  • #131
Closed
Open
Created Nov 13, 2020 by Hugo@WhyNotHugo

Polkit does not properly acknowledge that I belong to the `wheel` group

Out of the box, when applications require elevated privileges, they ask for a root password (which is often undefined on desktops).

I'd like to change this to ask for my own user password (which does exist). I tried the following rule:

```js
polkit.addRule(function(action, subject) {
   if (subject.isInGroup("wheel")) {
     return polkit.Result.AUTH_SELF;
   }
});
```

However, this seems to break other things on my system. Noticeably, applications that normally run fine (like sway) stop working: it seems it cannot grab the input devices it requires.

It's my impression that my above rule is overriding all actions to ask for a password -- even those that return Result.YES by default.

How can I make polkit ask for my password only for actions that would have been refused, but not affect those that are already allowed?


Update: I also asked about this on #archlinux on freenode. It was pointed out to me that the default behaviour of polkit should be to ask me for my user's password. However, that's not the case:

```
$ pkttyagent -p $(echo $$) | pkexec whoami
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ====
Authentication is needed to run `/usr/bin/whoami' as the super user
Authenticating as: root
Password:
```

I also have no custom rules aside from one I use for testing:

```js
polkit.addRule(function(action, subject) {
    polkit.log("action=" + action);
    polkit.log("subject=" + subject);
});
```

This is what the above rule logs when attempting to run `pkttyagent -p $(echo $$) | pkexec whoami`:

```
Nov 13 13:32:41 victory polkitd[678]: Registered Authentication Agent for unix-process:2961:53452 (system bus name :1.524 [pkttyagent -p 2961], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_GB.UTF-8)
Nov 13 13:32:41 victory polkitd[678]: <no filename>:2: action=[Action id='org.freedesktop.policykit.exec' program='/usr/bin/whoami' user.display='root' command_line='/usr/bin/whoami' user='root' polkit.message='Authentication is needed to run `$(program)' as the super user' polkit.gettext_domain='polkit-1' user.gecos='']
Nov 13 13:32:41 victory polkitd[678]: <no filename>:3: subject=[Subject pid=2961 user='hugo' groups=wheel,lp,video,docker,plugdev seat='seat0' session='1' local=true active=true]
```

Also relevant:

```
# cat /usr/share/polkit-1/rules.d/50-default.rules
polkit.addAdminRule(function(action, subject) {
    return ["unix-group:wheel"];
});
```

```
$ id
uid=1000(hugo) gid=998(wheel) groups=998(wheel),973(plugdev),979(docker),986(video),991(lp)
```

```
$ groups
plugdev docker video lp wheel
```

The docs also seem to indicate that if no root password is set, I should be prompted for my own password. This is also not the case:

```
# grep root /etc/shadow
root:*:14871::::::
```
Edited Nov 13, 2020 by Hugo
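
The override effect raised in the issue, in a simplified model of rule evaluation. This is an added example, not code from the issue or from polkit: the `makeEngine`, `evaluate` and `decisions` helpers, the `org.example.already-allowed` action id and the implicit defaults assigned to each action are assumptions made for illustration.

```javascript
// Simplified model, not polkitd: rules run in order, the first non-null
// result wins, otherwise the action's implicit default (.policy file) applies.
const Result = { YES: "yes", AUTH_SELF: "auth_self", AUTH_ADMIN: "auth_admin" };

function makeEngine() {
  const rules = [];
  const polkit = { Result, addRule: (fn) => rules.push(fn) };
  function evaluate(action, subject, implicitDefault) {
    for (const rule of rules) {
      const r = rule(action, subject);
      if (r !== undefined && r !== null) return r;
    }
    return implicitDefault;
  }
  return { polkit, evaluate };
}

// Constructed subject, modelled on the one in the polkitd log above.
const subject = {
  user: "hugo", groups: ["wheel", "lp", "video", "docker", "plugdev"],
  local: true, active: true,
  isInGroup(g) { return this.groups.includes(g); },
};

// Constructed actions; the implicit defaults are assumed for this example.
const ACTIONS = [
  { id: "org.example.already-allowed", implicit: Result.YES },
  { id: "org.freedesktop.policykit.exec", implicit: Result.AUTH_ADMIN },
];

// The rule from the issue: answers for every action a wheel member requests.
function broadRule(polkit) {
  polkit.addRule(function(action, subject) {
    if (subject.isInGroup("wheel")) return polkit.Result.AUTH_SELF;
  });
}
// Scoped variant: answers only for listed action ids and only for a local,
// active session; returns nothing otherwise so the default still applies.
function scopedRule(polkit) {
  const selfAuth = ["org.freedesktop.policykit.exec"];
  polkit.addRule(function(action, subject) {
    if (selfAuth.indexOf(action.id) >= 0 && subject.isInGroup("wheel") &&
        subject.local && subject.active) return polkit.Result.AUTH_SELF;
  });
}
function decisions(installRule) {
  const { polkit, evaluate } = makeEngine();
  installRule(polkit);
  return Object.fromEntries(ACTIONS.map((a) => [a.id, evaluate({ id: a.id }, subject, a.implicit)]));
}
console.log(decisions(broadRule), decisions(scopedRule));
```

A scoped rule can only target actions by name; it cannot see what the implicit default would have been.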