Hello everybody. I’m trying to make polkit ask for the user password if the user is part of a group (like what sudo does with wheel when configured to do so).
The /etc/polkit-1/localauthority hierarchy is intended for local configuration and the /var/lib/polkit-1/localauthority is intended for 3rd party packages.
But I can’t seem to find any of those on my system. Should I just create the folders and put the file?
It is outdated, upstream polkit (and versions included in openSUSE Leap/Tumbleweed) switched to using JavaScript rules instead.
This is specific to the old versions of polkit which Ubuntu/Debian are still using because they do not want to introduce a dependency on JavaScript (I think Debian unstable has an updated polkit version).
There is a full example of a rule to do exactly that in the polkit man page. Did you try to start with what is available on your system instead of searching for archaic information on the Internet?
No, that is not what sudo does. sudo does not ask for a user password “if user is part of a group”. sudo either always asks for the target user password or it always asks for the invoking user password. It is a global and not a per-user setting.
No, it must not be the last. Quite the contrary - the first rule file that returns a decision wins. So if you want to be sure your rule always applies, better make it as early as possible.
“The addAdminRule() method is used for adding a function that may be called whenever administrator authentication is required. The function is used to specify what identities may be used for administrator authentication for the authorization check identified by action and subject. Functions added are called in the order they have been added until one of the functions returns a value.”
"Authorization rules that overrule the default settings are laid out in a set of directories as described above. For all purposes relating to personal configuration of a single system, only /etc/polkit-1/rules.d should be used.
The addRule() method is used for adding a function that may be called whenever an authorization check for action and subject is performed. Functions are called in the order they have been added until one of the functions returns a value. Hence, to add an authorization rule that is processed before other rules, put it in a file in /etc/polkit-1/rules.d with a name that sorts before other rules files, for example 00-early-checks.rules."
erlangen:~ # cat /etc/polkit-1/rules.d/00-dup.rules
// Allow karl to manage dup.service;
// fall back to implicit authorization otherwise.
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.systemd1.manage-units" &&
        action.lookup("unit") == "dup.service" &&
        subject.user == "karl") {
        return polkit.Result.YES;
    }
});
erlangen:~ #
Yeah… I maybe explained myself wrongly there. I didn’t want to override the rules that the distro already put there, and it worked too as there is no addAdminRule specified in the default files (AFAIK).
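The ordering discussed in this thread, as an added example that is not part of any post and is not polkit's own code: a small JavaScript stand-in for the rule engine loads three constructed rule files in name order and returns the first value a function gives. `makePolkit`, `check`, `admins`, `loadRules`, `makeAction` and the files `10-wheel-admin.rules` and `50-default.rules` (with their contents) are assumptions made for illustration; only `00-dup.rules` comes from the thread.

```javascript
// Stand-in for polkitd's rule engine (assumption, for illustration only):
// functions run in the order added; the first one returning a value decides.
// check() and admins() are hypothetical helpers, not polkit API.
function makePolkit() {
  const rules = [], adminRules = [];
  const first = (fns, action, subject) => {
    for (const fn of fns) {
      const r = fn(action, subject);
      if (r !== undefined && r !== null) return r;
    }
    return null; // no rule decided: the action's implicit defaults apply
  };
  return {
    Result: { NO: "no", YES: "yes", AUTH_SELF: "auth_self", AUTH_ADMIN: "auth_admin" },
    addRule: (fn) => { rules.push(fn); },
    addAdminRule: (fn) => { adminRules.push(fn); },
    check: (action, subject) => first(rules, action, subject),
    admins: (action, subject) => first(adminRules, action, subject),
  };
}

// Constructed rules.d contents, keyed by file name.
const ruleFiles = {
  "50-default.rules": (polkit) => {            // hypothetical packaged default
    polkit.addAdminRule(() => ["unix-user:root"]);
  },
  "10-wheel-admin.rules": (polkit) => {        // hypothetical local file
    polkit.addAdminRule((action, subject) => ["unix-group:wheel"]);
  },
  "00-dup.rules": (polkit) => {                // the rule shown in the thread
    polkit.addRule((action, subject) => {
      if (action.id == "org.freedesktop.systemd1.manage-units" &&
          action.lookup("unit") == "dup.service" &&
          subject.user == "karl") {
        return polkit.Result.YES;
      }
    });
  },
};

// Load files in name order, as the quoted documentation describes.
function loadRules(files) {
  const polkit = makePolkit();
  for (const name of Object.keys(files).sort()) files[name](polkit);
  return polkit;
}

const makeAction = (id, details = {}) => ({ id, lookup: (key) => details[key] });
```

In this simulation, renaming the constructed `10-wheel-admin.rules` so that it sorts after `50-default.rules` makes `admins()` return the packaged default instead of the wheel group.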