On 2018-05-15 22:24, Richard Owlett wrote:
On 05/15/2018 12:48 AM, John Crawley (johnraff) wrote:
Policykit brings its own complications, but I think it should be
possible to create a .pkla file in /var/lib/polkit-1/localauthority to
allow a certain user, or group member, to perform an action defined in
/usr/share/polkit-1/actions/* without a password. You could even add a
new action if necessary.
Through a chain of references I discovered
/usr/share/polkit-1/actions/com.ubuntu.pkexec.gparted.policy
The initial lines read:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
"-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
"http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>
However
[http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd]
gives a 404 File not found message.
Indeed. Even so, that seems to be what is required in the xml.
Where would I find its syntax?
I had a similar problem a while ago and found internet searches to be
somewhat helpful.
This is not Debian, but on-topic:
https://wiki.archlinux.org/index.php/Polkit
And:
https://www.freedesktop.org/software/polkit/docs/0.105/pklocalauthority.8.html
http://davidz25.blogspot.jp/2012/06/authorization-rules-in-polkit.html
https://github.com/systemd/systemd/issues/5523
It seems polkit wants to shift from .pkla files to (javascript-like)
.rules files, but at the moment both might work on Debian, so use
whichever you feel less uncomfortable with.
I used a .pkla file in /var/lib/polkit-1/localauthority/10-vendor.d/. If
you search for *.pkla files on your system, there might be some there,
or in /etc/polkit-1/localauthority/* to use as a template.
By a convoluted path I found:
[https://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html]
Its last example strongly suggests I can do just what I want without
messing up other users &/or apps.
That's what I think too. Just as an untested guess, since the action is
already defined, something like this in
/etc/polkit-1/localauthority/50-local.d/gparted.pkla?
[Allow specific user to use gparted]
Identity=unix-user:yourusername
Action=com.ubuntu.pkexec.gparted
ResultAny=no
ResultInactive=no
ResultActive=yes
BTW To see the currently defined actions on your system, try this:
cat /usr/share/polkit-1/actions/* | grep -E '(<action|<description>|<message>|<allow|</action>)' | sed 's/<\/action>/\n/g;s/<\/[^>]*>//g'
But you can add one of your own too.
--
John
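
Added example, not part of the original message or of polkit itself: a small Python audit that parses .pkla text like the gparted entry above and reports which entries answer "yes" (no password prompt), and whether their Identity or Action uses a wildcard. The second sample entry and the function names are constructed for illustration.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed sample: the entry from the message above plus a broad one.
SAMPLE_PKLA = """\
[Allow specific user to use gparted]
Identity=unix-user:yourusername
Action=com.ubuntu.pkexec.gparted
ResultAny=no
ResultInactive=no
ResultActive=yes

[Constructed overly broad grant]
Identity=unix-user:*
Action=org.freedesktop.*
ResultAny=yes
"""

RESULT_KEYS = ("ResultAny", "ResultInactive", "ResultActive")


def parse_pkla(text):
    """Parse .pkla key-file text into a list of entry dicts."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case: ResultActive, not resultactive
    cp.read_string(text)
    entries = []
    for name in cp.sections():
        sec = cp[name]
        entries.append({
            "name": name,
            # Identity and Action are semicolon-separated lists of globs
            "identities": [i for i in sec.get("Identity", fallback="").split(";") if i],
            "actions": [a for a in sec.get("Action", fallback="").split(";") if a],
            "results": {k: sec[k] for k in RESULT_KEYS if k in sec},
        })
    return entries


def passwordless_grants(entries, action_id=None):
    """List (name, result keys set to 'yes', uses_wildcard) per granting entry."""
    findings = []
    for e in entries:
        yes_for = [k for k, v in e["results"].items() if v == "yes"]
        matches = action_id is None or any(fnmatchcase(action_id, g) for g in e["actions"])
        if yes_for and matches:
            broad = any("*" in x for x in e["identities"] + e["actions"])
            findings.append((e["name"], yes_for, broad))
    return findings
```
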