Make polkit ask for user password instead of admin

Hello everybody. I’m trying to make polkit ask for the user password if the user is part of a group (like what sudo does with wheel when configured to do so).

I got to this page, which tells me:

The /etc/polkit-1/localauthority hierarchy is intended for local configuration and the /var/lib/polkit-1/localauthority is intended for 3rd party packages.

but I can’t seem to find any of those on my system. Should I just create the folders and put the file?

I also read this question on SO: sudo - How to let Polkit request root password instead users password - Ask Ubuntu, but I guess that file is specific to the Ubuntu distro.

Any help? Thank you and let me know if you need more info on my configuration.

  • openSUSE Tumbleweed version 20230429
  • polkit version 121-4.2

You wrote, I go to (hyperlink)this(hyperlink) page

You hyperlinked to a documentation page that contains this path

… /polkit/docs/0.105/pkloc…

polkit-0.105.tar.gz 2012-04-24 16:47

Navigate to more current documentation :slightly_smiling_face:

1 Like

It is outdated, upstream polkit (and versions included in openSUSE Leap/Tumbleweed) switched to using JavaScript rules instead.

This is specific to the old versions of polkit which Ubuntu/Debian are still using because they do not want to introduce a dependency on JavaScript (I think Debian unstable has an updated polkit version).

There is a full example of a rule to do exactly that in the polkit man page. Did you try to start with what is available on your system instead of searching for archaic information on the Internet?

man 8 polkit

and search for “wheel”.

https://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html

No, that is not what sudo does. sudo does not ask for a user password “if user is part of a group”. sudo either always asks for the target user password or it always asks for the invoking user password. It is a global and not a per-user setting.

Thank you everybody! I tried searching for a bit in the manual but could not find the requested info!

Yeah, I meant the invoking user password if that user is part of a specified group (wheel for example).

Either way, thank you and I’ll let you know if I can make that work! :laughing:

Ok so for anyone reading this thread in the future, the steps are:

  • Create a file in /etc/polkit-1/rules.d, for example 100-user-admin.rules (it must be the last in lexicographic order)
  • Add this code (taken from the documentation) and adjust it to your liking
    polkit.addAdminRule(function(action, subject) {
        return ["unix-group:wheel"];
    });
    
  • Enjoy!

You can even use unix-user:username instead of unix-group:....

1 Like

No, it must not be the last. Quite the contrary - the first rule file that returns a decision wins. So if you want to be sure your rule always applies, better make it as early as possible.

2 Likes

https://wiki.archlinux.org/title/Polkit#Administrator_identities

“The addAdminRule() method is used for adding a function that may be called whenever administrator authentication is required. The function is used to specify what identities may be used for administrator authentication for the authorization check identified by action and subject. Functions added are called in the order they have been added until one of the functions returns a value.”

"Authorization rules that overrule the default settings are laid out in a set of directories as described above. For all purposes relating to personal configuration of a single system, only /etc/polkit-1/rules.d should be used.

The addRule() method is used for adding a function that may be called whenever an authorization check for action and subject is performed. Functions are called in the order they have been added until one of the functions returns a value. Hence, to add an authorization rule that is processed before other rules, put it in a file in /etc/polkit-1/rules.d with a name that sorts before other rules files, for example 00-early-checks.rules."

erlangen:~ # cat /etc/polkit-1/rules.d/00-dup.rules 
// Allow karl to  manage dup.service; 
// fall back to implicit authorization otherwise. 
polkit.addRule(function(action, subject) { 
    if (action.id == "org.freedesktop.systemd1.manage-units" && 
        action.lookup("unit") == "dup.service" && 
        subject.user == "karl") { 
        return polkit.Result.YES; 
    } 
});
erlangen:~ # 
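
The ordering discussed in this thread, modelled as an added example (not code from polkit or from any poster): rules files are sorted by basename, and the first admin rule that returns a value decides whose password is accepted. The helper names `loadOrder`, `buildAuthority` and `resolveWith` are hypothetical, and the contents given to `50-default.rules` are a constructed assumption, not what any distribution ships.

```javascript
// Model of polkitd's rules loading and admin-identity lookup (added example).
// File contents below are constructed samples, not a real system's rules.

// Files are sorted by basename in byte order; on equal names /etc comes first.
function loadOrder(paths) {
  const base = (p) => p.slice(p.lastIndexOf("/") + 1);
  return [...paths].sort((a, b) => {
    if (base(a) !== base(b)) return base(a) < base(b) ? -1 : 1;
    return a < b ? -1 : a > b ? 1 : 0; // "/etc/..." sorts before "/usr/..."
  });
}

// Run every file against a stub `polkit` object in load order, then return
// a function that resolves the admin identities for an authorization check.
function buildAuthority(files) {
  const adminRules = [];
  const polkit = { addAdminRule: (fn) => adminRules.push(fn) };
  for (const path of loadOrder(Object.keys(files))) files[path](polkit);
  return function adminIdentities(action, subject) {
    for (const rule of adminRules) {
      const ids = rule(action, subject);
      if (ids) return ids; // the first rule that returns a value wins
    }
    return ["unix-user:0"]; // no rule answered: root is the fallback
  };
}

// Assumption: a packaged file that also registers an admin rule.
const packagedDefault = (polkit) => polkit.addAdminRule(() => ["unix-user:0"]);
// The local rule from the thread.
const wheelRule = (polkit) => polkit.addAdminRule(() => ["unix-group:wheel"]);

// Resolve admin identities when the local file is given a particular name.
function resolveWith(localName) {
  const files = {
    "/usr/share/polkit-1/rules.d/50-default.rules": packagedDefault,
    ["/etc/polkit-1/rules.d/" + localName]: wheelRule,
  };
  return buildAuthority(files)("org.example.action", { user: "karl" });
}

// "100-..." sorts BEFORE "50-..." because "1" < "5" as characters.
console.log(resolveWith("100-user-admin.rules")); // [ 'unix-group:wheel' ]
// "99-..." sorts after "50-...", so the packaged rule answers first.
console.log(resolveWith("99-user-admin.rules")); // [ 'unix-user:0' ]
```

When reviewing a system, sort the basenames from both rules.d directories together to see which admin rule is reached first, since a numeric prefix is compared as text, not as a number.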

Yeah… I maybe explained myself wrongly there. I didn’t want to override the rules that the distro already put there, and it worked too as there is no addAdminRule specified in the default files (AFAIK).

Thank you again for your help!

1 Like