Skip to content

Instantly share code, notes, and snippets.

@ASISBusiness

ASISBusiness/_Example polkit rules_.md

Forked from grawity/_Example polkit rules_.md
Created June 30, 2024 22:54
Show Gist options
  • Save ASISBusiness/c298cbe59ce06f77b7bb415c4a3d5d3a to your computer and use it in GitHub Desktop.
Save ASISBusiness/c298cbe59ce06f77b7bb415c4a3d5d3a to your computer and use it in GitHub Desktop.
Download ZIP
Raw
_Example polkit rules_.md

These are only examples, for a few very common actions. You are expected to write your own rules for the rest. The syntax is regular JavaScript, but see the polkit(8) manpage for the object structure and available API. These examples are for polkit versions 106 and later, with the JS interpreter. They won't work with Debian's polkit v105.

  • If you don't know the action name, run pkaction:

    pkaction | grep cups

  • The possible results are YES, AUTH_SELF(_KEEP), AUTH_ADMIN(_KEEP), NO. Returning a result is final. Returning null will continue checking other rules.

  • Put your rules in /etc/polkit-1/rules.d/*.rules. (You can check everything in one giant addRule, or you can have a separate file and separate addRule for each program; it doesn't matter.)

  • To test your rules, use pkcheck:

    pkcheck -u -p $$ -a org.freedesktop.packagekit.upgrade-system
Raw
networkmanager-wheel-noauth.js
/* Copy this to /etc/polkit-1/rules.d/80-networkmanager-wheel-without-authentication.rules */
polkit.addRule(function(action, subject) {
if (/^org\.freedesktop\.NetworkManager\./.test(action.id) &&
subject.local && subject.active && subject.isInGroup("wheel"))
{
return polkit.Result.YES;
}
});
Raw
packagekit-restrict.js
/* Copy this to /etc/polkit-1/rules.d/packagekit-restrict.rules */
polkit.addRule(function(action, subject) {
if (/^org\.freedesktop\.packagekit\./.test(action.id)) {
if (subject.user === "fred" || subject.isInGroup("wheel")) {
return polkit.Result.YES;
} else {
return polkit.Result.AUTH_ADMIN_KEEP;
}
}
});
Raw
systemd-allow-service.js
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.systemd1.manage-units" &&
action.lookup("unit") == "hybrid.service" &&
subject.user == "michael")
{
return polkit.Result.YES;
}
})
Raw
udisks1-avoid-consolekit.js
/* Copy this to /etc/polkit-1/rules.d/udisks-no-consolekit.rules */
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.udisks.filesystem-mount") {
if (subject.isInGroup("wheel"))
return polkit.Result.YES;
else
return polkit.Result.AUTH_ADMIN_KEEP;
} else if (/^org\.freedesktop\.udisks\./.test(action.id)) {
return polkit.Result.AUTH_ADMIN_KEEP;
}
});
Raw
udisks1-wheel-is-god.js
/* Copy this to /etc/polkit-1/rules.d/always-allow-wheel.rules */
polkit.addRule(function(action, subject) {
if (/^org\.freedesktop\.udisks\./.test(action.id)
&& subject.isInGroup("wheel"))
{
return polkit.Result.YES;
}
});
Raw
udisks2-allow-mount-internal.js
/* Copy this to /etc/polkit-1/rules.d/allow-mount-internal.rules */
polkit.addRule(function(action, subject) {
if ((action.id == "org.freedesktop.udisks2.filesystem-mount-system" ||
action.id == "org.freedesktop.udisks.filesystem-mount-system-internal") &&
subject.local && subject.active && subject.isInGroup("users"))
{
return polkit.Result.YES;
}
});
@ASISBusiness
Copy link
Author

These are only examples, for a few very common actions. You are expected to write your own rules for the rest. The syntax is regular JavaScript, but see the polkit(8) manpage for the object structure and available API. These examples are for polkit versions 106 and later, with the JS interpreter. They won't work with Debian's polkit v105.

  • If you don't know the action name, run pkaction:

    pkaction | grep cups

  • The possible results are YES, AUTH_SELF(_KEEP), AUTH_ADMIN(_KEEP), NO. Returning a result is final. Returning null will continue checking other rules.

  • Put your rules in /etc/polkit-1/rules.d/*.rules. (You can check everything in one giant addRule, or you can have a separate file and separate addRule for each program; it doesn't matter.)

  • To test your rules, use pkcheck:

    pkcheck -u -p $$ -a org.freedesktop.packagekit.upgrade-system

@ASISBusiness
Copy link
Author

These are only examples, for a few very common actions. You are expected to write your own rules for the rest. The syntax is regular JavaScript, but see the polkit(8) manpage for the object structure and available API. These examples are for polkit versions 106 and later, with the JS interpreter. They won't work with Debian's polkit v105.

  • If you don't know the action name, run pkaction: 
    pkaction | grep cups
  • The possible results are YES, AUTH_SELF(_KEEP), AUTH_ADMIN(_KEEP), NO. Returning a result is final. Returning null will continue checking other rules.
  • Put your rules in /etc/polkit-1/rules.d/*.rules. (You can check everything in one giant addRule, or you can have a separate file and separate addRule for each program; it doesn't matter.)
  • To test your rules, use pkcheck: 
    pkcheck -u -p $$ -a org.freedesktop.packagekit.upgrade-system

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment