Polkit: Difference between revisions
imported>Tkuwill m I wrote the code by myself. |
Update syntax for example systemd unit |
||
| (20 intermediate revisions by 10 users not shown) | |||
| Line 5: | Line 5: | ||
== Enable polkit == | == Enable polkit == | ||
Polkit is disabled by default. If you wish to enable it, you can set <code>security.polkit.enable</code> to true. | Polkit is disabled by default. If you wish to enable it, you can set <code>security.polkit.enable</code> to true. (However, if you are running any one of the desktop environments, you are likely to have polkit enabled as a dependency.) | ||
== Writing rules == | |||
The Polkit rule language is described at https://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html#polkit-rules. It is really just JavaScript with an API. | |||
On NixOS, Polkit uses [https://duktape.org/ Duktape] as its JavaScript runtime. Keep that in mind when you try to write newfangled code. | |||
The rules you write, together with any rule generated by <code>security.polkit</code>, is stored at <code>/etc/polkit-1/rules.d/10-nixos.rules</code> for the current running generation. | |||
=== Reboot/poweroff for unprivileged users === | |||
With the following rule, we can grant the permissions <code>reboot</code> and <code>poweroff</code> a machine to users in the <code> | |||
users</code> group. | |||
This is useful on a multi-user machine. It may also be of particular importance when using XRDP or other similar [[Remote Desktop]] solutions. | |||
{{file|/etc/nixos/configuration.nix|nix|<nowiki> | |||
security.polkit.extraConfig = '' | |||
polkit.addRule(function (action, subject) { | |||
if ( | |||
subject.isInGroup("users") && | |||
[ | |||
"org.freedesktop.login1.reboot", | |||
"org.freedesktop.login1.reboot-multiple-sessions", | |||
"org.freedesktop.login1.power-off", | |||
"org.freedesktop.login1.power-off-multiple-sessions", | |||
].indexOf(action.id) !== -1 | |||
) { | |||
return polkit.Result.YES; | |||
} | |||
}); | |||
''; | |||
</nowiki>}} | |||
=== No password for wheel === | |||
The following rule is the analogue of NOPASSWD:ALL in [[sudo]], in that wheel users do not need to authenticate again when performing ''any'' action. | |||
{{file|/etc/nixos/configuration.nix|nix|<nowiki> | |||
security.polkit.extraConfig = '' | |||
polkit.addRule(function(action, subject) { | |||
if (subject.isInGroup("wheel")) | |||
return polkit.Result.YES; | |||
}); | |||
''; | |||
</nowiki>}} | |||
(This does ''not'' take into account the <code>security.polkit.adminIdentities</code> setting.) | |||
== Authentication agents == | == Authentication agents == | ||
| Line 15: | Line 61: | ||
Alternatively, you can start it on login by creating a systemd user service: | Alternatively, you can start it on login by creating a systemd user service: | ||
=== Using NixOS === | |||
<syntaxhighlight lang="nix"> | <syntaxhighlight lang="nix"> | ||
systemd | systemd.user.services.polkit-gnome-authentication-agent-1 = { | ||
description = "polkit-gnome-authentication-agent-1"; | |||
wantedBy = [ "graphical-session.target" ]; | |||
wants = [ "graphical-session.target" ]; | |||
after = [ "graphical-session.target" ]; | |||
serviceConfig = { | |||
Type = "simple"; | |||
ExecStart = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1"; | |||
Restart = "on-failure"; | |||
RestartSec = 1; | |||
TimeoutStopSec = 10; | |||
}; | }; | ||
}; | }; | ||
</syntaxhighlight> | </syntaxhighlight> | ||
=== Using Home Manager === | |||
<syntaxhighlight lang="nix"> | |||
systemd.user.services.polkit-gnome-authentication-agent-1 = { | |||
Unit = { | |||
Description = "polkit-gnome-authentication-agent-1"; | |||
Wants = [ "graphical-session.target" ]; | |||
After = [ "graphical-session.target" ]; | |||
}; | |||
Install = { | |||
WantedBy = [ "graphical-session.target" ]; | |||
}; | |||
Service = { | |||
Type = "simple"; | |||
ExecStart = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1"; | |||
Restart = "on-failure"; | |||
RestartSec = 1; | |||
TimeoutStopSec = 10; | |||
}; | |||
}; | |||
</syntaxhighlight>Another option is <code>lxqt.lxqt-policykit</code>, which can be launched on login through the command <code>lxqt-policykit-agent</code> on e.g. Hyprland. | |||
== Start the authentication agent in dwm == | == Start the authentication agent in dwm == | ||
| Line 37: | Line 103: | ||
If you use dwm patched with [https://dwm.suckless.org/patches/autostart/dwm-autostart-20210120-cb3f58a.diff dwm-autostart-20210120-cb3f58a.diff], you can add a command into <code>~/.dwm/autostart.sh</code> to start a polkit agent. Here take <code>mate.mate-polkit</code> for example: | If you use dwm patched with [https://dwm.suckless.org/patches/autostart/dwm-autostart-20210120-cb3f58a.diff dwm-autostart-20210120-cb3f58a.diff], you can add a command into <code>~/.dwm/autostart.sh</code> to start a polkit agent. Here take <code>mate.mate-polkit</code> for example: | ||
<syntaxhighlight> | <syntaxhighlight lang=bash> | ||
#!/bin/sh | #!/bin/sh | ||
# General stuff | # General stuff | ||
... | ... | ||
/nix/store/$(ls -la /nix/store | grep 'mate-polkit | /nix/store/$(ls -la /nix/store | grep 'mate-polkit' | grep '4096' | awk '{print $9}' | sed -n '$p')/libexec/polkit-mate-authentication-agent-1 & | ||
... | ... | ||
</syntaxhighlight> | </syntaxhighlight> | ||
Use this method, you won't need to change the codes even if <code>mate.mate-polkit</code> gets an update. | |||
<syntaxhighlight lang=bash> | |||
#!/bin/sh | |||
... | |||
/nix/store/$(ls -la /nix/store | grep 'polkit-kde-agent' | grep '^d' | awk '{print $9}')/libexec/polkit-kde-authentication-agent-1 & | |||
... | |||
</syntaxhighlight> | |||
The same but for <code>polkit-kde-agent</code>. | |||