1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
|
<?xml version="1.0"?>
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
"http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd" [
<!ENTITY version SYSTEM "../version.xml">
]>
<refentry id="polkit.8" xmlns:xi="http://www.w3.org/2003/XInclude">
<refentryinfo>
<title>polkit</title>
<date>January 2009</date>
<productname>polkit</productname>
</refentryinfo>
<refmeta>
<refentrytitle>polkit</refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo class="version"></refmiscinfo>
</refmeta>
<refnamediv>
<refname>polkit</refname>
<refpurpose>Authorization Framework</refpurpose>
</refnamediv>
<refsect1 id="polkit-overview"><title>OVERVIEW</title>
<para>
PolicyKit provides an authorization API intended to be used by
privileged programs (<quote>MECHANISMS</quote>) offering service
to unprivileged programs (<quote>CLIENTS</quote>) through some
form of IPC mechanism such as D-Bus or Unix pipes. In this
scenario, the mechanism typically treats the client as
untrusted. For every request from a client, the mechanism needs
to determine if the request is authorized or if it should refuse
to service the client. Using the PolicyKit API, a mechanism can
offload this decision to a trusted party: The PolicyKit
Authority.
</para>
<para>
In addition to acting as an authority, PolicyKit allows users to
obtain temporary authorization through authenticating either an
administrative user or the owner of the session the client
belongs to. This is useful for scenarios where a mechanism needs
to verify that the operator of the system really is the user or
really is an administrative user.
</para>
</refsect1>
<refsect1 id="polkit-system-architecture"><title>SYSTEM ARCHITECTURE</title>
<para>
The system architecture of PolicyKit is comprised of
the <emphasis>Authority</emphasis> (implemented as a service on
the system message bus) and a
<emphasis>Authentication Agent</emphasis> per user session
(provided and started by the user session e.g. GNOME or KDE).
Additionally, PolicyKit supports a number of extension points –
specifically, vendors and/or sites can write extensions to
completely control authorization policy. In a block diagram, the
architecture looks like this:
</para>
<mediaobject id="polkit-architecture">
<imageobject>
<imagedata fileref="polkit-architecture.png" format="PNG"/>
</imageobject>
<textobject>
<programlisting><![CDATA[
+-------------------+
| Authentication |
| Agent |
+-------------------+
| libpolkit-agent-1 |
+-------------------+
^ +--------+
| | Client |
+--------------+ +--------+
| ^
| |
User Session | |
=======================|========================|=============
System Context | |
| |
| +---+
V |
/------------\ |
| System Bus | |
\------------/ |
^ ^ V
| | +---------------------+
+--------------+ | | Mechanism |
| | +---------------------+
V +----> | libpolkit-gobject-1 |
+------------------+ +---------------------+
| org.freedesktop. |
| PolicyKit1 |
+------------------+
| Backends and |
| Extensions |
+------------------+
]]></programlisting>
</textobject>
</mediaobject>
<para>
For convenience, the <literal>libpolkit-gobject-1</literal>
library wraps the PolicyKit D-Bus API using GObject. However, a
mechanism can also use the D-Bus API or the
<citerefentry><refentrytitle>pkcheck</refentrytitle><manvolnum>1</manvolnum></citerefentry>
command to check authorizations.
</para>
<para>
The <literal>libpolkit-agent-1</literal> library provides an
abstraction of the native authentication system, e.g.
<citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
and also facilities registration and communication with the
PolicyKit D-Bus service.
</para>
<para>
PolicyKit extensions and authority backends are implemented
using the
<literal>libpolkit-backend-1</literal> library.
</para>
<para>
See the
<ulink url="file:///usr/share/gtk-doc/html/polkit-1/index.html">developer
documentation</ulink> for more information about using and
extending PolicyKit.
</para>
<para>
See
<citerefentry><refentrytitle>pklocalauthority</refentrytitle><manvolnum>8</manvolnum></citerefentry>
for information about the Local Authority - the default
authority implementation shipped with PolicyKit.
</para>
</refsect1>
<refsect1 id="polkit-authentication-agents"><title>AUTHENTICATION AGENTS</title>
<para>
An authentication agent is used to make the user of a session
prove that the user of the session really is the user (by
authenticating as the user) or an administrative user (by
authenticating as a administrator). In order to integrate well
with the rest of the user session (e.g. match the look and
feel), authentication agents are meant to be provided by the
user session that the user uses. For example, an authentication
agent may look like this:
</para>
<mediaobject id="polkit-authentication-agent-example">
<imageobject>
<imagedata fileref="polkit-authentication-agent-example.png" format="PNG"/>
</imageobject>
<textobject>
<programlisting><![CDATA[
+----------------------------------------------------------+
| Authenticate [X] |
+----------------------------------------------------------+
| |
| [Icon] Authentication is required to run ATA SMART |
| self tests |
| |
| An application is attempting to perform an |
| action that requires privileges. Authentication |
| as the super user is required to perform this |
| action. |
| |
| Password for root: [_________________________] |
| |
| [V] Details: |
| Drive: ATA INTEL SSDSA2MH08 (045C) |
| Device: /dev/sda |
| Action: org.fd.devicekit.disks.drive-ata-smart-selftest |
| Vendor: The DeviceKit Project |
| |
| [Cancel] [Authenticate] |
+----------------------------------------------------------+
]]></programlisting>
</textobject>
</mediaobject>
<para>
If the system is configured without a <emphasis>root</emphasis>
account it may allow you to select the administrative user who
is authenticating:
</para>
<mediaobject id="polkit-authentication-agent-example-wheel">
<imageobject>
<imagedata fileref="polkit-authentication-agent-example-wheel.png" format="PNG"/>
</imageobject>
<textobject>
<programlisting><![CDATA[
+----------------------------------------------------------+
| Authenticate [X] |
+----------------------------------------------------------+
| |
| [Icon] Authentication is required to run ATA SMART |
| self tests |
| |
| An application is attempting to perform an |
| action that requires privileges. Authentication |
| as one of the users below is required to |
| perform this action. |
| |
| [[Face] Patrick Bateman (bateman) [V]] |
| |
| Password for bateman: [______________________] |
| |
| [V] Details: |
| Drive: ATA INTEL SSDSA2MH08 (045C) |
| Device: /dev/sda |
| Action: org.fd.devicekit.disks.drive-ata-smart-selftest |
| Vendor: The DeviceKit Project |
| |
| [Cancel] [Authenticate] |
+----------------------------------------------------------+
]]></programlisting>
</textobject>
</mediaobject>
<para>
See
<citerefentry><refentrytitle>pklocalauthority</refentrytitle><manvolnum>8</manvolnum></citerefentry>
on how to set up the local authority
implemention for systems without a <literal>root</literal>
account.
</para>
<para>
Applications that do not run under a desktop environment (for
example, if launched from a
<citerefentry><refentrytitle>ssh</refentrytitle><manvolnum>1</manvolnum></citerefentry>
login) may not have have an authentication agent associated with
them. Such applications may use the <link
linkend="PolkitAgentTextListener-struct">PolkitAgentTextListener</link>
type or the
<citerefentry><refentrytitle>pkttyagent</refentrytitle><manvolnum>1</manvolnum></citerefentry>
helper so the user can authenticate using a textual interface.
</para>
</refsect1>
<refsect1 id="polkit-declaring-actions"><title>DECLARING ACTIONS</title>
<para>
A mechanism need to declare a set of <quote>ACTIONS</quote> in
order to use PolicyKit. Actions correspond to operations that
clients can request the mechanism to carry out and are defined
in XML files that the mechanism installs into
the <filename>/usr/share/polkit-1/actions</filename> directory.
</para>
<para>
PolicyKit actions are namespaced and can only contain the
characters <literal>[a-z][0-9].-</literal> e.g. lower-case
ASCII, digits, period and hyphen. Each XML file can contain more
than one action but all actions need to be in the same namespace
and the file needs to be named after the namespace and have the
extension <literal>.policy</literal>.
</para>
<para>
The XML file must have the following doctype declaration
</para>
<programlisting><![CDATA[
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
"http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
]]></programlisting>
<para>
The <emphasis>policyconfig</emphasis> element must be present
exactly once. Elements that can be used
inside <emphasis>policyconfig</emphasis> includes:
</para>
<variablelist>
<varlistentry>
<term><emphasis>vendor</emphasis></term>
<listitem><para>The name of the project or vendor that is
supplying the actions in the XML
document. Optional.</para></listitem>
</varlistentry>
<varlistentry>
<term><emphasis>vendor_url</emphasis></term>
<listitem><para>A URL to the project or vendor that is
supplying the actions in the XML document.
Optional.</para></listitem>
</varlistentry>
<varlistentry>
<term><emphasis>icon_name</emphasis></term>
<listitem><para>An icon representing the project or vendor
that is supplying the actions in the XML document. The icon
name must adhere to
the <ulink url="http://standards.freedesktop.org/icon-naming-spec/icon-naming-spec-latest.html">Freedesktop.org
Icon Naming Specification</ulink>. Optional.</para></listitem>
</varlistentry>
<varlistentry>
<term><emphasis>action</emphasis></term>
<listitem><para>Declares an action. The action name is
specified using the <literal>id</literal> attribute and can
only contain the characters <literal>[a-z][0-9].-</literal>
e.g. lower-case ASCII, digits, period and
hyphen.</para></listitem>
</varlistentry>
</variablelist>
<para>
Elements that can be used inside <emphasis>action</emphasis> includes:
</para>
<variablelist>
<varlistentry>
<term><emphasis>description</emphasis></term>
<listitem><para>A human readable description of the action, e.g. <quote>Install unsigned software</quote>.</para></listitem>
</varlistentry>
<varlistentry>
<term><emphasis>message</emphasis></term>
<listitem><para>A human readable message displayed to the user when asking for credentials when authentication is needed, e.g. <quote>Installing unsigned software requires authentication</quote>.</para></listitem>
</varlistentry>
<varlistentry>
<term><emphasis>defaults</emphasis></term>
<listitem><para>This element is used to specify implicit authorizations for clients.</para>
<para>
Elements that can be used inside <emphasis>defaults</emphasis> includes:
</para>
<variablelist>
<varlistentry>
<term><emphasis>allow_any</emphasis></term>
<listitem><para>Implicit authorizations that apply to
any client. Optional.</para></listitem>
</varlistentry>
<varlistentry>
<term><emphasis>allow_inactive</emphasis></term>
<listitem><para>Implicit authorizations that apply to
clients in inactive sessions on local
consoles. Optional.</para></listitem>
</varlistentry>
<varlistentry>
<term><emphasis>allow_active</emphasis></term>
<listitem><para>Implicit authorizations that apply to
clients in active sessions on local
consoles. Optional.</para></listitem>
</varlistentry>
</variablelist>
<para>
Each of
the <emphasis>allow_any</emphasis>, <emphasis>allow_inactive</emphasis>
and <emphasis>allow_active</emphasis> elements can contain
the following values:
</para>
<variablelist>
<varlistentry>
<term><literal>no</literal></term>
<listitem><para>Not authorized.</para></listitem>
</varlistentry>
<varlistentry>
<term><literal>yes</literal></term>
<listitem><para>Authorized.</para></listitem>
</varlistentry>
<varlistentry>
<term><literal>auth_self</literal></term>
<listitem><para>Authentication by the owner of the
session that the client originates from is
required.</para></listitem>
</varlistentry>
<varlistentry>
<term><literal>auth_admin</literal></term>
<listitem><para>Authentication by an administrative user
is required.</para></listitem>
</varlistentry>
<varlistentry>
<term><literal>auth_self_keep</literal></term>
<listitem><para>Like <literal>auth_self</literal> but
the authorization is kept for a brief
period.</para></listitem>
</varlistentry>
<varlistentry>
<term><literal>auth_admin_keep</literal></term>
<listitem><para>Like <literal>auth_admin</literal> but the authorization is kept for a brief period.</para></listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>annotate</emphasis></term>
<listitem><para>Used for annotating an action with a key/value
pair. The key is specified using the
the <literal>key</literal> attribute and the value is
specified using the <literal>value</literal> attribute. This
element may appear zero or more times. See
below for known annotations. </para></listitem>
</varlistentry>
<varlistentry>
<term><emphasis>vendor</emphasis></term>
<listitem><para>Used for overriding the vendor on a per-action
basis. Optional.</para></listitem>
</varlistentry>
<varlistentry>
<term><emphasis>vendor_url</emphasis></term>
<listitem><para>Used for overriding the vendor URL on a
per-action basis. Optional.</para></listitem>
</varlistentry>
<varlistentry>
<term><emphasis>icon_name</emphasis></term>
<listitem><para>Used for overriding the icon name on a
per-action basis. Optional.</para></listitem>
</varlistentry>
</variablelist>
<para>
For localization, <emphasis>description</emphasis>
and <emphasis>message</emphasis> elements may occur multiple
times with different <literal>xml:lang</literal> attributes.
</para>
<para>
To list installed PolicyKit actions, use the
<citerefentry><refentrytitle>pkaction</refentrytitle><manvolnum>1</manvolnum></citerefentry>
command.
</para>
<refsect2><title>Known annotations</title>
<para>
The <literal>org.freedesktop.policykit.exec.path</literal>
annotation is used by the <command>pkexec</command> program
shipped with PolicyKit - see the
<citerefentry><refentrytitle>pkexec</refentrytitle><manvolnum>1</manvolnum></citerefentry>
man page for details.
</para>
<para>
The <literal>org.freedesktop.policykit.imply</literal>
annotation (its value is a string containing a space separated
list of action identifiers) can be used to define <emphasis>meta
actions</emphasis>. The way it works is that if a subject is
authorized for an action with this annotation, then it is also
authorized for any action specified by the annotation. A typical
use of this annotation is when defining an UI shell with a
single lock button that should unlock multiple actions from
distinct mechanisms.
</para>
<para>
The <literal>org.freedesktop.policykit.owner</literal>
annotation can be used to define a set of users who can query
whether a client is authorized to perform this action. If this
annotation is not specified then only root can query whether a
client running as a different user is authorized for an action.
The value of this annotation is a string containing a space
separated list of <link
linkend="PolkitIdentity-struct">PolkitIdentity</link> entries,
for example <literal>"unix-user:42 unix-user:colord"</literal>.
A typical use of this annotation is for a daemon process that
runs as a system user rather than root.
</para>
</refsect2>
</refsect1>
<refsect1 id="polkit-rules"><title>AUTHORIZATION RULES</title>
<para>
<command>polkitd</command> reads
<filename class='extension'>.rules</filename> files from the
<filename class='directory'>/etc/polkit-1/rules.d</filename> and
<filename class='directory'>/usr/share/polkit-1/rules.d</filename>
directories by sorting the files in lexical order based on the
basename on each file (and if there's a tie, files in
<filename class='directory'>/etc</filename>
are processed before files in
<filename class='directory'>/usr</filename>).
For example, for the following four
files, the order is
</para>
<itemizedlist mark='opencircle' spacing='compact'>
<listitem><para><filename>/etc/polkit-1/rules.d/10-auth.rules</filename></para></listitem>
<listitem><para><filename>/usr/share/polkit-1/rules.d/10-auth.rules</filename></para></listitem>
<listitem><para><filename>/etc/polkit-1/rules.d/15-auth.rules</filename></para></listitem>
<listitem><para><filename>/usr/share/polkit-1/rules.d/20-auth.rules</filename></para></listitem>
</itemizedlist>
<para>
Both directories are monitored so if a rules file is changed,
added or removed, existing rules are purged and all files are
read and processed again. Rules files are written in the
<ulink url="http://en.wikipedia.org/wiki/JavaScript">JavaScript</ulink>
programming language and interface with <command>polkitd</command>
through the global
<literal>polkit</literal> object (of type <type>Polkit</type>).
The following methods are available:
</para>
<funcsynopsis>
<funcprototype>
<?dbhtml funcsynopsis-style='ansi'?>
<funcdef>void <function>addRule</function></funcdef>
<paramdef>string <function>function</function>(<parameter>action</parameter>, <parameter>subject</parameter>, <parameter>details</parameter>) {...}</paramdef>
</funcprototype>
</funcsynopsis>
<funcsynopsis>
<funcprototype>
<?dbhtml funcsynopsis-style='ansi'?>
<funcdef>void <function>addAdminRule</function></funcdef>
<paramdef>string[] <function>function</function>(<parameter>action</parameter>, <parameter>subject</parameter>, <parameter>details</parameter>) {...}</paramdef>
</funcprototype>
</funcsynopsis>
<funcsynopsis>
<funcprototype>
<?dbhtml funcsynopsis-style='ansi'?>
<funcdef>void <function>log</function></funcdef>
<paramdef>string <parameter>message</parameter></paramdef>
</funcprototype>
</funcsynopsis>
<funcsynopsis>
<funcprototype>
<?dbhtml funcsynopsis-style='ansi'?>
<funcdef>string <function>spawn</function></funcdef>
<paramdef>string[] <parameter>argv</parameter></paramdef>
</funcprototype>
</funcsynopsis>
<para>
The <function>addRule()</function> method is used for adding a
function that may be called whenever an authorization check for
<parameter>action</parameter>, <parameter>subject</parameter>
and <parameter>details</parameter> is performed. Functions are
called in the order they have been added until one of the
functions returns a value. Hence, to add an authorization rule
that is processed before other rules, put it in a file in
<filename class='directory'>/etc/polkit-1/rules.d</filename>
with a name that sorts before other rules files, for example
<filename>00-early-checks.rules</filename>. Each function should
return one of the values <literal>"no"</literal>,
<literal>"yes"</literal>, <literal>"auth_self"</literal>,
<literal>"auth_self_keep"</literal>,
<literal>"auth_admin"</literal>,
<literal>"auth_admin_keep"</literal> as defined above. If the
function returns <constant>null</constant>,
<constant>undefined</constant> or does not return a value at
all, the next function is tried.
</para>
<para>
The <function>addAdminRule()</function> method is used for
adding a function may be called whenever administrator
authentication is required. The function is used to specify what
identies may be used for administrator authentication for the
authorization check identified by <parameter>action</parameter>,
<parameter>subject</parameter> and
<parameter>details</parameter>. Functions added are called in
the order they have been added until one of the functions
returns a value. Each function should return an array of strings
where each string is of the form
<literal>"unix-group:<group>"</literal>,
<literal>"unix-netgroup:<netgroup>"</literal> or
<literal>"unix-user:<user>"</literal>. If the function
returns <constant>null</constant>,
<constant>undefined</constant> or does not return a value at
all, the next function is tried.
</para>
<para>
There is no guarantee that a function registered with
<function>addRule()</function> or
<function>addAdminRule()</function> is ever called - for example
an early rules file could register a function that always return
a value, hence ensuring that functions added later are never
called.
</para>
<para>
The <function>log()</function> method writes the given
<parameter>message</parameter> to the system logger. Log entries
are emitted using the <constant>LOG_AUTHPRIV</constant> flag
meaning that the log entries usually ends up in the file
<filename>/var/log/secure</filename>. The
<function>log()</function> method is usually only used when
debugging rules.
</para>
<para>
The <function>spawn()</function> method spawns an external
helper identified by the argument vector
<parameter>argv</parameter> and waits for it to terminate. If an
error occurs or the helper doesn't exit normally with exit code
0, an exception is thrown. If the helper does not exit within 10
seconds it is killed. Otherwise, the program's
<emphasis>standard output</emphasis> is returned as a string.
The <function>spawn()</function> method should be used sparingly
as helpers may take a very long or indeterminate amount of time
to complete and no other authorization check can be handled
while the helper is running.
</para>
<refsect2 id="polkit-rules-subject">
<title>The <type>Subject</type> type</title>
<para>
The <parameter>subject</parameter> parameter passed to user
functions is an object with information about the process
being checked. It is of type <type>Subject</type> and has the
following attributes
</para>
<informaltable id="polkit-js-subject-attributes">
<tgroup cols="3" align="left">
<thead>
<row>
<entry>Attribute</entry>
<entry>Type</entry>
<entry>Description</entry>
</row>
</thead>
<tbody>
<row>
<entry><parameter>pid</parameter></entry>
<entry><type>int</type></entry>
<entry>The process id</entry>
</row>
<row>
<entry><parameter>user</parameter></entry>
<entry><type>string</type></entry>
<entry>The user name</entry>
</row>
<row>
<entry><parameter>groups</parameter></entry>
<entry><type>string[]</type></entry>
<entry>Array of groups that <parameter>user</parameter> user belongs to</entry>
</row>
<row>
<entry><parameter>seat</parameter></entry>
<entry><type>string</type></entry>
<entry>The seat that the subject is associated with - blank if not on a local seat</entry>
</row>
<row>
<entry><parameter>session</parameter></entry>
<entry><type>string</type></entry>
<entry>The session that the subject is associated with</entry>
</row>
<row>
<entry><parameter>local</parameter></entry>
<entry><type>boolean</type></entry>
<entry>Set to <constant>true</constant> only if seat is local</entry>
</row>
<row>
<entry><parameter>active</parameter></entry>
<entry><type>boolean</type></entry>
<entry>Set to <constant>true</constant> only if the session is active</entry>
</row>
</tbody>
</tgroup>
</informaltable>
<para>
The following methods are available on the <type>Subject</type> type:
</para>
<funcsynopsis>
<funcprototype>
<?dbhtml funcsynopsis-style='ansi'?>
<funcdef>boolean <function>isInGroup</function></funcdef>
<paramdef>string <parameter>groupName</parameter></paramdef>
</funcprototype>
</funcsynopsis>
<funcsynopsis>
<funcprototype>
<?dbhtml funcsynopsis-style='ansi'?>
<funcdef>boolean <function>isInNetGroup</function></funcdef>
<paramdef>string <parameter>netGroupName</parameter></paramdef>
</funcprototype>
</funcsynopsis>
<para>
The <function>isInGroup()</function> method can be used to
check if the subject is in a given group and
<function>isInNetGroup()</function> can be used to check if
the subject is in a given netgroup.
</para>
</refsect2>
<refsect2 id="polkit-rules-details">
<title>The <type>Details</type> type</title>
<para>
The <parameter>details</parameter> parameter passed to user
functions is an object with more information about the action
being checked. It is of type <type>Details</type> and has
details being set by the mechanism as attributes. For example,
the <link
linkend="pkexec.1"><citerefentry><refentrytitle>pkexec</refentrytitle><manvolnum>1</manvolnum></citerefentry></link>
mechanism sets the details <literal>user</literal>,
<literal>program</literal> and <literal>command_line</literal>
which can be obtained through e.g. the following JavaScript
expression: <literal>details["program"]</literal>. Consult the
documentation for each mechanism for what details are
available for each action.
</para>
</refsect2>
<refsect2 id="polkit-rules-examples">
<title>Authorzation Rules Examples</title>
<para>
Allow all users in the <literal>admin</literal> group to
perform user administration without changing policy for other
users:
</para>
<programlisting><![CDATA[
polkit.addRule(function(action, subject, details) {
if (action == "org.freedesktop.accounts.user-administration" &&
subject.isInGroup("admin")) {
return "yes";
}
});
]]></programlisting>
<para>
Define administrative users to be the users in the <literal>wheel</literal> group:
</para>
<programlisting><![CDATA[
polkit.addAdminRule(function(action, subject, details) {
return ["unix-group:wheel"];
});
]]></programlisting>
<para>
Forbid users in group <literal>children</literal> to change
hostname configuration (that is, any action starting wth
<literal>org.freedesktop.hostname1.</literal>) and allow
anyone else to do it after authenticating as themselves:
</para>
<programlisting><![CDATA[
polkit.addRule(function(action, subject, details) {
if (action.indexOf("org.freedesktop.hostname1.") == 0) {
if (subject.isInGroup("children")) {
return "no";
} else {
return "auth_self_keep";
}
}
});
]]></programlisting>
<para>
Run an external helper to determine if the current user may reboot the system:
</para>
<programlisting><![CDATA[
polkit.addRule(function(action, subject, details) {
if (action.indexOf("org.freedesktop.login1.reboot") == 0) {
try {
// user-may-reboot exits with succeess (exit code 0)
// only if the passed username is authorized
polkit.spawn(["/opt/company/bin/user-may-reboot",
subject.user]);
return "yes";
} catch (error) {
// Nope, but do allow admin authentication
return "auth_admin";
}
}
});
]]></programlisting>
</refsect2>
</refsect1>
<refsect1 id="polkit-author"><title>AUTHOR</title>
<para>
Written by David Zeuthen <email>davidz@redhat.com</email> with
a lot of help from many others.
</para>
</refsect1>
<refsect1 id="polkit-bugs">
<title>BUGS</title>
<para>
Please send bug reports to either the distribution or the
polkit-devel mailing list,
see the link <ulink url="http://lists.freedesktop.org/mailman/listinfo/polkit-devel"/>
on how to subscribe.
</para>
</refsect1>
<refsect1 id="polkit-see-also">
<title>SEE ALSO</title>
<para>
<citerefentry>
<refentrytitle>pklocalauthority</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>
<citerefentry>
<refentrytitle>polkitd</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>
<citerefentry>
<refentrytitle>pkaction</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>pkcheck</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>pkexec</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>pkttyagent</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>
</para>
</refsect1>
</refentry>
|
