Polkit: Difference between revisions

From NixOS Wiki
imported>Aaron C Hall
Inverse is true, see https://search.nixos.org/options?channel=22.05&show=security.polkit.enable&from=0&size=50&sort=relevance&type=packages&query=Polkit
imported>Chewie
Mention use of systemd user service to launch a polkit authentication agent
Line 12: Line 12:


For example, <code>polkit_gnome</code> is a GNOME-based authentication agent, but it will usually only autostart when used with GNOME, KDE, or Unity (examine its autostart file in <code>etc/xdg/autostart/polkit-gnome-authentication-agent-1.desktop</code> for details); otherwise you will need to start it yourself, e.g. by copying that autostart file to <code>~/.config/autostart/</code> and removing the parts that restrict it to GNOME/KDE/Unity.
For example, <code>polkit_gnome</code> is a GNOME-based authentication agent, but it will usually only autostart when used with GNOME, KDE, or Unity (examine its autostart file in <code>etc/xdg/autostart/polkit-gnome-authentication-agent-1.desktop</code> for details); otherwise you will need to start it yourself, e.g. by copying that autostart file to <code>~/.config/autostart/</code> and removing the parts that restrict it to GNOME/KDE/Unity.
Alternatively, you can start it on login by creating a systemd user service:
<syntaxhighlight lang="nix">
systemd = {
    user.services.polkit-gnome-authentication-agent-1 = {
    description = "polkit-gnome-authentication-agent-1";
    wants = [ "graphical-session.target" ];
    wantedBy = [ "graphical-session.target" ];
    after = [ "graphical-session.target" ];
    serviceConfig = {
      Type = "simple";
      ExecStart = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1";
      Restart = "on-failure";
      RestartSec = 1;
      TimeoutStopSec = 10;
    };
  };
};
</syntaxhighlight>
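Review bot: `wants = [ "graphical-session.target" ];` looks redundant next to `wantedBy` and `after` on the same target. `wantedBy` already pulls the agent in when the graphical session starts, so consider dropping `wants` and using `partOf = [ "graphical-session.target" ];` so the agent is also stopped when the session ends. The indentation should be fixed as well: the attributes from `description` to `serviceConfig` sit at the same depth as `user.services.polkit-gnome-authentication-agent-1 = {`, and the closing braces step back to two spaces, which hides the nesting. Since `ExecStart` interpolates `${pkgs.polkit_gnome}`, the surrounding sentence could say that the snippet belongs in a module where `pkgs` is in scope.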

Revision as of 06:40, 11 September 2022

Polkit is used for controlling system-wide privileges. It provides an organized way for non-privileged processes to communicate with privileged ones. In contrast to sudo, it does not grant root permission to an entire process, but rather allows a finer level of control of centralized system policy.

Enable polkit

Polkit is disabled by default. If you wish to enable it, you can set security.polkit.enable to true.

Authentication agents

If Polkit does not seem to work properly, check that an authentication agent is installed and running, especially if you use a more niche desktop environment such as i3wm.

For example, polkit_gnome is a GNOME-based authentication agent, but it will usually only autostart when used with GNOME, KDE, or Unity (examine its autostart file in etc/xdg/autostart/polkit-gnome-authentication-agent-1.desktop for details); otherwise you will need to start it yourself, e.g. by copying that autostart file to ~/.config/autostart/ and removing the parts that restrict it to GNOME/KDE/Unity.

Alternatively, you can start it on login by creating a systemd user service:

<syntaxhighlight lang="nix">
systemd = {
  user.services.polkit-gnome-authentication-agent-1 = {
    description = "polkit-gnome-authentication-agent-1";
    wants = [ "graphical-session.target" ];
    wantedBy = [ "graphical-session.target" ];
    after = [ "graphical-session.target" ];
    serviceConfig = {
      Type = "simple";
      ExecStart = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1";
      Restart = "on-failure";
      RestartSec = 1;
      TimeoutStopSec = 10;
    };
  };
};
</syntaxhighlight>
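
One way to run the "installed and running" check from the Authentication agents section, as an added example that is not part of the wiki page. The function name `polkit_check`, the list of agent binaries, the return codes and the sample process list are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: check that polkitd and an authentication agent are running.
# Input: one command line per row on stdin, i.e. the output of `ps -eo args=`.
# Matching uses the basename of argv[0], because `ps -o comm` truncates names
# to 15 characters and NixOS binaries live under long /nix/store paths.

# Agent binaries to recognise (assumed list; extend it for other agents).
AGENTS="polkit-gnome-authentication-agent-1 polkit-kde-authentication-agent-1
polkit-mate-authentication-agent-1 lxqt-policykit-agent lxpolkit"

# Prints a one-line verdict. Returns 0 = ok, 1 = polkitd missing, 2 = no agent.
polkit_check() {
    daemon=no
    agent=
    while IFS= read -r line; do
        argv0=${line%% *}      # first word of the command line
        name=${argv0##*/}      # strip the directory part
        name=${name#.}         # Nix wrappers can show up as ".NAME-wrapped"
        name=${name%-wrapped}
        if [ "$name" = polkitd ]; then daemon=yes; fi
        for a in $AGENTS; do
            if [ "$name" = "$a" ]; then agent=$a; fi
        done
    done
    if [ "$daemon" = no ]; then
        echo "polkitd not running: is security.polkit.enable set to true?"
        return 1
    fi
    if [ -z "$agent" ]; then
        echo "polkitd running, but no authentication agent found"
        return 2
    fi
    echo "ok: polkitd running, agent $agent"
}

# Constructed sample process list (HASH stands in for a store hash).
sample_ps() {
    printf '%s\n' \
        "/nix/store/HASH-polkit/lib/polkit-1/polkitd --no-debug" \
        "/nix/store/HASH-polkit-gnome/libexec/polkit-gnome-authentication-agent-1" \
        "i3"
}

sample_ps | polkit_check || true
# On a live system: ps -eo args= | polkit_check
```

A return code of 2 is the case this section describes: the daemon is up, but nothing in the session can prompt for authentication.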