<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 9. PolicyKit</title><link rel="stylesheet" href="susebooks.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="Documentation"><link rel="up" href="part.local_security.html" title="Part II. Local Security"><link rel="prev" href="cha.security.yast_security.html" title="Chapter 8. Configuring Security Settings with YaST"><link rel="next" href="cha.security.acls.html" title="Chapter 10. Access Control Lists in Linux"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="chapter" title="Chapter 9. PolicyKit"><div class="titlepage"><div><div><h2 class="title"><a name="cha.security.policykit"></a>Chapter 9. PolicyKit<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#cha.security.policykit">¶</a></span></h2></div></div></div><div class="toc"><p><b>Contents</b></p><dl><dt><span class="sect1"><a href="cha.security.policykit.html#sec.security.policykit.authorizations">9.1. Available Policies and Supported Applications</a></span></dt><dt><span class="sect1"><a href="cha.security.policykit.html#sec.security.policykit.types">9.2. 
Authorization Types</a></span></dt><dt><span class="sect1"><a href="cha.security.policykit.html#sec.security.policykit.change">9.3. Modifying and Setting Privileges</a></span></dt><dt><span class="sect1"><a href="cha.security.policykit.html#id583618">9.4. For more information</a></span></dt></dl></div><div class="abstract" title="Abstract"><p class="title"><b>Abstract</b></p><p>
PolicyKit is an application framework that acts as a negotiator between the
unprivileged user session and the privileged system context. Whenever a
process from the user session tries to carry out an action in the system
context, PolicyKit is queried. Based on its configuration—specified in a
so-called <span class="quote">“<span class="quote">policy</span>”</span>—the answer could be
<span class="quote">“<span class="quote">yes</span>”</span>, <span class="quote">“<span class="quote">no</span>”</span>, or <span class="quote">“<span class="quote">authentication
needed</span>”</span>. Unlike classical privilege authorization programs such as
sudo, PolicyKit does not grant <code class="systemitem">root</code> permissions to an entire process,
following the <span class="quote">“<span class="quote">least privilege</span>”</span> concept.
</p></div><div class="note"><table border="0" cellpadding="3" cellspacing="0" width="100%" summary="Note: Two PolicyKit Versions in Parallel"><tr class="head"><td width="32"><img alt="[Note]" src="admon/note.png"></td><th align="left">Two <code class="systemitem">PolicyKit</code> Versions in Parallel</th></tr><tr><td colspan="2" align="left" valign="top"><p>
At the moment, there are two PolicyKit versions available with openSUSE
in parallel: the <span class="quote">“<span class="quote">old</span>”</span> <code class="systemitem">PolicyKit</code>
and the <span class="quote">“<span class="quote">new</span>”</span> <code class="systemitem">polkit</code> version
(polkit-1), which is a re-write of the old
<code class="systemitem">PolicyKit</code> version. The following sections
mainly document the <span class="quote">“<span class="quote">old</span>”</span>
<code class="systemitem">PolicyKit</code> version.
</p></td></tr></table></div><div class="sect1" title="9.1. Available Policies and Supported Applications"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.security.policykit.authorizations"></a>9.1. Available Policies and Supported Applications<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.security.policykit.authorizations">¶</a></span></h2></div></div></div><p>
At the moment, not all applications requiring privileges make use of
PolicyKit. The most important policies available on
openSUSE® are listed below.
</p><div class="variablelist"><dl><dt><span class="term">PulseAudio</span></dt><dd><table border="0" summary="Simple list" class="simplelist"><tr><td>Set scheduling priorities for the PulseAudio daemon</td></tr></table></dd><dt><span class="term">smpppd</span></dt><dd><table border="0" summary="Simple list" class="simplelist"><tr><td>Controlling dial-up connections</td></tr></table></dd><dt><span class="term">CUPS</span></dt><dd><table border="0" summary="Simple list" class="simplelist"><tr><td>Add, remove, edit, enable or disable printers</td></tr></table></dd><dt><span class="term">Backup Manager</span></dt><dd><table border="0" summary="Simple list" class="simplelist"><tr><td>Modify schedule</td></tr></table></dd><dt><span class="term">GNOME</span></dt><dd><table border="0" summary="Simple list" class="simplelist"><tr><td>Modify system and mandatory values with GConf</td></tr><tr><td>Change the system time</td></tr></table></dd><dt><span class="term">libvirt</span></dt><dd><table border="0" summary="Simple list" class="simplelist"><tr><td>Manage and modify local virtualized systems</td></tr></table></dd><dt><span class="term">NetworkManager</span></dt><dd><table border="0" summary="Simple list" class="simplelist"><tr><td>Apply and modify connections</td></tr></table></dd><dt><span class="term">PolicyKit</span></dt><dd><table border="0" summary="Simple list" class="simplelist"><tr><td>Read and change privileges for other users</td></tr><tr><td>Modify defaults</td></tr></table></dd><dt><span class="term">PackageKit</span></dt><dd><table border="0" summary="Simple list" class="simplelist"><tr><td>Update and remove packages</td></tr><tr><td>Refresh repositories</td></tr></table></dd><dt><span class="term">System</span></dt><dd><table border="0" summary="Simple list" class="simplelist"><tr><td>Wake on LAN</td></tr><tr><td>Mount or unmount fixed, hotpluggable and encrypted
devices</td></tr><tr><td>Eject and decrypt removable media</td></tr><tr><td>Enable or disable WLAN</td></tr><tr><td>Enable or disable Bluetooth</td></tr><tr><td>Device access</td></tr><tr><td>Stop, suspend, hibernate and restart the system</td></tr><tr><td>Undock a docking station</td></tr></table></dd><dt><span class="term">YaST</span></dt><dd><table border="0" summary="Simple list" class="simplelist"><tr><td>Register product</td></tr><tr><td>Change the system time and language</td></tr></table></dd></dl></div></div><div class="sect1" title="9.2. Authorization Types"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.security.policykit.types"></a>9.2. Authorization Types<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.security.policykit.types">¶</a></span></h2></div></div></div><p>
Every time a PolicyKit-enabled process carries out a privileged operation,
PolicyKit is asked whether this process is entitled to do so. The answer PolicyKit
gives depends on the policy defined for this process. It can be
<span class="quote">“<span class="quote">yes</span>”</span>, <span class="quote">“<span class="quote">no</span>”</span>, or <span class="quote">“<span class="quote">authentication
needed</span>”</span>. By default, a policy contains <span class="quote">“<span class="quote">implicit</span>”</span>
privileges, which automatically apply to all users. It is also possible
to specify <span class="quote">“<span class="quote">explicit</span>”</span> privileges which apply to a specific
user.
</p><div class="sect2" title="9.2.1. Implicit Privileges"><div class="titlepage"><div><div><h3 class="title"><a name="sec.security.policykit.policies.implicit"></a>9.2.1. Implicit Privileges<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.security.policykit.policies.implicit">¶</a></span></h3></div></div></div><p>
Implicit privileges can be defined for any, active, and inactive
sessions. An active session is the one in which you are currently
working. It becomes inactive when you switch to another console, for
example. When implicit privileges are set to <span class="quote">“<span class="quote">no</span>”</span>, no user
is authorized, whereas <span class="quote">“<span class="quote">yes</span>”</span> authorizes all users. However,
in most cases it is useful to demand authentication.
</p><p>
A user can either authorize by authenticating as <code class="systemitem">root</code> or by
authenticating as self. Both authentication methods exist in four
variants:
</p><div class="variablelist"><dl><dt><span class="term">Authentication</span></dt><dd><p>
The user always has to authenticate.
</p></dd><dt><span class="term">One Shot Authentication</span></dt><dd><p>
The authentication is bound to the instance of the program currently
running. Once the program is restarted, the user is required to
authenticate again.
</p></dd><dt><span class="term">Keep Session Authentication</span></dt><dd><p>
The authentication dialog box offers a check button <span class="guimenu">Remember
authorization for this session</span>. If checked, the
authentication is valid until the user logs out.
</p></dd><dt><span class="term">Keep Indefinitely Authentication</span></dt><dd><p>
The authentication dialog box offers a check button <span class="guimenu">Remember
authorization</span>. If checked, the user has to authenticate
only once.
</p></dd></dl></div></div><div class="sect2" title="9.2.2. Explicit Privileges"><div class="titlepage"><div><div><h3 class="title"><a name="sec.security.policykit.policies.explicit"></a>9.2.2. Explicit Privileges<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.security.policykit.policies.explicit">¶</a></span></h3></div></div></div><p>
Explicit privileges can be granted to specific users. They can either be
granted without limitations, or, when using constraints, limited to an
active session and/or a local console.
</p><p>
Privileges can not only be granted to a user; a user can also
be blocked. Blocked users cannot carry out an action
requiring authorization, even if the default implicit policy allows
authorization by authentication.
</p></div></div><div class="sect1" title="9.3. Modifying and Setting Privileges"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.security.policykit.change"></a>9.3. Modifying and Setting Privileges<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.security.policykit.change">¶</a></span></h2></div></div></div><p>
To modify implicit privileges or to set explicit ones, you can either use
the graphical <span class="guimenu">System Policies</span> tool available in the
Advanced tab of the KDE System Settings, use the command line tools
shipped with PolicyKit, or modify the configuration files. While the GUI and
the command line tools are a good solution for making temporary changes,
editing the configuration files should be the preferred way to make
permanent changes.
</p><div class="note"><table border="0" cellpadding="3" cellspacing="0" width="100%" summary="Note: The graphical GNOME Authorizations tool"><tr class="head"><td width="32"><img alt="[Note]" src="admon/note.png"></td><th align="left">The graphical GNOME <span class="guimenu">Authorizations</span> tool</th></tr><tr><td colspan="2" align="left" valign="top"><p>
The graphical <span class="guimenu">Authorizations</span> tool available with
GNOME is for the old PolicyKit. Use the tools mentioned above instead.
</p></td></tr></table></div><div class="sect2" title="9.3.1. Using the Command Line Tools"><div class="titlepage"><div><div><h3 class="title"><a name="sec.security.policykit.change.cmd_tools"></a>9.3.1. Using the Command Line Tools<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.security.policykit.change.cmd_tools">¶</a></span></h3></div></div></div><p>
At the moment, there are two PolicyKit versions available in parallel with
openSUSE: the <span class="quote">“<span class="quote">old</span>”</span> <code class="systemitem">PolicyKit</code>
and the <span class="quote">“<span class="quote">new</span>”</span> <code class="systemitem">polkit</code> version
(polkit-1), which is a re-write of the old
<code class="systemitem">PolicyKit</code> version.
</p><div class="sect3" title="9.3.1.1. PolicyKit"><div class="titlepage"><div><div><h4 class="title"><a name="sec.security.policykit.change.cmd_tools.old"></a>9.3.1.1. <code class="systemitem">PolicyKit</code><span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.security.policykit.change.cmd_tools.old">¶</a></span></h4></div></div></div><p>
PolicyKit (<code class="systemitem">PolicyKit</code>) comes with two command line
tools for changing implicit privileges and for assigning explicit
privileges. Each existing policy has a descriptive, unique name by
which it is identified and which is used with the command line
tools. List all available policies with the command
<span class="command"><strong>polkit-action</strong></span>.
</p><div class="variablelist"><dl><dt><span class="term"><span class="command"><strong>polkit-action</strong></span>
</span></dt><dd><p>
List and modify implicit privileges. Using this command you can also
reset all policies to the default value. When invoked with no
parameters, the command <span class="command"><strong>polkit-action</strong></span> shows a
list of all policies. See <span class="command"><strong>man 1 polkit-action</strong></span> for
more information.
</p></dd><dt><span class="term"><span class="command"><strong>polkit-auth</strong></span>
</span></dt><dd><p>
Inspect, grant, block and revoke explicit privileges. To print a
list of explicit privileges for a specific user, use the command
<span class="command"><strong>polkit-auth --explicit-detail --user
<em class="replaceable"><code>USER</code></em></strong></span> where
<em class="replaceable"><code>USER</code></em> has to be replaced by a valid
username. If the <code class="option">--user</code> option is left out,
privileges for the user executing the command are shown. See
<span class="command"><strong>man 1 polkit-auth</strong></span> for more information.
</p></dd></dl></div><div class="note"><table border="0" cellpadding="3" cellspacing="0" width="100%" summary="Note: Restrictions of polkit-action on "><tr class="head"><td width="32"><img alt="[Note]" src="admon/note.png"></td><th align="left">Restrictions of <span class="command"><strong>polkit-action</strong></span> on openSUSE</th></tr><tr><td colspan="2" align="left" valign="top"><p>
Using the option <code class="option">--show-overrides</code>,
<span class="command"><strong>polkit-action</strong></span> lists all policies that differ from
the default values. With <code class="option">--reset-defaults
<em class="replaceable"><code>action</code></em></code> one can reset the
privileges for a given action to the defaults. However,
<span class="command"><strong>polkit-action</strong></span> always operates on the upstream
defaults, so it is not possible to list or restore the defaults
shipped with openSUSE. Refer to
<a class="xref" href="cha.security.policykit.html#sec.security.policykit.change.defaults" title="9.3.3. Restoring the Default Privileges">Section 9.3.3, “Restoring the Default Privileges”</a> for
further information.
</p></td></tr></table></div><p>
<a class="xref" href="cha.security.policykit.html#sec.security.policykit.change.modify_config" title="9.3.2. Modifying Configuration Files">Section 9.3.2, “Modifying Configuration Files”</a> and
<a class="xref" href="cha.security.policykit.html#sec.security.policykit.change.defaults" title="9.3.3. Restoring the Default Privileges">Section 9.3.3, “Restoring the Default Privileges”</a> apply to the
<span class="quote">“<span class="quote">old</span>”</span> <code class="systemitem">PolicyKit</code> only.
</p></div><div class="sect3" title="9.3.1.2. polkit"><div class="titlepage"><div><div><h4 class="title"><a name="sec.security.policykit.change.cmd_tools.polkit"></a>9.3.1.2. <code class="systemitem">polkit</code><span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.security.policykit.change.cmd_tools.polkit">¶</a></span></h4></div></div></div><p>
For more information about <code class="systemitem">polkit</code>, see
<a class="ulink" href="http://hal.freedesktop.org/docs/polkit/" target="_top">http://hal.freedesktop.org/docs/polkit/</a>.
</p></div></div><div class="sect2" title="9.3.2. Modifying Configuration Files"><div class="titlepage"><div><div><h3 class="title"><a name="sec.security.policykit.change.modify_config"></a>9.3.2. Modifying Configuration Files<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.security.policykit.change.modify_config">¶</a></span></h3></div></div></div><p>
Adjusting privileges by modifying configuration files is useful when you
want to deploy the same set of policies to different machines, for
example to the computers of a specific team. It is possible to change
implicit as well as explicit privileges by modifying configuration
files.
</p><div class="sect3" title="9.3.2.1. Modifying Configuration Files for Implicit Privileges"><div class="titlepage"><div><div><h4 class="title"><a name="sec.security.policykit.change.modify_config.implicit"></a>9.3.2.1. Modifying Configuration Files for Implicit Privileges<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.security.policykit.change.modify_config.implicit">¶</a></span></h4></div></div></div><p>
openSUSE ships with two sets of default authorizations located in
<code class="filename">/etc/polkit-default-privs.standard</code> and
<code class="filename">/etc/polkit-default-privs.restrictive</code>. The
<code class="filename">.standard</code> file defines privileges suitable for
most desktop systems.<span> It is active by
default.</span> The <code class="filename">.restrictive</code> set of
privileges is designed for centrally administered machines.
Activate
it by setting <code class="literal">POLKIT_DEFAULT_PRIVS</code> to
<code class="literal">restrictive</code> in
<code class="filename">/etc/sysconfig/security</code> and then running
<span class="command"><strong>set_polkit_default_privs</strong></span> as <code class="systemitem">root</code>.
Do not modify these two files.
</p><p>
In order to define your custom set of privileges, use
<code class="filename">/etc/polkit-default-privs.local</code>. Privileges
defined here will always take precedence over the ones defined in the
other configuration files. To define a privilege, add a line for each
policy with the following format:
</p><pre class="screen"><em class="replaceable"><code>privilege_name</code></em> <em class="replaceable"><code>any_session</code></em>:<em class="replaceable"><code>inactive_session</code></em>:<em class="replaceable"><code>active_session</code></em></pre><p>
For a list of all privilege names available, run the command
<span class="command"><strong>polkit-action</strong></span>. The following values are valid for
the session parameters:
</p><div class="variablelist"><dl><dt><span class="term"><code class="literal">yes</code>
</span></dt><dd><p>
grant privilege
</p></dd><dt><span class="term"><code class="literal">no</code>
</span></dt><dd><p>
block
</p></dd><dt><span class="term"><code class="literal">auth_self</code>
</span></dt><dd><p>
user needs to authenticate with own password every time the
privilege is requested
</p></dd><dt><span class="term"><code class="literal">auth_self_keep_session</code>
</span></dt><dd><p>
user needs to authenticate with own password once per session,
privilege is granted for the whole session
</p></dd><dt><span class="term"><code class="literal">auth_self_keep_always</code>
</span></dt><dd><p>
user needs to authenticate with own password once, privilege is
granted for the current and for future sessions
</p></dd><dt><span class="term"><code class="literal">auth_admin</code>
</span></dt><dd><p>
user needs to authenticate with <code class="systemitem">root</code> password every time the
privilege is requested
</p></dd><dt><span class="term"><code class="literal">auth_admin_keep_session</code>
</span></dt><dd><p>
user needs to authenticate with <code class="systemitem">root</code> password once per
session, privilege is granted for the whole session
</p></dd><dt><span class="term"><code class="literal">auth_admin_keep_always</code>
</span></dt><dd><p>
user needs to authenticate with <code class="systemitem">root</code> password once, privilege
is granted for the current and for future sessions
</p></dd></dl></div><p>
Run <span class="command"><strong>set_polkit_default_privs</strong></span> to activate your
settings.
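</p><p>
The line format and value list above can be checked mechanically before the settings are activated. The following linter is an added example, not part of the openSUSE documentation or tooling. It assumes that <code class="literal">#</code> starts a comment, uses constructed <code class="literal">org.example.*</code> privilege names in its sample, and its two review flags (a <code class="literal">yes</code> outside the active session, any <code class="literal">_keep_always</code> value) are heuristics of this example.
</p>

```python
# Lint a polkit-default-privs.local style file against the documented format:
#   privilege_name any_session:inactive_session:active_session
VALID_VALUES = {
    "yes", "no",
    "auth_self", "auth_self_keep_session", "auth_self_keep_always",
    "auth_admin", "auth_admin_keep_session", "auth_admin_keep_always",
}
SESSION_COLUMNS = ("any_session", "inactive_session", "active_session")

# Constructed sample input; only the packagekit name appears on the page,
# the org.example.* names are placeholders.
SAMPLE_LOCAL = """\
# local overrides for the team desktops
org.freedesktop.packagekit.system-update auth_admin:auth_admin:auth_self_keep_session
org.example.storage.mount yes:yes:yes
org.example.network.modify no:no:auth_admin_keep_always
org.example.clock.set-time auth_admin:auth_self
org.example.printer.add no:no:maybe
org.freedesktop.packagekit.system-update no:no:auth_admin
"""


def lint_local(text):
    """Return (entries, findings).

    entries maps privilege name -> {column: value} for well-formed lines.
    findings is a list of (line_number, code, detail) tuples.
    """
    entries, findings = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # assumption: '#' starts a comment
        if not line:
            continue
        fields = line.split()
        values = fields[1].split(":") if len(fields) == 2 else []
        if len(values) != 3:
            # The documented format has exactly three session values.
            findings.append((lineno, "bad-format", line))
            continue
        name = fields[0]
        unknown = [v for v in values if v not in VALID_VALUES]
        if unknown:
            findings.append((lineno, "bad-value", ",".join(unknown)))
            continue
        if name in entries:
            # The page does not say which line wins, so leave it to a human.
            findings.append((lineno, "duplicate", name))
        entries[name] = dict(zip(SESSION_COLUMNS, values))
        for column, value in zip(SESSION_COLUMNS, values):
            if value == "yes" and column != "active_session":
                # Granted without authentication even outside the active session.
                findings.append((lineno, "yes-outside-active-session",
                                 f"{name} {column}"))
            if value.endswith("_keep_always"):
                # One authentication carries over to all future sessions.
                findings.append((lineno, "keep-always", f"{name} {column}"))
    return entries, findings


if __name__ == "__main__":
    parsed, problems = lint_local(SAMPLE_LOCAL)
    for lineno, code, detail in problems:
        print(f"line {lineno}: {code}: {detail}")
    print(f"{len(parsed)} privileges parsed")
```

<p>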
</p></div><div class="sect3" title="9.3.2.2. Modifying Configuration Files for Explicit Privileges"><div class="titlepage"><div><div><h4 class="title"><a name="sec.security.policykit.change.modify_config.explicit"></a>9.3.2.2. Modifying Configuration Files for Explicit Privileges<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.security.policykit.change.modify_config.explicit">¶</a></span></h4></div></div></div><p>
Explicit privileges can be set in
<code class="filename">/etc/PolicyKit/PolicyKit.conf</code>. This configuration
file is written in XML using the PolicyKit DTD. The file that is shipped
with openSUSE already contains the necessary headers and the root
element <code class="literal">&lt;config&gt;</code>. Place your edits inside the
<code class="literal">&lt;config&gt;</code> tags.
</p><div class="variablelist"><dl><dt><span class="term"><code class="literal">match</code>
</span></dt><dd><p>
Specify an action or a user. <code class="literal">match</code> supports two
attributes, <code class="literal">user</code> and <code class="literal">action</code>,
but only a single attribute is allowed per statement. Use nested
<code class="literal">match</code> statements to combine attributes. POSIX
Extended Regular Expressions are allowed as attribute values.
</p><div class="variablelist"><dl><dt><span class="term"><code class="literal">user=<em class="replaceable"><code>USER</code></em></code>
</span></dt><dd><p>
Specify one or more login names. Separate multiple names with the
<span class="quote">“<span class="quote">|</span>”</span> symbol.
</p></dd><dt><span class="term"><code class="literal">action=<em class="replaceable"><code>policy</code></em></code>
</span></dt><dd><p>
Specify a policy by its unique identifier. To get a list of all
available policy identifiers, use the command
<span class="command"><strong>polkit-action</strong></span>.
</p></dd></dl></div></dd><dt><span class="term"><code class="literal">return</code>
</span></dt><dd><p>
Specify the answer PolicyKit will return. Takes a single attribute,
<code class="literal">result=<em class="replaceable"><code>value</code></em></code> with one
of the values listed under
<a class="xref" href="cha.security.policykit.html#sec.security.policykit.change.modify_config.implicit" title="9.3.2.1. Modifying Configuration Files for Implicit Privileges">Section 9.3.2.1, “Modifying Configuration Files for Implicit Privileges”</a>.
</p></dd><dt><span class="term"><code class="literal">define_admin_auth</code>
</span></dt><dd><p>
Specify users or groups allowed to authorize with their own password
where normally the <code class="systemitem">root</code> password would be required. Takes the
attributes <code class="literal">user=<em class="replaceable"><code>USER</code></em></code>
or <code class="literal">group=<em class="replaceable"><code>GROUP</code></em></code>, but
only one may be used at a time. Multiple attribute values must be
separated by <span class="quote">“<span class="quote">|</span>”</span>. Extended POSIX Regular Expressions
are not supported. Applies to all policies when used at the top
level, or to specific policies when used within
<code class="literal">&lt;match&gt;</code> statements.
</p></dd></dl></div><div class="example"><a name="ex.policykit.change.modify_config.explicit"></a><p class="title"><b>Example 9.1. An example <code class="filename">/etc/PolicyKit/PolicyKit.conf</code> file</b><span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#ex.policykit.change.modify_config.explicit">¶</a></span></p><div class="example-contents"><pre class="screen">&lt;?xml version="1.0" encoding="UTF-8"?&gt;
&lt;!DOCTYPE pkconfig PUBLIC "-//freedesktop//DTD PolicyKit Configuration 1.0//EN"
"http://hal.freedesktop.org/releases/PolicyKit/1.0/config.dtd"&gt;<a name="polkit_conf.header"></a><img src="callouts/1.png" alt="1" border="0">
&lt;config version="0.1"&gt;<a name="polkit_conf.config"></a><img src="callouts/2.png" alt="2" border="0">
  &lt;match action="org.freedesktop.packagekit.system-update"&gt;<a name="polkit_conf.ex1"></a><img src="callouts/3.png" alt="3" border="0">
    &lt;match user="tux"&gt;
      &lt;return result="yes"/&gt;
    &lt;/match&gt;
  &lt;/match&gt;
  &lt;match action="org.freedesktop.policykit.*"&gt;<a name="polkit_conf.ex2"></a><img src="callouts/4.png" alt="4" border="0">
    &lt;match user="tux|wilber"&gt;
      &lt;return result="no"/&gt;
    &lt;/match&gt;
  &lt;/match&gt;
  &lt;define_admin_auth group="administrators"/&gt;<a name="polkit_conf.admin_auth_group"></a><img src="callouts/5.png" alt="5" border="0">
&lt;/config&gt;</pre><div class="calloutlist"><table border="0" summary="Callout list"><tr><td width="5%" valign="top" align="left"><p><a href="#polkit_conf.header"><img src="callouts/1.png" alt="1" border="0"></a> </p></td><td valign="top" align="left"><p>
The first three lines of the config file are the XML header. These
lines are already present in the template file. Leave them
untouched.
</p></td></tr><tr><td width="5%" valign="top" align="left"><p><a href="#polkit_conf.config"><img src="callouts/2.png" alt="2" border="0"></a> </p></td><td valign="top" align="left"><p>
The XML root element must always be present. The attribute
<code class="literal">version</code> is mandatory; currently the only valid
value is <code class="literal">0.1</code>. The element is already present in the template
file.
</p></td></tr><tr><td width="5%" valign="top" align="left"><p><a href="#polkit_conf.ex1"><img src="callouts/3.png" alt="3" border="0"></a> </p></td><td valign="top" align="left"><p>
A statement granting the user tux the privilege to update
packages via PackageKit without having to authenticate.
</p></td></tr><tr><td width="5%" valign="top" align="left"><p><a href="#polkit_conf.ex2"><img src="callouts/4.png" alt="4" border="0"></a> </p></td><td valign="top" align="left"><p>
Withdraws privileges for all PolicyKit-related policies from the users
tux and wilber.
</p></td></tr><tr><td width="5%" valign="top" align="left"><p><a href="#polkit_conf.admin_auth_group"><img src="callouts/5.png" alt="5" border="0"></a> </p></td><td valign="top" align="left"><p>
This statement allows all members of the group
<code class="systemitem">administrators</code> to authenticate with their
own password whenever authentication with the <code class="systemitem">root</code> password
would be required. Since this statement is not nested within
constraining match statements, it applies to all policies.
</p></td></tr></table></div></div></div><br class="example-break"></div></div><div class="sect2" title="9.3.3. Restoring the Default Privileges"><div class="titlepage"><div><div><h3 class="title"><a name="sec.security.policykit.change.defaults"></a>9.3.3. Restoring the Default Privileges<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.security.policykit.change.defaults">¶</a></span></h3></div></div></div><p>
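For reviewing a file such as Example 9.1 in Section 9.3.2.2, the following auditor flattens nested <code class="literal">match</code> statements into one rule per <code class="literal">return</code> and reports what deserves a second look. It is an added example, not part of the openSUSE documentation or of PolicyKit; it checks only what that section states and does not model how PolicyKit resolves overlapping rules. The user <code class="literal">geeko</code> and the two faulty statements in the sample are constructed.
</p>

```python
import xml.etree.ElementTree as ET

VALID_RESULTS = {
    "yes", "no",
    "auth_self", "auth_self_keep_session", "auth_self_keep_always",
    "auth_admin", "auth_admin_keep_session", "auth_admin_keep_always",
}

# Constructed sample: Example 9.1 plus two deliberately faulty statements.
SAMPLE_CONF = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkconfig PUBLIC "-//freedesktop//DTD PolicyKit Configuration 1.0//EN"
"http://hal.freedesktop.org/releases/PolicyKit/1.0/config.dtd">
<config version="0.1">
  <match action="org.freedesktop.packagekit.system-update">
    <match user="tux">
      <return result="yes"/>
    </match>
  </match>
  <match action="org.freedesktop.policykit.*">
    <match user="tux|wilber">
      <return result="no"/>
    </match>
  </match>
  <match user="geeko" action="org.freedesktop.packagekit.system-update">
    <return result="no"/>
  </match>
  <match user="geeko">
    <return result="auth_self_keep_forever"/>
  </match>
  <define_admin_auth group="administrators"/>
</config>
"""


def audit_conf(xml_bytes):
    """Return (rules, findings) for a PolicyKit.conf document.

    rules: (action_patterns, user_patterns, result) per valid <return>;
           an empty tuple means "not constrained on this attribute".
    findings: (code, detail) tuples for a reviewer.
    """
    root = ET.fromstring(xml_bytes)
    rules, findings = [], []
    if root.tag != "config" or root.get("version") != "0.1":
        findings.append(("bad-root", 'expected <config version="0.1">'))

    def walk(node, actions, users):
        for child in node:
            attrs = sorted(child.attrib)
            if child.tag == "match":
                # Only a single attribute is allowed; nesting combines them.
                if attrs == ["action"]:
                    walk(child, actions + (child.get("action"),), users)
                elif attrs == ["user"]:
                    walk(child, actions, users + (child.get("user"),))
                else:
                    findings.append(("bad-match", f"attributes {attrs}"))
            elif child.tag == "return":
                result = child.get("result")
                if result not in VALID_RESULTS:
                    findings.append(("bad-result", str(result)))
                    continue
                rules.append((actions, users, result))
                if result == "yes":
                    who = " & ".join(users) or "every user"
                    what = " & ".join(actions) or "every action"
                    findings.append(("grant-without-auth", f"{who} on {what}"))
            elif child.tag == "define_admin_auth":
                if attrs not in (["group"], ["user"]):
                    findings.append(("bad-admin-auth", f"attributes {attrs}"))
                elif not actions and not users:
                    # Top level: own password replaces root's for all policies.
                    findings.append(("global-admin-auth",
                                     f"{attrs[0]}={child.get(attrs[0])}"))

    walk(root, (), ())
    return rules, findings


if __name__ == "__main__":
    found_rules, problems = audit_conf(SAMPLE_CONF)
    for rule in found_rules:
        print("rule:", rule)
    for code, detail in problems:
        print(f"{code}: {detail}")
```

<p>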
Each application supporting PolicyKit comes with a default set of implicit
policies defined by the application's developers, the so-called
<span class="quote">“<span class="quote">upstream defaults</span>”</span>. The privileges defined by the upstream
defaults are not necessarily the ones that are activated by default on
openSUSE. openSUSE comes with a predefined set of privileges
(see
<a class="xref" href="cha.security.policykit.html#sec.security.policykit.change.modify_config.implicit" title="9.3.2.1. Modifying Configuration Files for Implicit Privileges">Section 9.3.2.1, “Modifying Configuration Files for Implicit Privileges”</a>
for more information) that is activated by default, overriding the
upstream defaults.
</p><p>
Since the Authorization tool and the PolicyKit command line utilities always
operate on the upstream defaults, openSUSE comes with the
command-line tool <span class="command"><strong>set_polkit_default_privs</strong></span> that
resets privileges to the values defined in
<code class="filename">/etc/polkit-default-privs.*</code>. However,
<span class="command"><strong>set_polkit_default_privs</strong></span> will only reset policies
that are set to the upstream defaults. To reset all policies to the
upstream defaults first and then apply the openSUSE defaults, run
the following command:
</p><pre class="screen">rm -f /var/lib/PolicyKit-public/* && set_polkit_default_privs</pre><div class="important"><table border="0" cellpadding="3" cellspacing="0" width="100%" summary="Important: /etc/polkit-default-privs.local"><tr class="head"><td width="32"><img alt="[Important]" src="admon/important.png"></td><th align="left"><code class="filename">/etc/polkit-default-privs.local</code></th></tr><tr><td colspan="2" align="left" valign="top"><p>
In order to apply the openSUSE defaults, make sure
<code class="filename">/etc/polkit-default-privs.local</code> does not contain
any overrides; otherwise, these will be applied on top of the defaults
when running <span class="command"><strong>set_polkit_default_privs</strong></span>.
</p></td></tr></table></div></div></div><div class="sect1" title="9.4. For more information"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id583618"></a>9.4. For more information<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#id583618">¶</a></span></h2></div></div></div><table border="0" summary="Simple list" class="simplelist"><tr><td><code class="systemitem">PolicyKit</code>: <a class="ulink" href="http://hal.freedesktop.org/docs/PolicyKit/" target="_top">http://hal.freedesktop.org/docs/PolicyKit/</a>
</td></tr><tr><td><code class="systemitem">polkit</code>: <a class="ulink" href="http://hal.freedesktop.org/docs/polkit/" target="_top">http://hal.freedesktop.org/docs/polkit/</a>
</td></tr></table></div></div></body></html>