Polkit: Difference between revisions

Group rules together. Add a rule "no password for wheel", because who doesn't have wheelNeedsPassword on their plaything?
Polkit is disabled by default. If you wish to enable it, set <code>security.polkit.enable</code> to <code>true</code>. (If you run a desktop environment, polkit is most likely already enabled as a dependency of it.)


== Writing rules ==
The Polkit rule language is described at https://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html#polkit-rules. It is plain JavaScript plus a small API: rules are registered with <code>polkit.addRule()</code>, are evaluated in the order they were registered, and the first rule that returns anything other than <code>polkit.Result.NOT_HANDLED</code> (<code>null</code>) decides the result; if no rule answers, the default from the action's <code>.policy</code> file applies.
 
On NixOS, Polkit uses [https://duktape.org/ Duktape] as its JavaScript runtime. Duktape targets ES5 (with only partial support for later ECMAScript features), so stick to ES5 constructs such as <code>var</code>, function expressions and <code>indexOf()</code> rather than newer syntax that may not parse.
 
=== Reboot/poweroff for unprivileged users ===


With the following rule, we can grant permission to <code>reboot</code> and <code>poweroff</code> the machine to users in the <code>
{{file|/etc/nixos/configuration.nix|nix|<nowiki>
  security.polkit.extraConfig = ''
    polkit.addRule(function (action, subject) {
      // Members of "users" may reboot or power off, including the
      // "-multiple-sessions" variants that fire when other users are logged in.
      if (
        subject.isInGroup("users") &&
        [
          "org.freedesktop.login1.reboot",
          "org.freedesktop.login1.reboot-multiple-sessions",
          "org.freedesktop.login1.power-off",
          "org.freedesktop.login1.power-off-multiple-sessions",
        ].indexOf(action.id) !== -1
      ) {
        return polkit.Result.YES;
      }
    });
  '';
</nowiki>}}


=== No password for wheel ===
The following rule is the analogue of <code>NOPASSWD:ALL</code> in [[sudo]]: members of <code>wheel</code> are never asked to authenticate, for ''any'' polkit action, including actions whose policy would normally demand an administrator password.
 
{{file|/etc/nixos/configuration.nix|nix|<nowiki>
  security.polkit.extraConfig = ''
    polkit.addRule(function(action, subject) {
      if (subject.isInGroup("wheel"))
        return polkit.Result.YES;
    });
  '';
</nowiki>}}
 
(This does ''not'' take into account the <code>security.polkit.adminIdentities</code> setting: that setting only controls who may authenticate as an administrator when an action asks for <code>auth_admin</code>, and this rule returns <code>YES</code> before any such prompt can happen. Because rules are evaluated in registration order, any rule meant to keep a prompt for some action must be placed ''before'' this one, or it will never be reached.)
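To see how the rule language and rule ordering described above behave, here is an added example that is not code from the wiki page or from the polkit project: it defines a small stand-in for the part of the polkit rule API the two rules above use (<code>polkit.addRule</code>, <code>polkit.Result</code>, <code>subject.isInGroup()</code>, <code>subject.local</code>, <code>subject.active</code>, <code>action.id</code>), registers the reboot/poweroff rule and the wheel rule alongside a narrower rule that keeps a password prompt for <code>pkexec</code>, and evaluates them for constructed subjects. The helper names <code>makeSubject</code>, <code>evaluate</code>, <code>registerRules</code> and the policy defaults passed to <code>evaluate</code> are assumptions of this example, and the reboot rule is tightened here to local, active sessions, which the page's own rule does not do.

```javascript
"use strict";

// Added example (not from the NixOS wiki page or the polkit project): a tiny
// stand-in for the slice of the polkit rule API used on this page, so the
// rules can be exercised offline. Only the documented surface is modelled:
// polkit.addRule, polkit.Result, subject.user/local/active/isInGroup() and
// action.id. Real polkit runs rule functions in registration order and takes
// the first value that is not NOT_HANDLED (null); if nothing answers, the
// implicit authorization from the action's .policy file applies. The rules
// are written in ES5 style (var, function expressions, indexOf) because that
// is what the Duktape runtime is guaranteed to accept.

var polkit = {
  Result: {
    NO: "no",
    YES: "yes",
    AUTH_SELF: "auth_self",
    AUTH_SELF_KEEP: "auth_self_keep",
    AUTH_ADMIN: "auth_admin",
    AUTH_ADMIN_KEEP: "auth_admin_keep",
    NOT_HANDLED: null
  },
  _rules: [],
  addRule: function (fn) { this._rules.push(fn); }
};

// Constructed subject with the fields a rule may inspect (assumed helper).
function makeSubject(user, groups, local, active) {
  return {
    user: user,
    groups: groups,
    local: local === undefined ? true : local,
    active: active === undefined ? true : active,
    isInGroup: function (g) { return this.groups.indexOf(g) !== -1; }
  };
}

// Walk the rules the way polkit does: the first non-null answer wins.
// `policyDefault` stands in for the implicit authorization of the .policy
// file (a constructed value here, not login1's real defaults).
function evaluate(actionId, subject, policyDefault) {
  var action = { id: actionId };
  for (var i = 0; i < polkit._rules.length; i++) {
    var r = polkit._rules[i](action, subject);
    if (r !== null && r !== undefined) {
      return r;
    }
  }
  return policyDefault;
}

var POWER_ACTIONS = [
  "org.freedesktop.login1.reboot",
  "org.freedesktop.login1.reboot-multiple-sessions",
  "org.freedesktop.login1.power-off",
  "org.freedesktop.login1.power-off-multiple-sessions"
];

// The page's reboot/poweroff rule, tightened (an assumption of this example)
// to local, active sessions so an SSH-only login of a "users" member cannot
// reboot the box.
function powerRule(action, subject) {
  if (subject.isInGroup("users") && subject.local && subject.active &&
      POWER_ACTIONS.indexOf(action.id) !== -1) {
    return polkit.Result.YES;
  }
}

// A narrower rule for wheel: pkexec still prompts for an admin password.
// It only has an effect if it is registered BEFORE the blanket wheel rule.
function pkexecRule(action, subject) {
  if (action.id === "org.freedesktop.policykit.exec" &&
      subject.isInGroup("wheel")) {
    return polkit.Result.AUTH_ADMIN;
  }
}

// The page's NOPASSWD:ALL analogue: any wheel member, any action, no prompt.
function wheelRule(action, subject) {
  if (subject.isInGroup("wheel")) {
    return polkit.Result.YES;
  }
}

// Register the three rules; `blanketFirst` flips the order of the last two
// so the shadowing effect of the wheel rule can be observed.
function registerRules(blanketFirst) {
  polkit._rules = [];
  polkit.addRule(powerRule);
  if (blanketFirst) {
    polkit.addRule(wheelRule);
    polkit.addRule(pkexecRule);
  } else {
    polkit.addRule(pkexecRule);
    polkit.addRule(wheelRule);
  }
}
```

With <code>registerRules(false)</code>, a local, active member of <code>users</code> gets <code>YES</code> for <code>org.freedesktop.login1.reboot</code>, the same user over SSH falls through to the policy default, and a <code>wheel</code> member still sees an admin prompt for <code>pkexec</code> while getting <code>YES</code> for everything else. With <code>registerRules(true)</code> the blanket wheel rule runs first and the <code>pkexec</code> restriction is never reached, which is exactly the ordering pitfall to watch for when combining the wheel rule with anything more specific in <code>security.polkit.extraConfig</code>.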


== Authentication agents ==