Skip to content

GitLab

Open
Created by Hugo Osvaldo Barrera@WhyNotHugo

Polkit does not properly acknowledge that I belong to the `wheel` group

Out of the box, when applications require elevated privileges, they ask for a root password (which is often undefined on desktops).

I'd like to change this to ask for my own user password (which does exist). I tried the following rule:

polkit.addRule(function(action, subject) {
   if (subject.isInGroup("wheel")) {
     return polkit.Result.AUTH_SELF;
   }
});

However, this seems to break other things on my system. Noticeably, applications that normally run fine (like sway, stops working: it seems it cannot grab the input devices it requires).

It's my impression that my above rule is overriding all actions to ask for a password -- even those that return Result.YES by default.

How can I make polkit ask for my password only for actions that would have been refused, but not affect those that are already allowed?

Update: I also asked about this on #archlinux on freenode. It was pointed out to me that the default behaviour of polkit should be to ask me for my user's password. However, that's not the case:

$ pkttyagent -p $(echo $$) | pkexec whoami
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ====
Authentication is needed to run `/usr/bin/whoami' as the super user
Authenticating as: root
Password:

I also have no custom rules aside from one I use for testing:

polkit.addRule(function(action, subject) {
    polkit.log("action=" + action);
    polkit.log("subject=" + subject);
});

This is what the above rule logs when attempting to run pkttyagent -p $(echo $$) | pkexec whoami:

Nov 13 13:32:41 victory polkitd[678]: Registered Authentication Agent for unix-process:2961:53452 (system bus name :1.524 [pkttyagent -p 2961], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_GB.UTF-8)
Nov 13 13:32:41 victory polkitd[678]: <no filename>:2: action=[Action id='org.freedesktop.policykit.exec' program='/usr/bin/whoami' user.display='root' command_line='/usr/bin/whoami' user='root' polkit.message='Authentication is needed to run `$(program)' as the super user' polkit.gettext_domain='polkit-1' user.gecos='']
Nov 13 13:32:41 victory polkitd[678]: <no filename>:3: subject=[Subject pid=2961 user='hugo' groups=wheel,lp,video,docker,plugdev seat='seat0' session='1' local=true active=true]

Also relevant:

# cat /usr/share/polkit-1/rules.d/50-default.rules
polkit.addAdminRule(function(action, subject) {
    return ["unix-group:wheel"];
});

$ id
uid=1000(hugo) gid=998(wheel) groups=998(wheel),973(plugdev),979(docker),986(video),991(lp)

$ groups
plugdev docker video lp wheel

The docs also seem to indicate that if not root password is set, I should be prompted for my own password. This is also not the case:

# grep root /etc/shadow
root:*:14871::::::
Edited by Hugo Osvaldo Barrera
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information