RFE: pk-list-auths: PoC tool to list authorizations and their status for current or specified PID
I would like to present a PoC tool which lists the available authorizations and their status for the current PID (for instance the PID of the shell the command was run from) or a specified PID of another process.
Example output for current PID (logged in as regular user, running from a terminal):
$ pk-list-auths
Available polkit actions for process 14015 (bash):
Authorized:
org.a11y.brlapi.write-display
org.freedesktop.Flatpak.app-install
org.freedesktop.Flatpak.app-uninstall
org.freedesktop.Flatpak.app-update
org.freedesktop.Flatpak.appstream-update
org.freedesktop.Flatpak.metadata-update
org.freedesktop.Flatpak.modify-repo
org.freedesktop.Flatpak.runtime-install
org.freedesktop.Flatpak.runtime-uninstall
org.freedesktop.Flatpak.runtime-update
org.freedesktop.Flatpak.update-remote
org.freedesktop.NetworkManager.enable-disable-connectivity-check
org.freedesktop.NetworkManager.enable-disable-network
org.freedesktop.NetworkManager.enable-disable-statistics
org.freedesktop.NetworkManager.enable-disable-wifi
org.freedesktop.NetworkManager.enable-disable-wimax
org.freedesktop.NetworkManager.enable-disable-wwan
org.freedesktop.NetworkManager.network-control
org.freedesktop.NetworkManager.settings.modify.own
org.freedesktop.NetworkManager.settings.modify.system
org.freedesktop.NetworkManager.wifi.scan
org.freedesktop.NetworkManager.wifi.share.open
org.freedesktop.NetworkManager.wifi.share.protected
org.freedesktop.consolekit.system.hibernate
org.freedesktop.consolekit.system.hybridsleep
org.freedesktop.consolekit.system.restart
org.freedesktop.consolekit.system.stop
org.freedesktop.consolekit.system.suspend
org.freedesktop.udisks2.ata-check-power
org.freedesktop.udisks2.ata-smart-update
org.freedesktop.udisks2.ata-standby
org.freedesktop.udisks2.cancel-job
org.freedesktop.udisks2.eject-media
org.freedesktop.udisks2.encrypted-change-passphrase
org.freedesktop.udisks2.encrypted-unlock
org.freedesktop.udisks2.filesystem-mount
org.freedesktop.udisks2.loop-setup
org.freedesktop.udisks2.modify-device
org.freedesktop.udisks2.power-off-drive
org.freedesktop.udisks2.rescan
org.libvirt.api.connect.getattr
org.libvirt.api.connect.read
org.libvirt.api.connect.search-domains
org.libvirt.api.connect.search-interfaces
org.libvirt.api.connect.search-networks
org.libvirt.api.connect.search-node-devices
org.libvirt.api.connect.search-nwfilter-bindings
org.libvirt.api.connect.search-nwfilters
org.libvirt.api.connect.search-secrets
org.libvirt.api.connect.search-storage-pools
org.libvirt.api.domain.getattr
org.libvirt.api.domain.read
org.libvirt.api.interface.getattr
org.libvirt.api.interface.read
org.libvirt.api.network.getattr
org.libvirt.api.network.read
org.libvirt.api.node-device.getattr
org.libvirt.api.nwfilter-binding.getattr
org.libvirt.api.nwfilter-binding.read
org.libvirt.api.nwfilter.getattr
org.libvirt.api.nwfilter.read
org.libvirt.api.secret.getattr
org.libvirt.api.secret.read
org.libvirt.api.storage-pool.getattr
org.libvirt.api.storage-pool.read
org.libvirt.api.storage-vol.getattr
org.libvirt.api.storage-vol.read
org.libvirt.unix.monitor
org.spice-space.lowlevelusbaccess
org.x.xf86-video-intel.backlight-helper
Not authorized:
org.freedesktop.NetworkManager.sleep-wake
org.libvirt.api.connect.detect-storage-pools
org.libvirt.api.connect.interface-transaction
org.libvirt.api.connect.pm-control
org.libvirt.api.connect.write
org.libvirt.api.domain.block-read
org.libvirt.api.domain.block-write
org.libvirt.api.domain.core-dump
org.libvirt.api.domain.delete
org.libvirt.api.domain.fs-freeze
org.libvirt.api.domain.fs-trim
org.libvirt.api.domain.hibernate
org.libvirt.api.domain.init-control
org.libvirt.api.domain.inject-nmi
org.libvirt.api.domain.mem-read
org.libvirt.api.domain.migrate
org.libvirt.api.domain.open-device
org.libvirt.api.domain.open-graphics
org.libvirt.api.domain.open-namespace
org.libvirt.api.domain.pm-control
org.libvirt.api.domain.read-secure
org.libvirt.api.domain.reset
org.libvirt.api.domain.save
org.libvirt.api.domain.screenshot
org.libvirt.api.domain.send-input
org.libvirt.api.domain.send-signal
org.libvirt.api.domain.set-password
org.libvirt.api.domain.set-time
org.libvirt.api.domain.snapshot
org.libvirt.api.domain.start
org.libvirt.api.domain.stop
org.libvirt.api.domain.suspend
org.libvirt.api.domain.write
org.libvirt.api.interface.delete
org.libvirt.api.interface.save
org.libvirt.api.interface.start
org.libvirt.api.interface.stop
org.libvirt.api.interface.write
org.libvirt.api.network.delete
org.libvirt.api.network.save
org.libvirt.api.network.start
org.libvirt.api.network.stop
org.libvirt.api.network.write
org.libvirt.api.node-device.detach
org.libvirt.api.node-device.read
org.libvirt.api.node-device.start
org.libvirt.api.node-device.stop
org.libvirt.api.node-device.write
org.libvirt.api.nwfilter-binding.create
org.libvirt.api.nwfilter-binding.delete
org.libvirt.api.nwfilter.delete
org.libvirt.api.nwfilter.save
org.libvirt.api.nwfilter.write
org.libvirt.api.secret.delete
org.libvirt.api.secret.read-secure
org.libvirt.api.secret.save
org.libvirt.api.secret.write
org.libvirt.api.storage-pool.delete
org.libvirt.api.storage-pool.format
org.libvirt.api.storage-pool.refresh
org.libvirt.api.storage-pool.save
org.libvirt.api.storage-pool.search-storage-vols
org.libvirt.api.storage-pool.start
org.libvirt.api.storage-pool.stop
org.libvirt.api.storage-pool.write
org.libvirt.api.storage-vol.create
org.libvirt.api.storage-vol.data-read
org.libvirt.api.storage-vol.data-write
org.libvirt.api.storage-vol.delete
org.libvirt.api.storage-vol.format
org.libvirt.api.storage-vol.resize
Authentication required:
com.mesonbuild.install.run (polkit.retains_authorization_after_challenge=1)
com.ubuntu.pkexec.gufw
net.connman.modify (polkit.retains_authorization_after_challenge=1)
net.connman.secret (polkit.retains_authorization_after_challenge=1)
org.dpkg.pkexec.update-alternatives (polkit.retains_authorization_after_challenge=1)
org.freedesktop.Flatpak.configure (polkit.retains_authorization_after_challenge=1)
org.freedesktop.Flatpak.configure-remote (polkit.retains_authorization_after_challenge=1)
org.freedesktop.Flatpak.install-bundle (polkit.retains_authorization_after_challenge=1)
org.freedesktop.NetworkManager.checkpoint-rollback (polkit.retains_authorization_after_challenge=1)
org.freedesktop.NetworkManager.reload (polkit.retains_authorization_after_challenge=1)
org.freedesktop.NetworkManager.settings.modify.global-dns (polkit.retains_authorization_after_challenge=1)
org.freedesktop.NetworkManager.settings.modify.hostname (polkit.retains_authorization_after_challenge=1)
org.freedesktop.consolekit.system.hibernate-multiple-users (polkit.retains_authorization_after_challenge=1)
org.freedesktop.consolekit.system.hybridsleep-multiple-users (polkit.retains_authorization_after_challenge=1)
org.freedesktop.consolekit.system.restart-multiple-users (polkit.retains_authorization_after_challenge=1)
org.freedesktop.consolekit.system.stop-multiple-users (polkit.retains_authorization_after_challenge=1)
org.freedesktop.consolekit.system.suspend-multiple-users (polkit.retains_authorization_after_challenge=1)
org.freedesktop.policykit.example.pkexec.run-frobnicate (polkit.retains_authorization_after_challenge=1)
org.freedesktop.policykit.exec
org.freedesktop.udisks2.ata-secure-erase (polkit.retains_authorization_after_challenge=1)
org.freedesktop.udisks2.ata-smart-enable-disable (polkit.retains_authorization_after_challenge=1)
org.freedesktop.udisks2.ata-smart-selftest (polkit.retains_authorization_after_challenge=1)
org.freedesktop.udisks2.ata-smart-simulate (polkit.retains_authorization_after_challenge=1)
org.freedesktop.udisks2.ata-standby-other-seat (polkit.retains_authorization_after_challenge=1)
org.freedesktop.udisks2.ata-standby-system (polkit.retains_authorization_after_challenge=1)
org.freedesktop.udisks2.btrfs.manage-btrfs (polkit.retains_authorization_after_challenge=1)
org.freedesktop.udisks2.cancel-job-other-user (polkit.retains_authorization_after_challenge=1)
org.freedesktop.udisks2.eject-media-other-seat (polkit.retains_authorization_after_challenge=1)
org.freedesktop.udisks2.eject-media-system (polkit.retains_authorization_after_challenge=1)
org.freedesktop.udisks2.encrypted-change-passphrase-system (polkit.retains_authorization_after_challenge=1)
org.freedesktop.udisks2.encrypted-lock-others (polkit.retains_authorization_after_challenge=1)
org.freedesktop.udisks2.encrypted-unlock-crypttab (polkit.retains_authorization_after_challenge=1)
org.freedesktop.udisks2.encrypted-unlock-other-seat (polkit.retains_authorization_after_challenge=1)
org.freedesktop.udisks2.encrypted-unlock-system (polkit.retains_authorization_after_challenge=1)
org.freedesktop.udisks2.filesystem-fstab (polkit.retains_authorization_after_challenge=1)
org.freedesktop.udisks2.filesystem-mount-other-seat (polkit.retains_authorization_after_challenge=1)
org.freedesktop.udisks2.filesystem-mount-system (polkit.retains_authorization_after_challenge=1)
org.freedesktop.udisks2.filesystem-take-ownership (polkit.retains_authorization_after_challenge=1)
org.freedesktop.udisks2.filesystem-unmount-others (polkit.retains_authorization_after_challenge=1)
org.freedesktop.udisks2.loop-delete-others (polkit.retains_authorization_after_challenge=1)
org.freedesktop.udisks2.loop-modify-others (polkit.retains_authorization_after_challenge=1)
org.freedesktop.udisks2.lvm2.manage-lvm (polkit.retains_authorization_after_challenge=1)
org.freedesktop.udisks2.manage-md-raid (polkit.retains_authorization_after_challenge=1)
org.freedesktop.udisks2.manage-swapspace (polkit.retains_authorization_after_challenge=1)
org.freedesktop.udisks2.modify-device-other-seat (polkit.retains_authorization_after_challenge=1)
org.freedesktop.udisks2.modify-device-system (polkit.retains_authorization_after_challenge=1)
org.freedesktop.udisks2.modify-drive-settings (polkit.retains_authorization_after_challenge=1)
org.freedesktop.udisks2.modify-system-configuration
org.freedesktop.udisks2.open-device (polkit.retains_authorization_after_challenge=1)
org.freedesktop.udisks2.open-device-system (polkit.retains_authorization_after_challenge=1)
org.freedesktop.udisks2.power-off-drive-other-seat (polkit.retains_authorization_after_challenge=1)
org.freedesktop.udisks2.power-off-drive-system (polkit.retains_authorization_after_challenge=1)
org.freedesktop.udisks2.read-system-configuration-secrets
org.freedesktop.udisks2.zram.manage-zram (polkit.retains_authorization_after_challenge=1)
org.gnome.gconf.defaults.set-mandatory
org.gnome.gconf.defaults.set-system
org.gnome.sysprof2.get-kernel-symbols (polkit.retains_authorization_after_challenge=1)
org.gnome.sysprof2.perf-event-open (polkit.retains_authorization_after_challenge=1)
org.gsmartcontrol
org.libvirt.unix.manage (polkit.retains_authorization_after_challenge=1)
org.void.pkexec.gparted
org.xfce.thunar
Example output for a specified PID (here a process which should have only a very modest set of authorizations; note the need to run the tool as root to have permission to access the information):
$ pk-list-auths $(pidof chronyd)
Available polkit actions for process 765 (chronyd):
Error during authorization check:
[...]
# pk-list-auths $(pidof chronyd)
Available polkit actions for process 777 (chronyd):
Authorized:
org.libvirt.api.connect.getattr
org.libvirt.api.connect.read
org.libvirt.api.connect.search-domains
org.libvirt.api.connect.search-interfaces
org.libvirt.api.connect.search-networks
org.libvirt.api.connect.search-node-devices
org.libvirt.api.connect.search-nwfilter-bindings
org.libvirt.api.connect.search-nwfilters
org.libvirt.api.connect.search-secrets
org.libvirt.api.connect.search-storage-pools
org.libvirt.api.domain.getattr
org.libvirt.api.domain.read
org.libvirt.api.interface.getattr
org.libvirt.api.interface.read
org.libvirt.api.network.getattr
org.libvirt.api.network.read
org.libvirt.api.node-device.getattr
org.libvirt.api.nwfilter-binding.getattr
org.libvirt.api.nwfilter-binding.read
org.libvirt.api.nwfilter.getattr
org.libvirt.api.nwfilter.read
org.libvirt.api.secret.getattr
org.libvirt.api.secret.read
org.libvirt.api.storage-pool.getattr
org.libvirt.api.storage-pool.read
org.libvirt.api.storage-vol.getattr
org.libvirt.api.storage-vol.read
org.libvirt.unix.monitor
Not authorized:
com.mesonbuild.install.run
net.connman.modify
net.connman.secret
org.a11y.brlapi.write-display
org.freedesktop.NetworkManager.enable-disable-connectivity-check
org.freedesktop.NetworkManager.enable-disable-network
org.freedesktop.NetworkManager.enable-disable-statistics
org.freedesktop.NetworkManager.enable-disable-wifi
org.freedesktop.NetworkManager.enable-disable-wimax
org.freedesktop.NetworkManager.enable-disable-wwan
org.freedesktop.NetworkManager.sleep-wake
org.freedesktop.NetworkManager.wifi.share.open
org.freedesktop.NetworkManager.wifi.share.protected
org.freedesktop.consolekit.system.hibernate
org.freedesktop.consolekit.system.hibernate-multiple-users
org.freedesktop.consolekit.system.hybridsleep
org.freedesktop.consolekit.system.hybridsleep-multiple-users
org.freedesktop.consolekit.system.restart
org.freedesktop.consolekit.system.restart-multiple-users
org.freedesktop.consolekit.system.stop
org.freedesktop.consolekit.system.stop-multiple-users
org.freedesktop.consolekit.system.suspend
org.freedesktop.consolekit.system.suspend-multiple-users
org.freedesktop.policykit.example.pkexec.run-frobnicate
org.gnome.gconf.defaults.set-mandatory
org.gnome.gconf.defaults.set-system
org.libvirt.api.connect.detect-storage-pools
org.libvirt.api.connect.interface-transaction
org.libvirt.api.connect.pm-control
org.libvirt.api.connect.write
org.libvirt.api.domain.block-read
org.libvirt.api.domain.block-write
org.libvirt.api.domain.core-dump
org.libvirt.api.domain.delete
org.libvirt.api.domain.fs-freeze
org.libvirt.api.domain.fs-trim
org.libvirt.api.domain.hibernate
org.libvirt.api.domain.init-control
org.libvirt.api.domain.inject-nmi
org.libvirt.api.domain.mem-read
org.libvirt.api.domain.migrate
org.libvirt.api.domain.open-device
org.libvirt.api.domain.open-graphics
org.libvirt.api.domain.open-namespace
org.libvirt.api.domain.pm-control
org.libvirt.api.domain.read-secure
org.libvirt.api.domain.reset
org.libvirt.api.domain.save
org.libvirt.api.domain.screenshot
org.libvirt.api.domain.send-input
org.libvirt.api.domain.send-signal
org.libvirt.api.domain.set-password
org.libvirt.api.domain.set-time
org.libvirt.api.domain.snapshot
org.libvirt.api.domain.start
org.libvirt.api.domain.stop
org.libvirt.api.domain.suspend
org.libvirt.api.domain.write
org.libvirt.api.interface.delete
org.libvirt.api.interface.save
org.libvirt.api.interface.start
org.libvirt.api.interface.stop
org.libvirt.api.interface.write
org.libvirt.api.network.delete
org.libvirt.api.network.save
org.libvirt.api.network.start
org.libvirt.api.network.stop
org.libvirt.api.network.write
org.libvirt.api.node-device.detach
org.libvirt.api.node-device.read
org.libvirt.api.node-device.start
org.libvirt.api.node-device.stop
org.libvirt.api.node-device.write
org.libvirt.api.nwfilter-binding.create
org.libvirt.api.nwfilter-binding.delete
org.libvirt.api.nwfilter.delete
org.libvirt.api.nwfilter.save
org.libvirt.api.nwfilter.write
org.libvirt.api.secret.delete
org.libvirt.api.secret.read-secure
org.libvirt.api.secret.save
org.libvirt.api.secret.write
org.libvirt.api.storage-pool.delete
org.libvirt.api.storage-pool.format
org.libvirt.api.storage-pool.refresh
org.libvirt.api.storage-pool.save
org.libvirt.api.storage-pool.search-storage-vols
org.libvirt.api.storage-pool.start
org.libvirt.api.storage-pool.stop
org.libvirt.api.storage-pool.write
org.libvirt.api.storage-vol.create
org.libvirt.api.storage-vol.data-read
org.libvirt.api.storage-vol.data-write
org.libvirt.api.storage-vol.delete
org.libvirt.api.storage-vol.format
org.libvirt.api.storage-vol.resize
org.spice-space.lowlevelusbaccess
org.x.xf86-video-intel.backlight-helper
org.xfce.thunar
Authentication required:
com.ubuntu.pkexec.gufw
org.dpkg.pkexec.update-alternatives (polkit.retains_authorization_after_challenge=1)
org.freedesktop.Flatpak.app-install
org.freedesktop.Flatpak.app-uninstall
org.freedesktop.Flatpak.app-update
org.freedesktop.Flatpak.appstream-update
org.freedesktop.Flatpak.configure
org.freedesktop.Flatpak.configure-remote
org.freedesktop.Flatpak.install-bundle
org.freedesktop.Flatpak.metadata-update
org.freedesktop.Flatpak.modify-repo
org.freedesktop.Flatpak.runtime-install
org.freedesktop.Flatpak.runtime-uninstall
org.freedesktop.Flatpak.runtime-update
org.freedesktop.Flatpak.update-remote
org.freedesktop.NetworkManager.checkpoint-rollback (polkit.retains_authorization_after_challenge=1)
org.freedesktop.NetworkManager.network-control
org.freedesktop.NetworkManager.reload (polkit.retains_authorization_after_challenge=1)
org.freedesktop.NetworkManager.settings.modify.global-dns (polkit.retains_authorization_after_challenge=1)
org.freedesktop.NetworkManager.settings.modify.hostname (polkit.retains_authorization_after_challenge=1)
org.freedesktop.NetworkManager.settings.modify.own (polkit.retains_authorization_after_challenge=1)
org.freedesktop.NetworkManager.settings.modify.system (polkit.retains_authorization_after_challenge=1)
org.freedesktop.NetworkManager.wifi.scan
org.freedesktop.policykit.exec
org.freedesktop.udisks2.ata-check-power
org.freedesktop.udisks2.ata-secure-erase
org.freedesktop.udisks2.ata-smart-enable-disable
org.freedesktop.udisks2.ata-smart-selftest
org.freedesktop.udisks2.ata-smart-simulate
org.freedesktop.udisks2.ata-smart-update
org.freedesktop.udisks2.ata-standby
org.freedesktop.udisks2.ata-standby-other-seat
org.freedesktop.udisks2.ata-standby-system
org.freedesktop.udisks2.btrfs.manage-btrfs
org.freedesktop.udisks2.cancel-job
org.freedesktop.udisks2.cancel-job-other-user
org.freedesktop.udisks2.eject-media
org.freedesktop.udisks2.eject-media-other-seat
org.freedesktop.udisks2.eject-media-system
org.freedesktop.udisks2.encrypted-change-passphrase
org.freedesktop.udisks2.encrypted-change-passphrase-system
org.freedesktop.udisks2.encrypted-lock-others
org.freedesktop.udisks2.encrypted-unlock
org.freedesktop.udisks2.encrypted-unlock-crypttab
org.freedesktop.udisks2.encrypted-unlock-other-seat
org.freedesktop.udisks2.encrypted-unlock-system
org.freedesktop.udisks2.filesystem-fstab
org.freedesktop.udisks2.filesystem-mount
org.freedesktop.udisks2.filesystem-mount-other-seat
org.freedesktop.udisks2.filesystem-mount-system
org.freedesktop.udisks2.filesystem-take-ownership
org.freedesktop.udisks2.filesystem-unmount-others
org.freedesktop.udisks2.loop-delete-others
org.freedesktop.udisks2.loop-modify-others
org.freedesktop.udisks2.loop-setup
org.freedesktop.udisks2.lvm2.manage-lvm
org.freedesktop.udisks2.manage-md-raid
org.freedesktop.udisks2.manage-swapspace
org.freedesktop.udisks2.modify-device
org.freedesktop.udisks2.modify-device-other-seat
org.freedesktop.udisks2.modify-device-system
org.freedesktop.udisks2.modify-drive-settings
org.freedesktop.udisks2.modify-system-configuration
org.freedesktop.udisks2.open-device
org.freedesktop.udisks2.open-device-system
org.freedesktop.udisks2.power-off-drive
org.freedesktop.udisks2.power-off-drive-other-seat
org.freedesktop.udisks2.power-off-drive-system
org.freedesktop.udisks2.read-system-configuration-secrets
org.freedesktop.udisks2.rescan
org.freedesktop.udisks2.zram.manage-zram
org.gnome.sysprof2.get-kernel-symbols (polkit.retains_authorization_after_challenge=1)
org.gnome.sysprof2.perf-event-open (polkit.retains_authorization_after_challenge=1)
org.gsmartcontrol
org.libvirt.unix.manage (polkit.retains_authorization_after_challenge=1)
org.void.pkexec.gparted
Perhaps this tool could assist in addressing issue #80 as well.
Source for the script (proposed license: MIT): pk-list-auths
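A listing like the ones above can be assembled from polkit's own `pkaction` and `pkcheck` commands. The sketch below is an added example, not the linked pk-list-auths script, and the page does not say whether that script works this way. The function names are hypothetical, and the exit-status mapping follows pkcheck(1).

```shell
#!/bin/sh
# Added illustration; not the pk-list-auths script linked from this issue.
# Assumes polkit's pkaction(1) and pkcheck(1) are installed.

# Map a pkcheck exit status to the headings used in the output above.
# pkcheck(1): 0 = authorized, 1 = not authorized, 2 = would need
# authentication (no --allow-user-interaction given), 127 = check failed.
classify_status() {
    case "$1" in
        0) echo "Authorized" ;;
        1) echo "Not authorized" ;;
        2) echo "Authentication required" ;;
        *) echo "Error during authorization check" ;;
    esac
}

# Query one action for one PID. Prints "<heading><TAB><action>[ (details)]".
# pkcheck is run without --allow-user-interaction, so it never prompts.
# A bare PID can be reused by another process; pkcheck also accepts
# "pid,pid-start-time,uid" for --process when that matters.
check_action() {
    pid=$1
    action=$2
    if details=$(pkcheck --action-id "$action" --process "$pid" 2>/dev/null); then
        rc=0
    else
        rc=$?
    fi
    details=$(printf '%s' "$details" | tr '\n' ' ')
    if [ -n "$details" ]; then
        printf '%s\t%s (%s)\n' "$(classify_status "$rc")" "$action" "$details"
    else
        printf '%s\t%s\n' "$(classify_status "$rc")" "$action"
    fi
}

# Check every registered action for the PID and print them grouped.
list_auths() {
    target=$1
    tab=$(printf '\t')
    results=$(pkaction | sort | while IFS= read -r action; do
        check_action "$target" "$action"
    done)
    printf 'Available polkit actions for process %s (%s):\n' \
        "$target" "$(cat "/proc/$target/comm" 2>/dev/null)"
    for label in "Authorized" "Not authorized" "Authentication required" \
                 "Error during authorization check"; do
        group=$(printf '%s\n' "$results" | grep "^$label$tab" | cut -f2-)
        [ -n "$group" ] || continue
        printf '%s:\n%s\n' "$label" "$group"
    done
}

# Usage: sh list-auths.sh PID
if [ $# -gt 0 ]; then
    list_auths "$1"
fi
```

Diffing the output for a service's PID against a known-good baseline shows which actions a policy or rules change has newly granted without authentication.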