Polkit: Difference between revisions

(6 intermediate revisions by 3 users not shown)

Line 5:

== Enable polkit ==

Polkit is disabled by default. If you wish to enable it, you can set <code>security.polkit.enable</code> to true.

Polkit is disabled by default. If you wish to enable it, you can set <code>security.polkit.enable</code> to true. (However, if you are running any one of the desktop environments, you are likely to have polkit enabled as a dependency.)

== Reboot/poweroff for unprivileged users ==

== Writing rules ==

The Polkit rule language is described at https://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html#polkit-rules. It is really just JavaScript with an API.

On NixOS, Polkit uses [https://duktape.org/ Duktape] as its JavaScript runtime. Keep that in mind when you try to write newfangled code.

The rules you write, together with any rule generated by <code>security.polkit</code>, is stored at <code>/etc/polkit-1/rules.d/10-nixos.rules</code> for the current running generation.

=== Reboot/poweroff for unprivileged users ===

With the following rule, we can grant the permissions <code>reboot</code> and <code>poweroff</code> a machine to users in the <code>

Line 16:

Line 23:

{{file|/etc/nixos/configuration.nix|nix|<nowiki>

security.polkit.extraConfig = ''

polkit.addRule(function(action, subject) {

polkit.addRule(function (action, subject) {

if (

subject.isInGroup("users")

subject.isInGroup("users") &&

&& (

[

~~action.id ==~~ "org.freedesktop.login1.reboot" ||

"org.freedesktop.login1.reboot",

~~action.id ==~~ "org.freedesktop.login1.reboot-multiple-sessions" ||

"org.freedesktop.login1.reboot-multiple-sessions",

~~action.id ==~~ "org.freedesktop.login1.power-off" ||

"org.freedesktop.login1.power-off",

~~action.id ==~~ "org.freedesktop.login1.power-off-multiple-sessions"

"org.freedesktop.login1.power-off-multiple-sessions",

)

].indexOf(action.id) !== -1

)

) {

{

return polkit.Result.YES;

}

Line 33:

Line 39:

</nowiki>}}

(The ~~above~~ is ~~a PolKit rule~~, ~~which is based on JavaScript~~. ~~See https:~~//~~www~~.~~freedesktop~~.~~org/software/~~polkit~~/docs/latest/~~polkit.8.~~html#~~polkit~~-rules for more information on~~ the ~~language~~.)

=== No password for wheel ===

The following rule is the analogue of NOPASSWD:ALL in [[sudo]], in that wheel users do not need to authenticate again when performing ''any'' action.

{{file|/etc/nixos/configuration.nix|nix|<nowiki>

security.polkit.extraConfig = ''

polkit.addRule(function(action, subject) {

if (subject.isInGroup("wheel"))

return polkit.Result.YES;

});

'';

</nowiki>}}

(This does ''not'' take into account the <code>security.polkit.adminIdentities</code> setting.)

== Authentication agents ==

Line 43:

Line 61:

Alternatively, you can start it on login by creating a systemd user service:

=== Using NixOS ===

systemd ~~= {~~

systemd.user.services.polkit-gnome-authentication-agent-1 = {

user.services.polkit-gnome-authentication-agent-1 = {

description = "polkit-gnome-authentication-agent-1";

wantedBy = [ "graphical-session.target" ];

wants = [ "graphical-session.target" ];

after = [ "graphical-session.target" ];

serviceConfig = {

Type = "simple";

ExecStart = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1";

Restart = "on-failure";

RestartSec = 1;

TimeoutStopSec = 10;

};

</syntaxhighlight>

Another option is <code>lxqt.lxqt-policykit</code>, which can be launched on login through the command <code>lxqt-policykit-agent</code> on e.g. Hyprland.

=== Using Home Manager ===

systemd.user.services.polkit-gnome-authentication-agent-1 = {

Unit = {

Description = "polkit-gnome-authentication-agent-1";

Wants = [ "graphical-session.target" ];

After = [ "graphical-session.target" ];

};

Install = {

WantedBy = [ "graphical-session.target" ];

};

Service = {

Type = "simple";

ExecStart = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1";

Restart = "on-failure";

RestartSec = 1;

TimeoutStopSec = 10;

};

</syntaxhighlight>Another option is <code>lxqt.lxqt-policykit</code>, which can be launched on login through the command <code>lxqt-policykit-agent</code> on e.g. Hyprland.

== Start the authentication agent in dwm ==

Line 76:

Line 112:

</syntaxhighlight>

Use this method, you won't need to change the codes even <code>mate.mate-polkit</code> gets an update.

Use this method, you won't need to change the codes even if <code>mate.mate-polkit</code> gets an update.

#!/bin/sh

...

/nix/store/$(ls -la /nix/store | grep polkit-kde-agent | grep '^d' | awk '{print $9}')/libexec/polkit-kde-authentication-agent-1 &

/nix/store/$(ls -la /nix/store | grep 'polkit-kde-agent' | grep '^d' | awk '{print $9}')/libexec/polkit-kde-authentication-agent-1 &

...

</syntaxhighlight>

The same but for <code>polkit-kde-agent</code>

The same but for <code>polkit-kde-agent</code>.

@@ Line 5: / Line 5: @@
 == Enable polkit ==
-Polkit is disabled by default. If you wish to enable it, you can set <code>security.polkit.enable</code> to true.
+Polkit is disabled by default. If you wish to enable it, you can set <code>security.polkit.enable</code> to true. (However, if you are running any one of the desktop environments, you are likely to have polkit enabled as a dependency.)
-== Reboot/poweroff for unprivileged users ==
+== Writing rules ==
+The Polkit rule language is described at https://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html#polkit-rules. It is really just JavaScript with an API.
+On NixOS, Polkit uses [https://duktape.org/ Duktape] as its JavaScript runtime. Keep that in mind when you try to write newfangled code.
+The rules you write, together with any rule generated by <code>security.polkit</code>, is stored at <code>/etc/polkit-1/rules.d/10-nixos.rules</code> for the current running generation.
+=== Reboot/poweroff for unprivileged users ===
 With the following rule, we can grant the permissions <code>reboot</code> and <code>poweroff</code> a machine to users in the <code>
@@ Line 16: / Line 23: @@
 {{file|/etc/nixos/configuration.nix|nix|<nowiki>
    security.polkit.extraConfig = ''
-     polkit.addRule(function(action, subject) {
+     polkit.addRule(function (action, subject) {
        if (
-         subject.isInGroup("users")
+         subject.isInGroup("users") &&
-          && (
+        [
-            action.id == "org.freedesktop.login1.reboot" ||
+          "org.freedesktop.login1.reboot",
-            action.id == "org.freedesktop.login1.reboot-multiple-sessions" ||
+          "org.freedesktop.login1.reboot-multiple-sessions",
-            action.id == "org.freedesktop.login1.power-off" ||
+          "org.freedesktop.login1.power-off",
-            action.id == "org.freedesktop.login1.power-off-multiple-sessions"
+          "org.freedesktop.login1.power-off-multiple-sessions",
-          )
+         ].indexOf(action.id) !== -1
-         )
+       ) {
-       {
          return polkit.Result.YES;
        }
@@ Line 33: / Line 39: @@
 </nowiki>}}
-(The above is a PolKit rule, which is based on JavaScript. See https://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html#polkit-rules for more information on the language.)
+=== No password for wheel ===
+The following rule is the analogue of NOPASSWD:ALL in [[sudo]], in that wheel users do not need to authenticate again when performing ''any'' action.
+{{file|/etc/nixos/configuration.nix|nix|<nowiki>
+  security.polkit.extraConfig = ''
+    polkit.addRule(function(action, subject) {
+      if (subject.isInGroup("wheel"))
+        return polkit.Result.YES;
+    });
+  '';
+</nowiki>}}
+(This does ''not'' take into account the <code>security.polkit.adminIdentities</code> setting.)
 == Authentication agents ==
@@ Line 43: / Line 61: @@
 Alternatively, you can start it on login by creating a systemd user service:
+=== Using NixOS ===
 <syntaxhighlight lang="nix">
-systemd = {
+systemd.user.services.polkit-gnome-authentication-agent-1 = {
-  user.services.polkit-gnome-authentication-agent-1 = {
+  description = "polkit-gnome-authentication-agent-1";
-    description = "polkit-gnome-authentication-agent-1";
+  wantedBy = [ "graphical-session.target" ];
-    wantedBy = [ "graphical-session.target" ];
+  wants = [ "graphical-session.target" ];
-    wants = [ "graphical-session.target" ];
+  after = [ "graphical-session.target" ];
-    after = [ "graphical-session.target" ];
+  serviceConfig = {
-    serviceConfig = {
+    Type = "simple";
-        Type = "simple";
+    ExecStart = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1";
-        ExecStart = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1";
+    Restart = "on-failure";
-        Restart = "on-failure";
+    RestartSec = 1;
-        RestartSec = 1;
+    TimeoutStopSec = 10;
-        TimeoutStopSec = 10;
-      };
    };
 };
 </syntaxhighlight>
-Another option is <code>lxqt.lxqt-policykit</code>, which can be launched on login through the command <code>lxqt-policykit-agent</code> on e.g. Hyprland.
+=== Using Home Manager ===
+<syntaxhighlight lang="nix">
+systemd.user.services.polkit-gnome-authentication-agent-1 = {
+  Unit = {
+    Description = "polkit-gnome-authentication-agent-1";
+    Wants = [ "graphical-session.target" ];
+    After = [ "graphical-session.target" ];
+  };
+  Install = {
+    WantedBy = [ "graphical-session.target" ];
+  };
+  Service = {
+    Type = "simple";
+    ExecStart = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1";
+    Restart = "on-failure";
+    RestartSec = 1;
+    TimeoutStopSec = 10;
+  };
+};
+</syntaxhighlight>Another option is <code>lxqt.lxqt-policykit</code>, which can be launched on login through the command <code>lxqt-policykit-agent</code> on e.g. Hyprland.
 == Start the authentication agent in dwm ==
@@ Line 76: / Line 112: @@
 </syntaxhighlight>
-Use this method, you won't need to change the codes even <code>mate.mate-polkit</code> gets an update.
+Use this method, you won't need to change the codes even if <code>mate.mate-polkit</code> gets an update.
 <syntaxhighlight lang=bash>
 #!/bin/sh
 ...
-/nix/store/$(ls -la /nix/store | grep polkit-kde-agent | grep '^d' | awk '{print $9}')/libexec/polkit-kde-authentication-agent-1 &
+/nix/store/$(ls -la /nix/store | grep 'polkit-kde-agent' | grep '^d' | awk '{print $9}')/libexec/polkit-kde-authentication-agent-1 &
 ...
 </syntaxhighlight>
-The same but for <code>polkit-kde-agent</code>
+The same but for <code>polkit-kde-agent</code>.