grawity · September 8, 2025 05:24 · Sep 8, 2025 · Feb 12, 2016 · Jan 26, 2016 · Oct 9, 2015
diff --git a/_Example polkit rules_.md b/_Example polkit rules_.md
@@ -1,8 +1,12 @@
 **These are only examples,** for a few very common actions. You are expected to write your own rules for the rest. The syntax is regular JavaScript, but see the `polkit(8)` manpage for the object structure and available API. **These examples are for polkit versions 106 and later, with the JS interpreter.** They won't work with Debian's polkit v105.
 
-  - If you don't know the action name, run `pkaction`:
+  - If you don't know the action name,  either run `pkaction` and look for anything similar:
 
         pkaction | grep cups
+        
+    ...or try to perform the actual action, cancel it, then look in your system logs:
+
+        journalctl -t polkitd -n 10 | grep action
 
   - The possible results are `YES`, `AUTH_SELF(_KEEP)`, `AUTH_ADMIN(_KEEP)`, `NO`. Returning a result is final. Returning `null` will continue checking other rules.
 

diff --git a/_Example polkit rules_.md b/_Example polkit rules_.md
@@ -1,4 +1,4 @@
-**These are only examples,** for a few very common actions. You are expected to write your own rules for the rest. The syntax is regular JavaScript, but see the `polkit(8)` manpage for the object structure and available API.
+**These are only examples,** for a few very common actions. You are expected to write your own rules for the rest. The syntax is regular JavaScript, but see the `polkit(8)` manpage for the object structure and available API. **These examples are for polkit versions 106 and later, with the JS interpreter.** They won't work with Debian's polkit v105.
 
   - If you don't know the action name, run `pkaction`:
 

diff --git a/systemd-allow-service.js b/systemd-allow-service.js
@@ -0,0 +1,8 @@
+polkit.addRule(function(action, subject) {
+    if (action.id == "org.freedesktop.systemd1.manage-units" &&
+        action.lookup("unit") == "hybrid.service" &&
+        subject.user == "michael")
+    {
+        return polkit.Result.YES;
+    }
+})
diff --git a/_Example polkit rules_.md b/_Example polkit rules_.md
@@ -1,13 +1,13 @@
-**These are only examples,** for a few very common actions. You are expected to write your own rules for the rest. See the `polkit(8)` manpage for rule syntax. (It's JavaScript.)
+**These are only examples,** for a few very common actions. You are expected to write your own rules for the rest. The syntax is regular JavaScript, but see the `polkit(8)` manpage for the object structure and available API.
 
-If you don't know the action name, run `pkaction`:
+  - If you don't know the action name, run `pkaction`:
 
-    pkaction | grep cups
+        pkaction | grep cups
 
-The possible results are `YES`, `AUTH_SELF(_KEEP)`, `AUTH_ADMIN(_KEEP)`, `NO`. Returning a result is final. Returning `null` will continue checking other rules.
+  - The possible results are `YES`, `AUTH_SELF(_KEEP)`, `AUTH_ADMIN(_KEEP)`, `NO`. Returning a result is final. Returning `null` will continue checking other rules.
 
-Put your rules in `/etc/polkit-1/rules.d/*.rules`. (You can check everything in one giant addRule, or you can have a separate file and separate addRule for each program; it doesn't matter.)
+  - Put your rules in `/etc/polkit-1/rules.d/*.rules`. (You can check everything in one giant addRule, or you can have a separate file and separate addRule for each program; it doesn't matter.)
 
-To test your rules, use `pkcheck`:
+  - To test your rules, use `pkcheck`:
 
-    pkcheck -u -p $$ -a org.freedesktop.packagekit.upgrade-system
+        pkcheck -u -p $$ -a org.freedesktop.packagekit.upgrade-system
diff --git a/_Example polkit rules_.md b/_Example polkit rules_.md
@@ -4,6 +4,8 @@ If you don't know the action name, run `pkaction`:
 
     pkaction | grep cups
 
+The possible results are `YES`, `AUTH_SELF(_KEEP)`, `AUTH_ADMIN(_KEEP)`, `NO`. Returning a result is final. Returning `null` will continue checking other rules.
+
 Put your rules in `/etc/polkit-1/rules.d/*.rules`. (You can check everything in one giant addRule, or you can have a separate file and separate addRule for each program; it doesn't matter.)
 
 To test your rules, use `pkcheck`:

diff --git a/_Example polkit rules_.md b/_Example polkit rules_.md
@@ -1,6 +1,4 @@
-**These are only examples,** for a few very common actions. You are expected to write your own rules for the rest.
-
-See the `polkit(8)` manpage for rule syntax. (It's JavaScript.)
+**These are only examples,** for a few very common actions. You are expected to write your own rules for the rest. See the `polkit(8)` manpage for rule syntax. (It's JavaScript.)
 
 If you don't know the action name, run `pkaction`:
 

diff --git a/_Example polkit rules_.md b/_Example polkit rules_.md
@@ -1,9 +1,13 @@
-Put your rules in `/etc/polkit-1/rules.d/*.rules`.
+**These are only examples,** for a few very common actions. You are expected to write your own rules for the rest.
 
 See the `polkit(8)` manpage for rule syntax. (It's JavaScript.)
 
-If you don't know the action name, run `pkaction`.
+If you don't know the action name, run `pkaction`:
 
-To test your rules, use `pkcheck`.
+    pkaction | grep cups
 
-`pkcheck -u -p $$ -a org.freedesktop.packagekit.upgrade-system`
+Put your rules in `/etc/polkit-1/rules.d/*.rules`. (You can check everything in one giant addRule, or you can have a separate file and separate addRule for each program; it doesn't matter.)
+
+To test your rules, use `pkcheck`:
+
+    pkcheck -u -p $$ -a org.freedesktop.packagekit.upgrade-system
diff --git a/networkmanager-wheel-noauth.js b/networkmanager-wheel-noauth.js
@@ -1,5 +1,4 @@
-/* Copy this to /etc/polkit-1/rules.d/80-networkmanager-wheel-without-authentication.rules
- */
+/* Copy this to /etc/polkit-1/rules.d/80-networkmanager-wheel-without-authentication.rules */
 
 polkit.addRule(function(action, subject) {
     if (/^org\.freedesktop\.NetworkManager\./.test(action.id) &&

diff --git a/packagekit-restrict.js b/packagekit-restrict.js
@@ -1,5 +1,4 @@
-/* Copy this to /etc/polkit-1/rules.d/packagekit-restrict.rules
- */
+/* Copy this to /etc/polkit-1/rules.d/packagekit-restrict.rules */
 
 polkit.addRule(function(action, subject) {
     if (/^org\.freedesktop\.packagekit\./.test(action.id)) {

diff --git a/udisks1-avoid-consolekit.js b/udisks1-avoid-consolekit.js
@@ -1,5 +1,4 @@
-/* Copy this to /etc/polkit-1/rules.d/udisks-no-consolekit.rules
- */
+/* Copy this to /etc/polkit-1/rules.d/udisks-no-consolekit.rules */
 
 polkit.addRule(function(action, subject) {
     if (action.id == "org.freedesktop.udisks.filesystem-mount") {

diff --git a/udisks1-wheel-is-god.js b/udisks1-wheel-is-god.js
@@ -1,5 +1,4 @@
-/* Copy this to /etc/polkit-1/rules.d/always-allow-wheel.rules
- */
+/* Copy this to /etc/polkit-1/rules.d/always-allow-wheel.rules */
 
 polkit.addRule(function(action, subject) {
     if (/^org\.freedesktop\.udisks\./.test(action.id)

diff --git a/udisks2-allow-mount-internal.js b/udisks2-allow-mount-internal.js
@@ -1,5 +1,4 @@
-/* Copy this to /etc/polkit-1/rules.d/allow-mount-internal.rules
- */
+/* Copy this to /etc/polkit-1/rules.d/allow-mount-internal.rules */
 
 polkit.addRule(function(action, subject) {
     if ((action.id == "org.freedesktop.udisks2.filesystem-mount-system" ||

diff --git a/networkmanager-wheel-noauth.js b/networkmanager-wheel-noauth.js
@@ -3,7 +3,8 @@
 
 polkit.addRule(function(action, subject) {
     if (/^org\.freedesktop\.NetworkManager\./.test(action.id) &&
-        subject.local && subject.active && subject.isInGroup("wheel")) {
+        subject.local && subject.active && subject.isInGroup("wheel"))
+    {
             return polkit.Result.YES;
     }
 });
diff --git a/udisks1-wheel-is-god.js b/udisks1-wheel-is-god.js
@@ -2,8 +2,9 @@
  */
 
 polkit.addRule(function(action, subject) {
-    if (/^org\.freedesktop\.udisks\./.test(action.id) && subject.isInGroup("wheel"))
+    if (/^org\.freedesktop\.udisks\./.test(action.id)
+        && subject.isInGroup("wheel"))
     {
         return polkit.Result.YES;
     }
-});
+});
diff --git a/udisks2-allow-mount-internal.js b/udisks2-allow-mount-internal.js
@@ -4,7 +4,8 @@
 polkit.addRule(function(action, subject) {
     if ((action.id == "org.freedesktop.udisks2.filesystem-mount-system" ||
          action.id == "org.freedesktop.udisks.filesystem-mount-system-internal") &&
-        subject.local && subject.active && subject.isInGroup("users")) {
+        subject.local && subject.active && subject.isInGroup("users"))
+    {
             return polkit.Result.YES;
     }
 });
diff --git a/packagekit-restrict.js b/packagekit-restrict.js
@@ -3,7 +3,7 @@
 
 polkit.addRule(function(action, subject) {
     if (/^org\.freedesktop\.packagekit\./.test(action.id)) {
-        if (subject.local && subject.active && subject.isInGroup("wheel")) {
+        if (subject.user === "fred" || subject.isInGroup("wheel")) {
             return polkit.Result.YES;
         } else {
             return polkit.Result.AUTH_ADMIN_KEEP;

diff --git a/networkmanager-wheel-noauth.js b/networkmanager-wheel-noauth.js
@@ -0,0 +1,9 @@
+/* Copy this to /etc/polkit-1/rules.d/80-networkmanager-wheel-without-authentication.rules
+ */
+
+polkit.addRule(function(action, subject) {
+    if (/^org\.freedesktop\.NetworkManager\./.test(action.id) &&
+        subject.local && subject.active && subject.isInGroup("wheel")) {
+            return polkit.Result.YES;
+    }
+});
diff --git a/udisks1-avoid-consolekit.js b/udisks1-avoid-consolekit.js
@@ -0,0 +1,13 @@
+/* Copy this to /etc/polkit-1/rules.d/udisks-no-consolekit.rules
+ */
+
+polkit.addRule(function(action, subject) {
+    if (action.id == "org.freedesktop.udisks.filesystem-mount") {
+        if (subject.isInGroup("wheel"))
+            return polkit.Result.YES;
+        else
+            return polkit.Result.AUTH_ADMIN_KEEP;
+    } else if (/^org\.freedesktop\.udisks\./.test(action.id)) {
+        return polkit.Result.AUTH_ADMIN_KEEP;
+    }
+});
diff --git a/packagekit-restrict.js b/packagekit-restrict.js
@@ -1,5 +1,5 @@
 /* Copy this to /etc/polkit-1/rules.d/packagekit-restrict.rules
-*/
+ */
 
 polkit.addRule(function(action, subject) {
     if (/^org\.freedesktop\.packagekit\./.test(action.id)) {

diff --git a/udisks1-wheel-is-god.js b/udisks1-wheel-is-god.js
@@ -1,3 +1,6 @@
+/* Copy this to /etc/polkit-1/rules.d/always-allow-wheel.rules
+ */
+
 polkit.addRule(function(action, subject) {
     if (/^org\.freedesktop\.udisks\./.test(action.id) && subject.isInGroup("wheel"))
     {

diff --git a/udisks-allow-mount-internal.js → udisks2-allow-mount-internal.js b/udisks-allow-mount-internal.js → udisks2-allow-mount-internal.js
@@ -1,5 +1,5 @@
 /* Copy this to /etc/polkit-1/rules.d/allow-mount-internal.rules
-*/
+ */
 
 polkit.addRule(function(action, subject) {
     if ((action.id == "org.freedesktop.udisks2.filesystem-mount-system" ||

diff --git a/udisks1-wheel-is-god.js b/udisks1-wheel-is-god.js
@@ -0,0 +1,6 @@
+polkit.addRule(function(action, subject) {
+    if (/^org\.freedesktop\.udisks\./.test(action.id) && subject.isInGroup("wheel"))
+    {
+        return polkit.Result.YES;
+    }
+});
diff --git a/_README_.md → _Example polkit rules_.md b/_README_.md → _Example polkit rules_.md
diff --git a/_README_.md b/_README_.md
@@ -1 +1,9 @@
-Put your rules in `/etc/polkit-1/rules.d/*.rules`. See the `polkit(8)` manpage for rule syntax.
+Put your rules in `/etc/polkit-1/rules.d/*.rules`.
+
+See the `polkit(8)` manpage for rule syntax. (It's JavaScript.)
+
+If you don't know the action name, run `pkaction`.
+
+To test your rules, use `pkcheck`.
+
+`pkcheck -u -p $$ -a org.freedesktop.packagekit.upgrade-system`
diff --git a/_README_.md b/_README_.md
@@ -1 +1 @@
-Put your rules in `/etc/polkit-1/rules.d/*.rules`.
+Put your rules in `/etc/polkit-1/rules.d/*.rules`. See the `polkit(8)` manpage for rule syntax.
diff --git a/_README_.md b/_README_.md
@@ -0,0 +1 @@
+Put your rules in `/etc/polkit-1/rules.d/*.rules`.
diff --git a/packagekit-restrict.js b/packagekit-restrict.js
@@ -0,0 +1,12 @@
+/* Copy this to /etc/polkit-1/rules.d/packagekit-restrict.rules
+*/
+
+polkit.addRule(function(action, subject) {
+    if (/^org\.freedesktop\.packagekit\./.test(action.id)) {
+        if (subject.local && subject.active && subject.isInGroup("wheel")) {
+            return polkit.Result.YES;
+        } else {
+            return polkit.Result.AUTH_ADMIN_KEEP;
+        }
+    }
+});
diff --git a/gistfile1.js b/gistfile1.js
@@ -1,8 +0,0 @@
-/*  /etc/polkit-1/rules.d/allow-mount-system.rules  */
-
-polkit.addRule(function(action, subject) {
-    if (action.id == "org.freedesktop.udisks2.filesystem-mount-system" &&
-        subject.local && subject.active && subject.isInGroup("users")) {
-            return polkit.Result.YES;
-    }
-});

diff --git a/udisks-allow-mount-internal.js b/udisks-allow-mount-internal.js
@@ -0,0 +1,10 @@
+/* Copy this to /etc/polkit-1/rules.d/allow-mount-internal.rules
+*/
+
+polkit.addRule(function(action, subject) {
+    if ((action.id == "org.freedesktop.udisks2.filesystem-mount-system" ||
+         action.id == "org.freedesktop.udisks.filesystem-mount-system-internal") &&
+        subject.local && subject.active && subject.isInGroup("users")) {
+            return polkit.Result.YES;
+    }
+});
diff --git a/gistfile1.js b/gistfile1.js
@@ -1,4 +1,4 @@
-# /etc/polkit-1/rules.d/allow-mount-system.rules
+/*  /etc/polkit-1/rules.d/allow-mount-system.rules  */
 
 polkit.addRule(function(action, subject) {
     if (action.id == "org.freedesktop.udisks2.filesystem-mount-system" &&

diff --git a/allow-shutdown-105.rule b/allow-shutdown-105.rule
@@ -1,8 +0,0 @@
-# /etc/polkit-1/localauthority/50-local.d/foo.pkla
-
-[Allow users to power off always]
-Identity=unix-group:users
-Action=org.freedesktop.login1.power-off
-ResultAny=yes
-ResultActive=yes
-ResultInactive=yes

diff --git a/allow-shutdown-107.rule b/allow-shutdown-107.rule
@@ -1,8 +0,0 @@
-# /etc/polkit-1/rules.d/foo.rules
-
-polkit.addRule(function(action, subject) {
-    if (action.id == "org.freedesktop.login1.power-off" &&
-        subject.isInGroup("users")) {
-            return polkit.Result.YES;
-    }
-});

diff --git a/gistfile1.js b/gistfile1.js
@@ -0,0 +1,8 @@
+# /etc/polkit-1/rules.d/allow-mount-system.rules
+
+polkit.addRule(function(action, subject) {
+    if (action.id == "org.freedesktop.udisks2.filesystem-mount-system" &&
+        subject.local && subject.active && subject.isInGroup("users")) {
+            return polkit.Result.YES;
+    }
+});
diff --git a/allow-shutdown-105.rule b/allow-shutdown-105.rule
@@ -1,3 +1,5 @@
+# /etc/polkit-1/localauthority/50-local.d/foo.pkla
+
 [Allow users to power off always]
 Identity=unix-group:users
 Action=org.freedesktop.login1.power-off

diff --git a/allow-shutdown-107.rule b/allow-shutdown-107.rule
@@ -1,6 +1,8 @@
+# /etc/polkit-1/rules.d/foo.rules
+
 polkit.addRule(function(action, subject) {
     if (action.id == "org.freedesktop.login1.power-off" &&
         subject.isInGroup("users")) {
             return polkit.Result.YES;
     }
-});
+});
diff --git a/allow-shutdown-107.rule b/allow-shutdown-107.rule
@@ -0,0 +1,6 @@
+polkit.addRule(function(action, subject) {
+    if (action.id == "org.freedesktop.login1.power-off" &&
+        subject.isInGroup("users")) {
+            return polkit.Result.YES;
+    }
+});
diff --git a/allow-shutdown-105.rule b/allow-shutdown-105.rule
@@ -0,0 +1,6 @@
+[Allow users to power off always]
+Identity=unix-group:users
+Action=org.freedesktop.login1.power-off
+ResultAny=yes
+ResultActive=yes
+ResultInactive=yes
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		Put your rules in `/etc/polkit-1/rules.d/*.rules`.
		Put your rules in `/etc/polkit-1/rules.d/*.rules`. See the `polkit(8)` manpage for rule syntax.
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		Put your rules in `/etc/polkit-1/rules.d/*.rules`.