Commit 785a63bc authored by David Zeuthen

fix up permissions / docs for certain helpers and files/directories

Also document in README why the various permissions/modes are
used. Thanks to Michael Biebl <> for pointing this
parent 15ae6e6a
PolicyKit is a framework for defining policy for system-wide components and
for desktop pieces to configure it. It is used by HAL.
PolicyKit is an authorization framework. It is typically used by
privileged user space daemons to control access.
See also the file HACKING for notes of interest to developers working
See also the file HACKING for notes of interest to developers working
on PolicyKit.
See for lots of documentation,
See for lots of documentation,
mailing lists, etc.
Rationale for permissions/modes for the default backend
0770 root:polkituser /var/run/PolicyKit
0770 root:polkituser /var/lib/PolicyKit
We store authorizations for each user here. Since we don't want users
to know what authorizations other users has, no one can read these
files. However, when checking authorizations we need to be able to
read from here; we use this helper
2755 root:polkituser /usr/libexec/polkit-read-auth-helper
which can read from here since it's setgid 'polkituser'. This helper
will refuse to return authorizations for other users than the calling
user except if the calling user is authorized for
We also want to be able to grant authorizations through authentication.
That happens with this helper
2755 root:polkituser /usr/libexec/polkit-grant-helper
This program is setgid 'polkituser' so it can write files in
/var/{run,lib}/PolicyKit. Note that these files are created with mode
To do the actual authentication check when granting authorizations
through authentication, polkit-grant-helper uses another helper
4754 root:polkituser /usr/libexec/polkit-grant-helper-pam
This one is setuid root because checking authentications might need
require that (you may be checking the root password). The reason
polkit-grant-helper-pam is is owned by group 'polkituser' is to ensure
that random users can't execute it; only setgid 'polkituser' programs
can do this. Which polkit-grant-helper is.
On to
2755 root:polkituser /libexec/polkit-revoke-helper
This one is used to revoke authorizations. It will only allow uid 0 and
users with the authorization to do so. It needs to be
setgid polkituser to be able to modify authorization files
in /var/{run,lib}/PolicyKit.
2755 root:polkituser /usr/libexec/polkit-explicit-grant-helper
Same story as for polkit-revoke-helper only this grants authorizations.
Only allowed for uid 0 and users with the authorization.
On to
0755 polkituser:root /var/lib/PolicyKit-public
This is where we store modifications to the defaults. Anyone should be
able to read these files. They are created with mode 644. These files
are written / modified by this helper
4755 polkituser:root /usr/libexec/polkit-set-default-helper
which is setuid polkituser to be able to write/modify files.
On to
4755 root:root /usr/libexec/polkit-resolve-exe-helper
This is used to find the executable name for a process. On Linux this is
the /proc/<pid>/exe symlink and you can only do this for processes you
own. This helper finds the executable name for processes not owned by
you but only if you have the authorization. This is
important to let e.g. user 'haldaemon' check authorizations for a user
requesting service.
0664 polkituser:polkituser /var/lib/misc/PolicyKit.reload
This file is used by libpolkit to detect when something has changed
(authorizations granted/revoked, defaults changed etc.). It is
writable by both user 'polkituser' and group 'polkituser' because we
have helpers running with both euid 'polkituser' and egid 'polkituser'
that wants to trigger a reload.
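Review bot: the protection of polkit-grant-helper-pam (mode 4754 root:polkituser, lines "4754 root:polkituser /usr/libexec/polkit-grant-helper-pam" through "Which polkit-grant-helper is.") rests entirely on group ownership, and the rationale overstates it: a 4754 binary is executable by any process whose effective or supplementary groups include 'polkituser', not only by the setgid helpers, so the README should state explicitly that no interactive user or unrelated daemon may be a member of group 'polkituser', since any such member could run the setuid-root PAM helper directly. The same caveat applies to the 0770 root:polkituser directories, where "no one can read these files" really means "no one outside group polkituser". The path for the revoke helper is given as "/libexec/polkit-revoke-helper" while every other helper is listed under /usr/libexec; make it consistent. Wording: "other users has" should be "other users have", "might need require that" should be "might require that", and "is is owned" should be "is owned".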
dnl Process this file with autoconf to produce a configure script.
AC_INIT(PolicyKit, 0.8,
AM_INIT_AUTOMAKE(PolicyKit, 0.8)
AC_INIT(PolicyKit, 0.9,
AM_INIT_AUTOMAKE(PolicyKit, 0.9)
......@@ -644,11 +644,11 @@ if test "${POLKIT_AUTHDB}" = default ; then
echo "NOTE: The directories ${localstatedir}/run/PolicyKit and ${localstatedir}/lib/PolicyKit will be"
echo " owned by group ${POLKIT_GROUP} and will be mode 770."
echo "NOTE: The directory ${localstatedir}/run/PolicyKit-public will be"
echo "NOTE: The directory ${localstatedir}/lib/PolicyKit-public will be"
echo " owned by user ${POLKIT_USER} and will be mode 755."
echo "NOTE: The file ${localstatedir}/lib/misc/PolicyKit.reload will be"
echo " owned by user ${POLKIT_USER} and group ${POLKIT_GROUP} and will be mode 775."
echo " owned by user ${POLKIT_USER} and group ${POLKIT_GROUP} and will be mode 664."
echo "NOTE: ${libexecdir}/polkit-set-default-helper will be owned by"
echo " user ${POLKIT_USER} and installed with mode 4755 (setuid binary)."
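Review bot: these NOTE lines duplicate the mode/ownership table that the README now carries, and this hunk shows the copies had already drifted (run/PolicyKit-public vs lib/PolicyKit-public, mode 775 vs 664 for PolicyKit.reload); rather than fixing them one at a time, either point packagers at the README section by name here or derive both from a single list so a future mode change cannot leave configure printing stale advice. Note also that the message for ${localstatedir}/lib/PolicyKit-public names only the owning user, while the README gives polkituser:root; for a packager told to "retain the modes and ownership" the group matters too.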
......@@ -667,11 +667,13 @@ if test "${POLKIT_AUTHDB}" = default ; then
echo "NOTE: ${libexecdir}/polkit-grant-helper-pam will be owned by group"
echo " ${POLKIT_GROUP} and installed with mode 4754 (setuid root binary)."
echo "NOTE: ${libexecdir}/polkit-resolve-exe-helper will be installed with"
echo " mode 4755 (setuid root binary)."
echo "NOTE: For packaging, remember to retain the modes and ownership."
echo "See the README file for the rationale for these modes/permissions."
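Review bot: the new NOTE for polkit-resolve-exe-helper states only "mode 4755 (setuid root binary)" and never says who owns it, while the README's table gives root:root; since the very next line tells packagers to retain ownership, spell out the user and group here as the polkit-grant-helper-pam line above does, e.g. "will be owned by root:root and installed with mode 4755 (setuid root binary)". The same applies to the polkit-grant-helper-pam line, which names the group but leaves the root owner implicit even though that is the half that makes it setuid root.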
......@@ -143,7 +143,7 @@ install-data-local:
mkdir -p $(DESTDIR)$(localstatedir)/lib/misc
touch $(DESTDIR)$(localstatedir)/lib/misc/PolicyKit.reload
-chown $(POLKIT_USER):$(POLKIT_GROUP) $(DESTDIR)$(localstatedir)/lib/misc/PolicyKit.reload
-chmod 775 $(DESTDIR)$(localstatedir)/lib/misc/PolicyKit.reload
-chmod 664 $(DESTDIR)$(localstatedir)/lib/misc/PolicyKit.reload
mkdir -p $(DESTDIR)$(localstatedir)/lib/PolicyKit-public
mkdir -p $(DESTDIR)$(localstatedir)/lib/PolicyKit
mkdir -p $(DESTDIR)$(localstatedir)/run/PolicyKit
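Review bot: the leading "-" on the chown and chmod lines tells make to ignore failures, so a non-root "make install" (or one where ${POLKIT_USER}/${POLKIT_GROUP} do not exist yet) silently leaves PolicyKit.reload owned by the installing user, and the mode 664 that this hunk introduces then has the opposite effect from the README's intent: the helpers running as user or group 'polkituser' cannot write the file at all and reloads are never triggered. Either drop the "-" so the failure is visible, or print a warning on failure pointing at the NOTE text in configure. Separately, the three mkdir -p lines that follow create lib/PolicyKit-public, lib/PolicyKit and run/PolicyKit with the installer's umask; the corresponding chown/chmod to 755 polkituser:root and 770 root:polkituser are not visible in this hunk, so confirm they exist below and are not also prefixed with "-".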