On 05/16/2018 12:36 AM, John Crawley wrote:
On 2018-05-15 22:24, Richard Owlett wrote:
On 05/15/2018 12:48 AM, John Crawley (johnraff) wrote:


Policykit brings its own complications, but I think it should be possible to create a .pkla file in /var/lib/polkit-1/localauthority to allow a certain user, or group member, to perform an action defined in /usr/share/polkit-1/actions/* without a password. You could even add a new action if necessary.

Through a chain of references I discovered
   /usr/share/polkit-1/actions/com.ubuntu.pkexec.gparted.policy

The initial lines read:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>

However
   [http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd]
gives a 404 File not found message.

Indeed. Even so, that seems to be what is required in the xml.

Where would I find its syntax?

I had a similar problem a while ago and found internet searches to be somewhat helpful.

My searches were not as good. Thank you.

This is not Debian, but on-topic:
https://wiki.archlinux.org/index.php/Polkit
And:
https://www.freedesktop.org/software/polkit/docs/0.105/pklocalauthority.8.html
http://davidz25.blogspot.jp/2012/06/authorization-rules-in-polkit.html
https://github.com/systemd/systemd/issues/5523

I don't know if they answer ALL my questions.
BUT they each specifically address one or more of my questions.
They also suggest some likely fruitful search terms.


It seems polkit wants to shift from .pkla files to (javascript-like) .rules files, but at the moment both might work on Debian, so use whichever you feel less uncomfortable with.

I used a .pkla file in /var/lib/polkit-1/localauthority/10-vendor.d/. If you search for *.pkla files on your system, there might be some there, or in /etc/polkit-1/localauthority/* to use as a template.

By a convoluted path I found:
[https://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html]

Its last example strongly suggests I can do just what I want without messing up other users &/or apps.

That's what I think too. Just as an untested guess, since the action is already defined, something like this in /etc/polkit-1/localauthority/50-local.d/gparted.pkla?

[Allow specific user to use gparted]
Identity=unix-user:yourusername
Action=com.ubuntu.pkexec.gparted
ResultAny=no
ResultInactive=no
ResultActive=yes

BTW To see the currently defined actions on your system, try this:
cat /usr/share/polkit-1/actions/* | grep -E '(<action|<description>|<message>|<allow|</action>)'|sed 's/<\/action>/\n/g;s/<\/[^>]*>//g'
But you can add one of your own too.
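
A defensive check that follows from the .pkla entry suggested above, added here as an example (it is not code from the thread or from polkit): it parses .pkla text and reports every entry in which ResultAny, ResultInactive or ResultActive is "yes", that is, every grant that skips the password prompt. The `org.example.*` actions and the two extra sample entries are constructed, and the function names are this example's own.

```python
import configparser
import sys
from pathlib import Path

RESULT_KEYS = ("ResultAny", "ResultInactive", "ResultActive")
# Constructed sample: the thread's gparted entry plus two made-up entries.
SAMPLE = """\
[Allow specific user to use gparted]
Identity=unix-user:yourusername
Action=com.ubuntu.pkexec.gparted
ResultAny=no
ResultInactive=no
ResultActive=yes

[Constructed broad grant]
Identity=unix-group:*
Action=org.example.*
ResultAny=yes

[Constructed entry that still asks for a password]
Identity=unix-group:sudo
Action=org.example.backup
ResultActive=auth_admin
"""

def _items(entry, key):
    """Split a semicolon-separated Identity= or Action= value."""
    return [v.strip() for v in entry.get(key, "").split(";") if v.strip()]

def audit_pkla(text, source="<inline>"):
    """Return one finding per entry that answers "yes" (no authentication)."""
    cp = configparser.RawConfigParser(delimiters=("=",), comment_prefixes=("#",), strict=False)
    cp.optionxform = str  # keep key case: Identity, Action, ResultActive
    cp.read_string(text, source)
    findings = []
    for title in cp.sections():
        entry = cp[title]
        granted = [k for k in RESULT_KEYS if entry.get(k, "").strip() == "yes"]
        if granted:
            ids, acts = _items(entry, "Identity"), _items(entry, "Action")
            findings.append({"source": source, "title": title, "identities": ids,
                             "actions": acts, "granted": granted,
                             "wildcard": any("*" in v for v in ids + acts)})  # glob widens the grant
    return findings

if __name__ == "__main__":
    # Audit the files named on the command line, or the sample if none are given.
    texts = [(Path(p).read_text(), p) for p in sys.argv[1:]] or [(SAMPLE, "<sample>")]
    for text, name in texts:
        print(*audit_pkla(text, name), sep="\n")
```

Run it as root with the .pkla files under /etc/polkit-1/localauthority and /var/lib/polkit-1/localauthority as arguments; entries flagged with a wildcard, or with ResultAny granted, deserve the closest look.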



