@grawity
Last active September 8, 2025 05:24

These are only examples, for a few very common actions. You are expected to write your own rules for the rest.

See the polkit(8) manpage for rule syntax. (It's JavaScript.)

If you don't know the action name, run pkaction:

pkaction | grep cups

Put your rules in /etc/polkit-1/rules.d/*.rules. (You can check everything in one giant addRule, or you can have a separate file and separate addRule for each program; it doesn't matter.)

To test your rules, use pkcheck:

pkcheck -u -p $$ -a org.freedesktop.packagekit.upgrade-system

/* Copy this to /etc/polkit-1/rules.d/80-networkmanager-wheel-without-authentication.rules */
polkit.addRule(function(action, subject) {
    // Any NetworkManager action, but only for "wheel" members in a local, active session.
    if (/^org\.freedesktop\.NetworkManager\./.test(action.id) &&
        subject.local && subject.active && subject.isInGroup("wheel"))
    {
        return polkit.Result.YES;
    }
});

/* Copy this to /etc/polkit-1/rules.d/packagekit-restrict.rules */
polkit.addRule(function(action, subject) {
    if (/^org\.freedesktop\.packagekit\./.test(action.id)) {
        // User "fred" and "wheel" members are allowed outright;
        // everyone else must authenticate as an administrator.
        if (subject.user === "fred" || subject.isInGroup("wheel")) {
            return polkit.Result.YES;
        } else {
            return polkit.Result.AUTH_ADMIN_KEEP;
        }
    }
});

/* Copy this to /etc/polkit-1/rules.d/udisks-no-consolekit.rules */
polkit.addRule(function(action, subject) {
    // No subject.local / subject.active test here, so this also applies to remote sessions.
    if (action.id == "org.freedesktop.udisks.filesystem-mount") {
        if (subject.isInGroup("wheel"))
            return polkit.Result.YES;
        else
            return polkit.Result.AUTH_ADMIN_KEEP;
    } else if (/^org\.freedesktop\.udisks\./.test(action.id)) {
        // Every other udisks action requires administrator authentication.
        return polkit.Result.AUTH_ADMIN_KEEP;
    }
});

/* Copy this to /etc/polkit-1/rules.d/always-allow-wheel.rules */
polkit.addRule(function(action, subject) {
    // All udisks actions for "wheel" members, regardless of session type.
    if (/^org\.freedesktop\.udisks\./.test(action.id)
        && subject.isInGroup("wheel"))
    {
        return polkit.Result.YES;
    }
});

/* Copy this to /etc/polkit-1/rules.d/allow-mount-internal.rules */
polkit.addRule(function(action, subject) {
    // Mounting system (internal) filesystems for "users" members in a local, active session.
    if ((action.id == "org.freedesktop.udisks2.filesystem-mount-system" ||
         action.id == "org.freedesktop.udisks.filesystem-mount-system-internal") &&
        subject.local && subject.active && subject.isInGroup("users"))
    {
        return polkit.Result.YES;
    }
});
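Before installing a rule file, it can be exercised offline against constructed subjects to see exactly who it grants access to. The following is an added example, not part of the gist: the mock `polkit` object, the helpers `makeSubject` and `decide`, and the sample users are assumptions for illustration, and the rule bodies are the NetworkManager and `udisks.filesystem-mount` rules from this page.

```javascript
// Minimal stand-in for polkitd's rule engine, for offline testing of rule files.
// Assumption: rules run in registration order and the first returned value wins.
const polkit = {
  Result: { NO: "no", YES: "yes", AUTH_ADMIN_KEEP: "auth_admin_keep" },
  _rules: [],
  addRule(fn) { this._rules.push(fn); },
};

// Hypothetical helpers (not part of polkit): build a subject, evaluate an action.
function makeSubject({ user, groups = [], local = false, active = false }) {
  return { user, groups, local, active, isInGroup: (g) => groups.includes(g) };
}

function decide(actionId, subject) {
  const action = { id: actionId, lookup: () => undefined };
  for (const rule of polkit._rules) {
    const result = rule(action, subject);
    if (result !== undefined && result !== null) return result;
  }
  return "not_handled"; // polkitd would fall back to the action's own defaults
}

// Two rules copied from this page.
polkit.addRule(function(action, subject) {
  if (/^org\.freedesktop\.NetworkManager\./.test(action.id) &&
      subject.local && subject.active && subject.isInGroup("wheel")) {
    return polkit.Result.YES;
  }
});
polkit.addRule(function(action, subject) {
  if (action.id == "org.freedesktop.udisks.filesystem-mount") {
    if (subject.isInGroup("wheel")) return polkit.Result.YES;
    else return polkit.Result.AUTH_ADMIN_KEEP;
  } else if (/^org\.freedesktop\.udisks\./.test(action.id)) {
    return polkit.Result.AUTH_ADMIN_KEEP;
  }
});

// Constructed subjects: the same wheel user at the console and in a remote session.
const consoleUser = makeSubject({ user: "alice", groups: ["wheel"], local: true, active: true });
const remoteUser = makeSubject({ user: "alice", groups: ["wheel"] });
const guest = makeSubject({ user: "guest", groups: ["users"], local: true, active: true });

const NM = "org.freedesktop.NetworkManager.settings.modify.system";
const MOUNT = "org.freedesktop.udisks.filesystem-mount";
for (const [name, s] of Object.entries({ consoleUser, remoteUser, guest })) {
  console.log(name, "NM:", decide(NM, s), "mount:", decide(MOUNT, s));
}
```

The remote session gets the mount without a prompt because that rule tests only group membership, while the NetworkManager rule does not match it and the decision falls through to the action's defaults.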
@steve-todorov

This is probably the most annoying thing in OpenSUSE - asking for a password for network, hdd mount, etc. Every now and then I have to search for these rules. Thanks for posting them as a gist!

@CMCDragonkai

Where do you define how long to keep the authorisation for?

@yssmcl

yssmcl commented Jun 24, 2017

Thank you for posting these examples!

@agners

agners commented Sep 27, 2019

Note that AUTH_ADMIN_KEEP is kept per process, hence if another process ID is asking for the same action this will lead to a reauthentication.

@SebTM

SebTM commented Apr 7, 2022

Is there a possibility to ".test()" on an "action.lookup("XYZ")" result? Or convert/use another function like indexOf on an action-lookup result?
