Thursday, August 12, 2010

PolicyKit

PolicyKit is an operating system component for controlling system-wide privileges in Unix-like operating systems. It provides an organized way for non-privileged processes to communicate with privileged ones. In contrast to systems such as sudo, it does not grant root permission to an entire process, but rather allows a finer level of control of centralized system policy.

Files shipped with PolicyKit and 3rd party packages (e.g. under package manager control) typically have comments (such as “DO NOT EDIT THIS FILE, it will be overwritten on update”) telling the system administrator that changes will be overwritten on update.

Configuring PolicyKit

Configuration for the Local Authority is read from files in the /etc/polkit-1/localauthority.conf.d directory.

The Local Authority reads files with .pkla extension from all directories located inside the /etc/polkit-1/localauthority and /var/lib/polkit-1/localauthority directories. By default, the following sub-directories are installed.

10-vendor.d Intended for use by the OS vendor.
20-org.d Intended for the organization deploying the OS.
30-site.d Intended for the site deploying the system.
50-local.d Intended for local usage.
90-mandatory.d Intended for the organization deploying the OS.

Directories can be added or removed. The configuration files are the .pkla files. A .pkla file must be named using a scheme that ensures the name is unique, e.g. reverse DNS notation or similar. For example: com.mycompany.packagekit.pkla.

Setup .pkla files

Each group in a .pkla file must have a name that is unique within the file it belongs to.

The following keys are recognized:

Identity

  • A semi-colon separated list of globs to match identities. Each glob should start with unix-user: or unix-group: to specify whether to match on a UNIX user name or a UNIX group name.

Action

  • A semi-colon separated list of globs to match action identifiers.

ResultActive

  • The result to return for subjects in an active local session that matches one or more of the given identities. Allowed values are similar to what can be used in the defaults section of .policy files used to define actions, e.g. yes, no, auth_self, auth_self_keep, auth_admin and auth_admin_keep.

ResultInactive

  • Like ResultActive but instead applies to subjects in inactive local sessions.

ResultAny

  • Like ResultActive but instead applies to any subject.

ReturnValue

  • A semi-colon separated list of key/value pairs (of the form key=value) that are added to the details of authorization result on positive matches.

Sample .pkla file

# Allow "standard users" to do some things without being interrupted by
# password dialogs (TODO: not complete)
#
[Desktop User Permissions]
Identity=unix-group:wetab
Action=org.freedesktop.packagekit.package-install;org.freedesktop.packagekit.package-remove;
ResultAny=no
ResultInactive=no
ResultActive=yes

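This configuration file allows members of the wetab group to install and remove packages through PackageKit without a password prompt when they are in an active local session; in inactive sessions, and for any other subject, the request is denied.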
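A small review helper for .pkla content, added here as an example and not part of the original post or of PolicyKit itself. It uses Python's configparser as a stand-in parser; the names lint_pkla and items, the "Loose Rule" group and the wildcard and yes-grant checks are assumptions chosen as review heuristics.

```python
import configparser
# Result values listed on the page for the Result* keys.
ALLOWED = {"yes", "no", "auth_self", "auth_self_keep", "auth_admin", "auth_admin_keep"}
# Constructed sample: the page's group plus a deliberately loose, hypothetical one.
SAMPLE = """\
[Desktop User Permissions]
Identity=unix-group:wetab
Action=org.freedesktop.packagekit.package-install;org.freedesktop.packagekit.package-remove;
ResultAny=no
ResultInactive=no
ResultActive=yes

[Loose Rule]
Identity=unix-user:*;staff
Action=org.freedesktop.packagekit.*
ResultAny=yes
ResultActive=maybe
"""

def items(value):  # split a semicolon-separated list, dropping empty entries
    return [v.strip() for v in (value or "").split(";") if v.strip()]

def lint_pkla(text):
    """Return (group, finding) tuples for the text of one .pkla file."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=True)
    cp.optionxform = str  # keep key case: Identity, Action, ...
    try:
        cp.read_string(text)
    except configparser.DuplicateSectionError as exc:
        return [(exc.section, "group name is not unique within the file")]
    out = []
    for group in cp.sections():
        entry = cp[group]
        for ident in items(entry.get("Identity")) or [""]:
            kind, _, name = ident.partition(":")
            if kind not in ("unix-user", "unix-group") or not name:
                out.append((group, f"identity '{ident}' needs a unix-user: or unix-group: prefix"))
            elif "*" in name or "?" in name:
                out.append((group, f"identity glob '{ident}' can match unintended accounts"))
        for action in items(entry.get("Action")) or [""]:
            if not action or "*" in action:
                out.append((group, f"action '{action}' is empty or a wildcard"))
        for key in ("ResultAny", "ResultInactive", "ResultActive"):
            value = entry.get(key)
            if value is not None and value not in ALLOWED:
                out.append((group, f"{key}={value} is not a recognized result"))
            elif value == "yes" and key != "ResultActive":
                out.append((group, f"{key}=yes skips authentication outside active local sessions"))
    return out
```

Calling lint_pkla(SAMPLE) returns no findings for the page's group and five for the constructed loose group.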

Non secure way of configuring

The policy files are located in /usr/share/polkit-1/actions/"DBUS application name".

Issue

Anything in /usr isn't considered 'configuration', so any time PolicyKit is updated, modifications will be wiped out and must be made again. Configuration should be set under /etc or /var.

References

http://hal.freedesktop.org/docs/polkit/pklocalauthority.8.html

$ man pklocalauthority
