To modify implicit privileges or to set explicit ones, you can either use the graphical tool available with GNOME, use the command line tools shipped with PolicyKit, or modify the configuration files. While the GUI and the command line tools are a good solution for making temporary changes, editing the configuration files should be the preferred way to make permanent changes.
Start the Authorizations tool either via the GNOME main menu or by pressing Alt+F2 and entering polkit-gnome-authorization. The KDE version of the Authorisation tool can be started via Alt+F2 and entering polkit-kde-authorization.
The Authorizations window is divided into two parts. The left side shows all policies available in a tree view, while the right side displays details for the policy selected and offers means to change it.
Lists details of the chosen policy. The is the unique string used by PolicyKit to identify the policy. explains the purpose of the policy and displays a link to the organization that has issued this policy.
Change the privileges by clicking and choosing an authorization type explained in Section 9.2.1, “Implicit Privileges”. Click to restore the system defaults.
In this section you can privileges to existing users or users. In both cases, choose a user and a . Users with a UID of less than 1000 are only shown when is checked. To delete an authorization, choose it from the list and click .
| | Restrictions of the function on openSUSE |
---|---|
| | When using , the Authorization tool always operates on the upstream defaults, so it is not possible to list or restore the defaults shipped with openSUSE. Refer to Section 9.3.4, “Restoring the Default Privileges” for further information. |
PolicyKit comes with two command line tools for changing implicit privileges and for assigning explicit privileges. Each existing policy has a descriptive, unique name by which it can be identified and which is used with the command line tools. List all available policies with the command polkit-action.
polkit-action
List and modify implicit privileges. Using this command you can also reset all policies to the default value. When invoked with no parameters, the command polkit-action shows a list of all policies. See man 1 polkit-action for more information.
polkit-auth
Inspect, grant, block and revoke explicit privileges. To print a list of explicit privileges for a specific user, use the command polkit-auth --explicit-detail --user USER where USER has to be replaced by a valid username. If the --user option is left out, privileges for the user executing the command are shown. See man 1 polkit-auth for more information.
| | Restrictions of polkit-action on openSUSE |
---|---|
Using the option |
Adjusting privileges by modifying configuration files is useful when you want to deploy the same set of policies to different machines, for example to the computers of a specific team. It is possible to change implicit as well as explicit privileges by modifying configuration files.
openSUSE ships with two sets of default authorizations located in /etc/polkit-default-privs.standard and /etc/polkit-default-privs.restrictive. The .standard file defines privileges suitable for most desktop systems. It is active by default. The .restrictive set of privileges is designed for centrally administered machines. Activate it by setting POLKIT_DEFAULT_PRIVS to restrictive in /etc/sysconfig/security and run set_polkit_default_privs as root afterwards. Do not modify these two files.
In order to define your custom set of privileges, use /etc/polkit-default-privs.local. Privileges defined here will always take precedence over the ones defined in the other configuration files. To define a privilege, add a line for each policy with the following format:
    <privilege name> <any session>:<inactive session>:<active session>
For a list of all privilege names available, run the command polkit-action. The following values are valid for the session parameters:
yes
grant privilege
no
block
auth_self
user needs to authenticate with own password every time the privilege is requested
auth_self_keep_session
user needs to authenticate with own password once per session, privilege is granted for the whole session
auth_self_keep_always
user needs to authenticate with own password once, privilege is granted for the current and for future sessions
auth_admin
user needs to authenticate with root password every time the privilege is requested
auth_admin_keep_session
user needs to authenticate with root password once per session, privilege is granted for the whole session
auth_admin_keep_always
user needs to authenticate with root password once, privilege is granted for the current and for future sessions
Run set_polkit_default_privs to activate your settings.
Explicit privileges can be set in /etc/PolicyKit/PolicyKit.conf. This configuration file is written in XML using the PolicyKit DTD. The file that is shipped with openSUSE already contains the necessary headers and the root element <config>. Place your edits inside the <config> tags.
match
Specify an action or a user. match knows two attributes, user and action, but only a single attribute is allowed. Use nested match statements to combine attributes. POSIX Extended Regular Expressions are allowed as attribute values.
user=USER
Specify one or more login names. Separate multiple names by the “|” symbol.
action=policy
Specify a policy by its unique identifier. To get a list of all available policy identifiers use the command polkit-action.
return
Specify the answer PolicyKit will return. Takes a single attribute, result=value with one of the values listed under Section 9.3.3.1, “Modifying Configuration Files for Implicit Privileges”.
define_admin_auth
Specify users or groups allowed to authorize with their own password where normally the root password would be required. Takes the attributes user=USER or group=GROUP, but only one may be used at a time. Multiple attribute values must be separated by “|”; Extended POSIX Regular Expressions are not supported. Applies to all policies when used at the top level, or to specific policies when used within <match> statements.
Example 9.1. An example /etc/PolicyKit/PolicyKit.conf file

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE pkconfig PUBLIC "-//freedesktop//DTD PolicyKit Configuration 1.0//EN"
    "http://hal.freedesktop.org/releases/PolicyKit/1.0/config.dtd">
    <config version="0.1">
      <match action="org.freedesktop.packagekit.system-update">
        <match user="tux">
          <return result="yes"/>
        </match>
      </match>
      <match action="org.freedesktop.policykit.*">
        <match user="tux|wilber">
          <return result="no"/>
        </match>
      </match>
      <define_admin_auth group="administrators"/>
    </config>

The first three lines of the config file are the XML header. These lines are already present in the template file, leave them untouched.
The XML root element must always be present. The attribute
A statement granting the user tux the privilege to update packages via PackageKit without having to authorize.
Withdraw privileges for all PolicyKit related policies from the users tux and wilber.
This statement allows all members of the group
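As an added example (not from the original documentation and not PolicyKit's own code), the following Python script flattens the nested match statements of a PolicyKit.conf into one record per statement, rejects match and define_admin_auth elements that carry more than one attribute, and lists the statements a reviewer should look at first. The function names, the admin_ key prefix and the choice of what counts as needing review are assumptions of this example; it does not reproduce how PolicyKit evaluates the rules.

```python
import xml.etree.ElementTree as ET

def _single_attr(elem, allowed):
    # The page permits exactly one attribute on <match> and <define_admin_auth>.
    if len(elem.attrib) != 1 or next(iter(elem.attrib)) not in allowed:
        raise ValueError(f"<{elem.tag}> needs exactly one of {allowed}: {elem.attrib}")
    return dict(elem.attrib)

def flatten_rules(xml_text):
    """Resolve nested <match> elements into one flat dict per statement."""
    root = ET.fromstring(xml_text.encode("utf-8"))  # the external DTD is not fetched
    if root.tag != "config":
        raise ValueError("root element must be <config>")
    rules = []

    def walk(node, scope):
        for child in node:
            if child.tag == "match":
                walk(child, {**scope, **_single_attr(child, ("user", "action"))})
            elif child.tag == "return":
                rules.append({"kind": "return", **scope, "result": child.get("result")})
            elif child.tag == "define_admin_auth":
                who = _single_attr(child, ("user", "group"))
                rules.append({"kind": "admin_auth", **scope,
                              **{f"admin_{k}": v for k, v in who.items()}})
            else:
                raise ValueError(f"unexpected element <{child.tag}>")

    walk(root, {})
    return rules

def needs_review(rules):
    """Statements that widen access: result="yes" and admin-auth delegation."""
    return [r for r in rules if r["kind"] == "admin_auth" or r.get("result") == "yes"]

# Example 9.1 from this page, reproduced as input.
EXAMPLE_9_1 = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkconfig PUBLIC "-//freedesktop//DTD PolicyKit Configuration 1.0//EN"
"http://hal.freedesktop.org/releases/PolicyKit/1.0/config.dtd">
<config version="0.1">
  <match action="org.freedesktop.packagekit.system-update">
    <match user="tux"><return result="yes"/></match>
  </match>
  <match action="org.freedesktop.policykit.*">
    <match user="tux|wilber"><return result="no"/></match>
  </match>
  <define_admin_auth group="administrators"/>
</config>"""
```

Calling needs_review(flatten_rules(EXAMPLE_9_1)) returns the grant for tux and the top-level define_admin_auth for the administrators group, which carries no action or user scope because it applies to all policies.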
Each application supporting PolicyKit comes with a default set of implicit policies defined by the application's developers, the so-called “upstream defaults”. The privileges defined by the upstream defaults are not necessarily the ones that are activated by default on openSUSE. openSUSE comes with its own predefined set of privileges (see Section 9.3.3.1, “Modifying Configuration Files for Implicit Privileges” for more information) that is activated by default, overriding the upstream defaults.
Since the Authorization tool and the PolicyKit command line utilities always operate on the upstream defaults, openSUSE comes with the command-line tool set_polkit_default_privs that resets privileges to the values defined in /etc/polkit-default-privs.*. However, set_polkit_default_privs will only reset policies that are set to the upstream defaults. To reset all policies to the upstream defaults first and then apply the openSUSE defaults, run the following command:
    rm -f /var/lib/PolicyKit-public/* && set_polkit_default_privs
| | /etc/polkit-default-privs.local |
---|---|
In order to apply the openSUSE defaults, make sure
|