKit is asked whether this process is entitled to do so. PolicyKit answers according to the policy defined for this process. The answers can be yes, no, or authentication needed. By default, a policy contains implicit privileges, which automatically apply to all users. It is also possible to specify explicit privileges which apply to a specific user.

9.1.2.1. Implicit Privileges¶

Implicit privileges can be defined for any, active, and inactive sessions. An active session is the one in which you are currently working. It becomes inactive when you switch to another console for example. When setting implicit privileges to “no”, no user is authorized, whereas “yes” authorizes all users. However, in most cases it is useful to demand authentication.

A user can either authorize by authenticating as root or by authenticating as self. Both authentication methods exist in four variants:

Authentication: The user always has to authenticate.
One Shot Authentication: The authentication is bound to the instance of the program currently running. Once the program is restarted, the user is required to authenticate again.
Keep Session Authentication: The authentication dialog box offers a check button Remember authorization for this session. If checked, the authentication is valid until the user logs out.
Keep Indefinitely Authentication: The authentication dialog box offers a check button Remember authorization. If checked, the user has to authenticate only once.

9.1.2.2. Explicit Privileges¶

Explicit privileges can be granted to specific users. They can either be granted without limitations, or, when using constraints, limited to an active session and/or a local console.

It is not only possible to grant privileges to a user, a user can also be blocked. Blocked users will not be able to carry out an action requiring authorization, even though the default implicit policy allows authorization by authentication.

9.1.3. Default Privileges¶

Each application supporting PolicyKit comes with a default set of implicit policies defined by the application's developers. Those policies are the so-called “upstream defaults”. The privileges defined by the upstream defaults are not necessarily the ones that are activated by default on SUSE Linux Enterprise Desktop. SUSE Linux Enterprise Desktop comes with a predefined set of privileges that override the upstream defaults. The default policies for SUSE Linux Enterprise Desktop are defined in /etc/polkit-default-privs.standard and /etc/polkit-default-privs.restrictive. The .standard file defines privileges suitable for most desktop systems. It is active by default. The .restrictive set of privileges is designed for machines administrated centrally.

To switch between the two sets of default privileges, adjust the value of POLKIT_DEFAULT_PRIVS to either restrictive or standard in /etc/sysconfig/security. Then run the command set_polkit_default_privs as root.

Do not modify /etc/polkit-default-privs.standard nor /etc/polkit-default-privs.restrictive. In order to define your own custom set of privileges, use /etc/polkit-default-privs.local. For details, refer to Section 9.2.3.1, “Modifying Configuration Files for Implicit Privileges”.

9.2. Modifying and Setting Privileges¶

To modify implicit privileges or to set explicit ones, you can either use the graphical Authorizations tool available with GNOME or KDE, use the command line tools shipped with PolicyKit, or modify the configuration files. While the GUI and the command line tools are a good solution for making temporary changes, editing the configuration files should be the preferred way to make permanent changes.

9.2.1. Using the Graphical Authorizations Tool¶

	Using the Authorizations Tool
Authorizations is a graphical tool and therefore not installed when the respective GNOME or KDE desktop environment is not installed. In this case you need to install the package `PolicyKit-gnome` (GNOME) or `libpolkit-qt0` (KDE) in order to use the tool.

Start the Authorizations tool from a desktop environment by pressing Alt+F2 and entering polkit-gnome-authorization or polkit-kde-authorization, respectively.

Figure 9.1. The Authorizations Main Window (GNOME)¶

The Authorizations window is divided into two panes: The left-hand pane shows all policies available in a tree view, while the right-hand pane displays details for the policy selected and offers means to change it.

The KDE and GNOME Authorizations dialogs are very similar. The most noticeable difference is the location where details about the chosen policy are displayed: the GNOME dialog displays them in a dedicated Actions section on the right-hand pane. It holds the following information:

Identifier: Unique string used by PolicyKit to identify the policy.
Description: this information explaining the purpose of the policy.
Vendor: A link to the organization that has issued this policy.

The KDE dialog shows the identifier string directly in the tree view on the left-hand pane, together with a short description, which is also displayed at the top of the right-hand pane, together with the vendor link.

Alter any settings from the right-hand pane, as described below:

Implicit Authorizations

In the GNOME dialog, click Edit to choose an authorization type, as explained in Section 9.1.2.1, “Implicit Privileges”. In KDE, you can directly select the authorization types from the drop-down list.

Click Revert To Defaults to restore the system defaults.

	Restrictions of the Revert to Defaults function on SUSE Linux Enterprise Desktop
With Revert to Defaults, the Authorization tool always operates on the upstream defaults. To instead restore the defaults shipped with SUSE Linux Enterprise Desktop, refer to Section 9.2.4, “Restoring the Default Privileges”.

Explicit Authorizations

In this section you can Grant privileges to existing users or Block users. In both cases, choose a user and a Constraint. Users with a UID of less than 1000 are only shown when Show System Users is checked. To delete an authorization, choose it from the list and click Revoke.

9.2.2. Using the Command Line Tools¶

PolicyKit comes with two command line tools for changing implicit privileges and for assigning explicit privileges. Each existing policy has got a speaking, unique name with which it can be identified and which is used with the command line tools. List all available policies with the command polkit-action.

Listing and Modifying Implicit Privileges

polkit-action

When invoked with no parameters, the command polkit-action shows a list of all policies. By adding the --show-overrides option, you can list all policies that differ from the default values. To reset the privileges for a given action to the (upstream) defaults, use the option --reset-defaults ACTION. See man 1 polkit-action for more information.

	Restrictions of polkit-action on SUSE Linux Enterprise Desktop
polkit-action always operates on the upstream defaults. Therefore it cannot be used to list or restore the defaults shipped with SUSE Linux Enterprise Desktop. To do so, refer to Section 9.2.4, “Restoring the Default Privileges”.

Listing, Granting, Blocking, and Revoking Explicit Privileges

polkit-auth

To print a list of explicit privileges for a specific user, use the following command:

polkit-auth --explicit-detail --user USER

Replace USER with a valid username. If the --user option is left out, the command shows the privileges for the user that executes the command. See man 1 polkit-auth for more information.

9.2.3. Modifying Configuration Files¶

Adjusting privileges by modifying configuration files is useful when you want to deploy the same set of policies to different machines, for example to the computers of a specific team. It is possible to change implicit as well as explicit privileges by modifying configuration files.

9.2.3.1. Modifying Configuration Files for Implicit Privileges¶

SUSE Linux Enterprise Desktop ships with two sets of default authorizations, located in /etc/polkit-default-privs.standard and /etc/polkit-default-privs.restrictive. For more information, refer to Section 9.1.3, “Default Privileges”.

In order to define your custom set of privileges, use /etc/polkit-default-privs.local. Privileges defined here will always take precedence over the ones defined in the other configuration files. To define a privilege, add a line for each policy with the following format:

<privilege_identifier>     <any session>:<inactive session>:<active session>

For example:

org.freedesktop.policykit.modify-defaults     auth_admin_keep_always

For a list of all privilege identifiers, run the command polkit-action. The following values are valid for the session parameters:

yes: grant privilege
no: block
auth_self: user needs to authenticate with own password every time the privilege is requested
auth_self_keep_session: user needs to authenticate with own password once per session, privilege is granted for the whole session
auth_self_keep_always: user needs to authenticate with own password once, privilege is granted for the current and for future sessions
auth_admin: user needs to authenticate with root password every time the privilege is requested
auth_admin_keep_session: user needs to authenticate with root password once per session, privilege is granted for the whole session
auth_admin_keep_always: user needs to authenticate with root password once, privilege is granted for the current and for future sessions

After editing /etc/polkit-default-privs.local, execute set_polkit_default_privs to activate your settings.

9.2.3.2. Modifying Configuration Files for Explicit Privileges¶

Explicit privileges can be set in /etc/PolicyKit/PolicyKit.conf. This configuration file is written in XML using the PolicyKit DTD. The file that is shipped with SUSE Linux Enterprise Desktop already contains the necessary headers and the root element <config>. Place your edits inside the <config> tags.

match

Specify an action or a user. match knows two attributes, user and action, but only a single attribute is allowed. Use nested match statements to combine attributes. POSIX Extended Regular Expressions are allowed as attribute values.

user=USER: Specify one or more login names. Separate multiple names by the “|” symbol.
action=policy: Specify a policy by it's unique identifier. To get a list of all available policy identifiers use the command polkit-action.

return

Specify the answer PolicyKit will return. Takes a single attribute, result=value with one of the values listed under Section 9.2.3.1, “Modifying Configuration Files for Implicit Privileges”.

define_admin_auth

Specify users or groups allowed to authorize with their own password where normally the root password would be required. Takes the attributes user=USER or group=GROUP, but only one may be used at a time. Multiple attribute values must be separated by “|”, Extended POSIX Regular Expressions are not supported. Applies to all policies when used at the top level, or to specific policies when used within <match> statements.

Example 9.1. An example /etc/PolicyKit/PolicyKit.conf file¶

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkconfig PUBLIC "-//freedesktop//DTD PolicyKit Configuration 1.0//EN"
"http://hal.freedesktop.org/releases/PolicyKit/1.0/config.dtd">
<config version="0.1">
  <match action="org.freedesktop.packagekit.system-update">
    <match user="tux">
      <return result="yes"/>
    </match>
  </match>
  <match action="org.freedesktop.policykit.*">
    <match user="tux|wilber">
      <return result="no"/>
    </match>
  </match>
  <define_admin_auth group="administrators"/>
</config>

	The first three lines of the config file are the XML header. These lines are already present in the template file, leave them untouched.
	The XML root element must always be present. The attribute `version` is mandatory, currently the only valid value is `0.1`. Already present in the template file.
	A statement granting the user `tux` the privilege to update packages via PackageKit without having to authorize.
	Withdraw privileges for all PolicyKit-related policies from the users `tux` and `wilber`.
	This statement allows all members of the group `administrators` to authenticate with their own password whenever authentication with the `root` password would be required. Since this statement is not nested within constraining `match` statements, it applies to all policies.

9.2.4. Restoring the Default Privileges¶

SUSE Linux Enterprise Desktop comes with a predefined set of privileges that is activated by default and thus overrides the upstream defaults. For details, refer to Section 9.1.3, “Default Privileges”.

Since the graphical PolicyKit tools and the command line tools always operate on the upstream defaults, SUSE Linux Enterprise Desktop includes an additional command-line tool, set_polkit_default_privs. It resets privileges to the values defined in /etc/polkit-default-privs.*. However, the command set_polkit_default_privs will only reset policies that are set to the upstream defaults.

Procedure 9.1. Restoring the SUSE Linux Enterprise Desktop Defaults

Make sure /etc/polkit-default-privs.local does not contain any overrides of the default policies.
Custom Policy Configuration
Policies defined in /etc/polkit-default-privs.local will be applied on top of the defaults during the next step.
To reset all policies to the upstream defaults first and then apply the SUSE Linux Enterprise Desktop defaults:
```
rm -f /var/lib/PolicyKit-public/* && set_polkit_default_privs
```

	Custom Policy Configuration
Policies defined in `/etc/polkit-default-privs.local` will be applied on top of the defaults during the next step.