Which default is polkit currently using?

Trying to see if polkit is running and which set of privileges it is applying. So first, I tried:

u@localhost:~> systemctl status polkit
● polkit.service - Authorization Manager
     Loaded: loaded (/usr/lib/systemd/system/polkit.service; static)
     Active: active (running) since Sun 2023-09-03 14:15:20 PST; 1h 30min ago
       Docs: man:polkit(8)
   Main PID: 1154 (polkitd)
      Tasks: 6 (limit: 4915)
     CGroup: /system.slice/polkit.service
             └─ 1154 /usr/lib/polkit-1/polkitd --no-debug

That part is good. Now the next thing to know is which set of default privileges it is using. According to the documentation, I should check here:

u@localhost:~> cat /etc/sysconfig/security | grep -i polkit
## Description: Configuration of default Polkit privileges
## Config:      set_polkit_default_privs
# set_polkit_default_privs can check Polkit default privileges.
CHECK_POLKIT_PRIVS=""
## Config:      set_polkit_default_privs
# especially on desktop systems, so custom tuning of polkit rules might become
POLKIT_DEFAULT_PRIVS=""

The last part is blank (I was kind of expecting it to have a value in it). So I checked other locations mentioned in the documentation to see if any policies/rules are being applied:

u@localhost:~> sudo cat /etc/polkit-1/rules.d/50-default.rules
[sudo] password for root: 
/* -*- mode: js; js-indent-level: 4; indent-tabs-mode: nil -*- */

// DO NOT EDIT THIS FILE, it will be overwritten on update
//
// Default rules for polkit
//
// See the polkit(8) man page for more information
// about configuring polkit.

polkit.addAdminRule(function(action, subject) {
    return ["unix-user:0"];
});
u@localhost:~> sudo cat /etc/polkit-1/rules.d/90-default-privs.rules
/*******************************************\
*              DO NOT EDIT                  *
* This file was automatically generated.    *
* To add custom rules edit                  *
*    /etc/polkit-default-privs.local        *
* instead.                                  *
* Also see 'man set_polkit_default_privs'   *
\*******************************************/

polkit.addRule(function(action, subject) {
	// set to true for debugging
	var debug = false;
        rules = { 
		'com.deepin.api.device.unblock-bluetooth-devices':
			[ 'no', 'no', 'auth_admin_keep' ],

<REDACTED FOR BREVITY>

		'org.xfce.mousepad':
			[ 'no', 'auth_admin', 'auth_admin' ],
		'org.xfce.power.backlight-helper':
			[ 'no', 'no', 'yes' ],
		'scap-workbench-oscap.run':
			[ 'auth_admin_keep', 'auth_admin_keep', 'auth_admin_keep' ],
        };
        var i = 0;
        if (subject.local) {
                if (subject.active) {
                        i = 2;
                } else {
                        i = 1;
                }
        }
	if (debug)
		polkit.log("subject=" + subject);

        if (rules[action.id]) {
		if (debug)
			polkit.log(action.id + " => " + rules[action.id][i]);
                return rules[action.id][i];
        } else {
		if (debug)
			polkit.log(action.id + " => no override found");
	}
});

// vim: syntax=javascript

So it looks like something is configured. To be sure, I tried this but got surprised with the result:

u@localhost:~> pkaction -v --action-id=org.xfce.mousepad
No action with action id org.xfce.mousepad

I find that strange. Can someone help confirm if polkit is configured and/or functioning properly?

For me on Tumbleweed:

> sudo systemctl status polkit
[sudo] password for root: 
● polkit.service - Authorization Manager
     Loaded: loaded (/usr/lib/systemd/system/polkit.service; static)
     Active: active (running) since Sun 2023-09-03 07:32:34 CEST; 3h 28min ago
       Docs: man:polkit(8)
   Main PID: 1079 (polkitd)
      Tasks: 4 (limit: 4915)
        CPU: 196ms
     CGroup: /system.slice/polkit.service
             └─1079 /usr/libexec/polkit-1/polkitd --no-debug

systemd[1]: Starting Authorization Manager...
polkitd[1079]: Started polkitd version 121
polkitd[1079]: Loading rules from directory /etc/polkit-1/rules.d
polkitd[1079]: Loading rules from directory /usr/share/polkit-1/rules.d
polkitd[1079]: Finished loading, compiling and executing 4 rules
polkitd[1079]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
systemd[1]: Started Authorization Manager.
polkitd[1079]: Registered Authentication Agent for unix-session:1 (system bus name :1.28 [/usr/libexec/polkit-kde-authentication-agent-1], object path /org/kde/PolicyKit1/Authentic>

> sudo ls -l /etc/polkit-1/rules.d /usr/share/polkit-1/rules.d
/etc/polkit-1/rules.d:
total 52
-rw-r--r-- 1 root root 50729 Jun 10 21:52 90-default-privs.rules

/usr/share/polkit-1/rules.d:
total 12
-rw-r----- 1 root polkitd 321 Aug 12 18:40 50-default.rules
-rw-r--r-- 1 root root    290 Aug 12 23:24 50-org.freedesktop.GeoClue2.rules
-rw-r--r-- 1 root root    965 Aug 12 23:39 60-org.freedesktop.Flatpak.rules

So 4 files, 4 rules? Looking in the files, that could well be true. The rules I see do not really make sense to me.

On the gitlab polkit page I read:

polkit is a toolkit for defining and handling authorizations. It is used for allowing unprivileged processes to speak to privileged processes.

Well, that is not something I need. I do not have processes that I want to get access to privileged processes; for what I need, sudo is enough for now.

So /etc/sysconfig/security says POLKIT_DEFAULT_PRIVS="" and I see two (2) custom authorization rules in /etc/polkit-1/rules.d.

But if I do pkaction -v --action-id=org.xfce.mousepad (which appears to be configured in one of the authorization rules in polkit-1/rules.d), it returns “No action” for that action ID.

The polkit service is active as per systemctl, but how come pkaction appears to say otherwise? Is there a misconfiguration going on here which I need to address?

Authorization rules define defaults for an action. They do not create the action itself. Creating an authorization rule on my system that allows user markLopez9 to do everything does not magically create user markLopez9.
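
The distinction in the last reply, as an added example that is not part of the thread: this script lists the action IDs a rules table overrides, prints the [not local, local inactive, local active] triple for one ID (the index order used by the rule function quoted above), and reports which table keys have no registered action. The function names, the sample table and the list of registered actions are constructed for illustration; on a live system the registered list would come from `pkaction` run with no arguments.

```shell
#!/bin/sh
# Added example (not from the thread): which IDs in a polkit rules table are
# actually registered actions, and what defaults the table sets for one ID.

# Keys of the rules table: lines of the form  'action.id':
rule_action_ids() {
    sed -n "s/^[[:space:]]*'\([^']*\)':[[:space:]]*$/\1/p" "$1" | sort -u
}

# The three defaults the table holds for action ID $2, in table order.
rule_defaults() {
    awk -v key="'$2':" '$1 == key { getline; print; exit }' "$1" |
        sed "s/[][',]//g" | xargs
}

# Table keys with no registered action. $2 is a file of registered IDs, one
# per line, e.g. produced on a live system with:  pkaction > registered.txt
unregistered_rule_ids() {
    rule_action_ids "$1" | grep -Fxv -f "$2" || true
}

# Constructed sample input: table entries copied from the excerpt in the
# thread, and a made-up list of registered actions.
SAMPLE_DIR=$(mktemp -d)
RULES="$SAMPLE_DIR/90-default-privs.rules"
REGISTERED="$SAMPLE_DIR/registered.txt"
cat > "$RULES" <<'EOF'
        rules = {
                'org.xfce.mousepad':
                        [ 'no', 'auth_admin', 'auth_admin' ],
                'org.xfce.power.backlight-helper':
                        [ 'no', 'no', 'yes' ],
                'scap-workbench-oscap.run':
                        [ 'auth_admin_keep', 'auth_admin_keep', 'auth_admin_keep' ],
        };
EOF
printf '%s\n' org.freedesktop.policykit.exec org.xfce.power.backlight-helper \
    > "$REGISTERED"

echo "defaults for org.xfce.mousepad: $(rule_defaults "$RULES" org.xfce.mousepad)"
echo "table keys without a registered action:"
unregistered_rule_ids "$RULES" "$REGISTERED"
```

A key reported as unregistered means no installed package declares that action in a .policy file, which is the situation in which pkaction answers "No action with action id".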