Polkit does not properly acknowledge that I belong to the `wheel` group
Out of the box, when applications require elevated privileges, they ask for a root password (which is often undefined on desktops).
I'd like to change this to ask for my own user password (which does exist). I tried the following rule:
```
polkit.addRule(function(action, subject) {
    if (subject.isInGroup("wheel")) {
        return polkit.Result.AUTH_SELF;
    }
});
```
However, this seems to break other things on my system. Noticeably, applications that normally run fine stop working (like `sway`: it seems it cannot grab the input devices it requires).
It's my impression that my above rule is overriding all actions to ask for a password -- even those that return `Result.YES` by default.
How can I make polkit ask for my password only for actions that would have been refused, but not affect those that are already allowed?
Update: I also asked about this on #archlinux on freenode. It was pointed out to me that the default behaviour of polkit should be to ask me for my user's password. However, that's not the case:
```
$ pkttyagent -p $(echo $$) | pkexec whoami
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ====
Authentication is needed to run `/usr/bin/whoami' as the super user
Authenticating as: root
Password:
```
I also have no custom rules aside from one I use for testing:
```
polkit.addRule(function(action, subject) {
    polkit.log("action=" + action);
    polkit.log("subject=" + subject);
});
```
This is what the above rule logs when attempting to run `pkttyagent -p $(echo $$) | pkexec whoami`:
```
Nov 13 13:32:41 victory polkitd[678]: Registered Authentication Agent for unix-process:2961:53452 (system bus name :1.524 [pkttyagent -p 2961], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_GB.UTF-8)
Nov 13 13:32:41 victory polkitd[678]: <no filename>:2: action=[Action id='org.freedesktop.policykit.exec' program='/usr/bin/whoami' user.display='root' command_line='/usr/bin/whoami' user='root' polkit.message='Authentication is needed to run `$(program)' as the super user' polkit.gettext_domain='polkit-1' user.gecos='']
Nov 13 13:32:41 victory polkitd[678]: <no filename>:3: subject=[Subject pid=2961 user='hugo' groups=wheel,lp,video,docker,plugdev seat='seat0' session='1' local=true active=true]
```
Also relevant:
```
# cat /usr/share/polkit-1/rules.d/50-default.rules
polkit.addAdminRule(function(action, subject) {
    return ["unix-group:wheel"];
});
$ id
uid=1000(hugo) gid=998(wheel) groups=998(wheel),973(plugdev),979(docker),986(video),991(lp)
$ groups
plugdev docker video lp wheel
```
The docs also seem to indicate that if no root password is set, I should be prompted for my own password. This is also not the case:
```
# grep root /etc/shadow
root:*:14871::::::
```
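The effect described in the question, modelled as an added example (not part of the original post and not polkit's own code): a rule that returns a result for every action pre-empts each action's implicit default, while a rule keyed on `action.id` stays silent for everything else. The evaluator, the defaults table and the `org.example.seat.take-device` action id are constructed for illustration.

```javascript
// Simplified model of polkit rule evaluation (constructed, not polkit source).
// Rule functions are tried in order; the first one that returns a value
// decides. If none does, the action's implicit default applies.
const Result = { YES: "yes", AUTH_SELF: "auth_self", AUTH_ADMIN: "auth_admin" };

// Constructed implicit defaults for an active local session.
// "org.example.seat.take-device" is a hypothetical stand-in for an action
// that is normally allowed without any prompt.
const implicitDefaults = {
  "org.freedesktop.policykit.exec": Result.AUTH_ADMIN,
  "org.example.seat.take-device": Result.YES,
};

function evaluate(rules, actionId, subject) {
  for (const rule of rules) {
    const result = rule({ id: actionId }, subject);
    if (result !== undefined && result !== null) return result;
  }
  return implicitDefaults[actionId];
}

// Minimal subject with the isInGroup() helper used by the rules.
function makeSubject(user, groups) {
  return { user, groups, isInGroup(g) { return this.groups.includes(g); } };
}

// Rule from the question: answers for every action a wheel member triggers,
// so actions that defaulted to YES now demand a password too.
const broadRule = (action, subject) => {
  if (subject.isInGroup("wheel")) return Result.AUTH_SELF;
};

// Scoped rule: answers only for pkexec; returning nothing for other
// actions leaves their defaults in force.
const scopedRule = (action, subject) => {
  if (action.id === "org.freedesktop.policykit.exec" &&
      subject.isInGroup("wheel")) {
    return Result.AUTH_SELF;
  }
};

const hugo = makeSubject("hugo", ["wheel", "lp", "video", "docker", "plugdev"]);
console.log(evaluate([broadRule], "org.example.seat.take-device", hugo));
console.log(evaluate([scopedRule], "org.example.seat.take-device", hugo));
```

Note that `AUTH_SELF` on `org.freedesktop.policykit.exec` lets any `wheel` member become root with their own password, so the group's membership becomes the trust boundary.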