Polkit
Polkit is an authorization manager which is used for allowing unprivileged processes to speak to privileged processes through some form of inter-process communication mechanism like D-Bus.
Prerequisites
- Install and configure D-Bus.
- For graphical applications, polkit relies on elogind or Seatd to determine the identity of the user making a request.
Using polkit with elogind
polkit is mandatory for elogind, as elogind depends on it for authentication. Install the polkit-elogind package and enable the polkit service using OpenRC:
# apk add polkit-elogind
# rc-update add polkit
# rc-service polkit start
Proceed to configure elogind, if not done already.
Using polkit with seatd
polkit can be used for authentication with seatd, if you use only groups in the polkit rules. With seatd, you are also restricted to YES or NO rules.
Install the polkit package and enable the polkit service using OpenRC:
# apk add polkit
# rc-update add polkit
# rc-service polkit start
Proceed to configure seatd, if not done already.
Polkit rule files
The following example rule files have been provided to show the limitations of seatd.
Example 1
The sample polkit rule file /etc/polkit-1/rules.d/50-my-custom-rules.rules allows members of the "wheel" group to reboot without a password. This rule depends only on group membership, which works with seatd. It can be as follows:
Contents of /etc/polkit-1/rules.d/50-my-custom-rules.rules
The above polkit rule file is supported when used with both seatd and Elogind.
Example 2
Elogind is required for "subject.active" rules and no AUTH_ADMIN, since polkit agents need POLKIT_IS_SUBJECT. The sample polkit rule file /etc/polkit-1/rules.d/51-require-active-session.rules allows only active local sessions to suspend, based on subject.active, which requires Elogind. It can be as follows:
Contents of /etc/polkit-1/rules.d/51-require-active-session.rules
The above polkit rule file is supported only when used with Elogind.
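The two kinds of rule described in Example 1 and Example 2, written as an added example (not the wiki's own rule files) together with a small harness for checking them offline. The action ids, the stand-in polkit object and the helpers makeSubject and decide are assumptions made for this illustration.

```javascript
// Stand-in for the `polkit` object that polkitd provides to rules files
// (constructed here so the rules can be exercised offline).
var polkit = {
    Result: { YES: "yes", NO: "no" },
    rules: [],
    addRule: function (fn) { this.rules.push(fn); }
};

// Group-only rule: needs nothing but group membership, so it suits seatd.
polkit.addRule(function (action, subject) {
    // Action id is an assumption; the page does not name it.
    if (action.id == "org.freedesktop.login1.reboot" &&
        subject.isInGroup("wheel")) {
        return polkit.Result.YES;
    }
});

// Session rule: decides on subject.active, which the page says needs elogind.
polkit.addRule(function (action, subject) {
    if (action.id == "org.freedesktop.login1.suspend") { // assumed action id
        return (subject.active && subject.local)
            ? polkit.Result.YES : polkit.Result.NO;
    }
});

// Hypothetical helper: build a subject as a rule sees it. Passing null for
// session models a setup with no session data (an assumption about how a
// seatd-only system appears to the rule).
function makeSubject(groups, session) {
    return {
        active: !!(session && session.active),
        local: !!(session && session.local),
        isInGroup: function (g) { return groups.indexOf(g) !== -1; }
    };
}

// Hypothetical helper: rules run in the order added and the first one that
// returns a value decides; null means no rule decided.
function decide(actionId, subject) {
    for (var i = 0; i < polkit.rules.length; i++) {
        var result = polkit.rules[i]({ id: actionId }, subject);
        if (result) { return result; }
    }
    return null;
}
```

Only the two polkit.addRule(...) calls belong in a file under /etc/polkit-1/rules.d/; the rest is test scaffolding. Under the no-session assumption the group rule still returns YES for a wheel member, while the session rule returns NO.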