Polkit

From NixOS Wiki
Revision as of 08:34, 26 July 2023 by imported>Kavika13

Polkit is used for controlling system-wide privileges. It provides an organized way for non-privileged processes to communicate with privileged ones. In contrast to sudo, it does not grant root permission to an entire process, but rather allows a finer level of control of centralized system policy.

Enable polkit

Polkit is disabled by default. If you wish to enable it, you can set security.polkit.enable to true.

Reboot/poweroff for unprivileged users

With the following rule, we can grant the permissions reboot and poweroff a machine to users in the users group.

This is useful on a multi-user machine. It may also be of particular importance when using XRDP or other similar Remote Desktop solutions.

/etc/nixos/configuration.nix
  security.polkit.extraConfig = ''
    polkit.addRule(function(action, subject) {
      if (
        subject.isInGroup("users")
          && (
            action.id == "org.freedesktop.login1.reboot" ||
            action.id == "org.freedesktop.login1.reboot-multiple-sessions" ||
            action.id == "org.freedesktop.login1.power-off" ||
            action.id == "org.freedesktop.login1.power-off-multiple-sessions"
          )
        )
      {
        return polkit.Result.YES;
      }
    })
  '';

Authentication agents

If Polkit seems not to work properly, you could check that you have an authentication agent installed and running (especially if you use a more niche desktop environment like e.g. i3wm).

For example, polkit_gnome is a GNOME-based authentication agent, but it will usually only autostart when used with GNOME, KDE, or Unity (examine its autostart file in etc/xdg/autostart/polkit-gnome-authentication-agent-1.desktop for details); otherwise you will need to start it yourself, e.g. by copying that autostart file to ~/.config/autostart/ and removing the parts that restrict it to GNOME/KDE/Unity.

Alternatively, you can start it on login by creating a systemd user service:

systemd = {
  user.services.polkit-gnome-authentication-agent-1 = {
    description = "polkit-gnome-authentication-agent-1";
    wantedBy = [ "graphical-session.target" ];
    wants = [ "graphical-session.target" ];
    after = [ "graphical-session.target" ];
    serviceConfig = {
        Type = "simple";
        ExecStart = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1";
        Restart = "on-failure";
        RestartSec = 1;
        TimeoutStopSec = 10;
      };
  };
};

Start the authentication agent in dwm

If you use dwm patched with dwm-autostart-20210120-cb3f58a.diff, you can add a command into ~/.dwm/autostart.sh to start a polkit agent. Here take mate.mate-polkit for example:

#!/bin/sh
# General stuff
...
/nix/store/$(ls -la /nix/store | grep 'mate-polkit' | grep '4096' | awk '{print $9}' | sed -n '$p')/libexec/polkit-mate-authentication-agent-1 & 
...

Use this method, you won't need to change the codes even mate.mate-polkit gets an update.

#!/bin/sh
...
/nix/store/$(ls -la /nix/store | grep polkit-kde-agent | grep '^d' | awk '{print $9}')/libexec/polkit-kde-authentication-agent-1 & 
...

The same but for polkit-kde-agent