To modify implicit privileges or to set explicit ones, you can either use the graphicaltool available with GNOME, use the command line tools shipped with PolicyKit, or modify the configuration files. While the GUI and the command line tools are a good solution for making temporary changes, editing the configuration files should be the preferred way to make permanent changes.
Start the Authorizations tool either via the GNOME main menu by selecting Alt+F2 and entering polkit-gnome-authorization.or by pressing
The KDE version of the Authorisation tool can be started via Alt+F2 and entering polkit-kde-authorization.
Figure 9-1 The Authorizations Tool
The Authorizations window is divided into two parts. The left side shows all policies available in a tree view, while the right side displays details for the policy selected and offers means to change it.
Lists details of the chosen policy. Theis the unique string used by PolicyKit to identify the policy. explains the purpose of the policy and displays a link to the organization that has issued this policy.
Change the privileges by clicking Section 9.2.1, Implicit Privileges. Click to restore the system defaults.and choosing an authorization type explained in
In this section you canprivileges to existing users or users. In both cases, choose a user and a . Users with a UID of less than 1000 are only shown when is checked. To delete an authorization, choose it from the list and click .
NOTE: Restrictions of the Revert to Defaults function on openSUSE
When using Section 9.3.4, Restoring the Default Privileges for further information., the Authorization tool always operates on the upstream defaults, so it is not possible to list or restore the defaults shipped with openSUSE. Refer to
PolicyKit comes with two command line tools for changing implicit privileges and for assigning explicit privileges. Each existing policy has got a speaking, unique name with which it can be identified and which is used with the command line tools. List all available policies with the command polkit-action.
List and modify implicit privileges. Using this command you can also reset all policies to the default value. When invoked with no parameters, The command polkit-action shows a list of all policies. See man 1 polkit-action for more information.
Inspect, grant, block and revoke explicit privileges. To print a list of explicit privileges for a specific user, use the command polkit-auth --explicit-detail --user USER where USER has to be replaced by a valid username. If the --user option is left out, privileges for the user executing the command are shown. See man 1 polkit-auth for more information.
NOTE: Restrictions of polkit-action on openSUSE
Using the option --show-overrides, polkit-action lists all policies that differ from the default values. With --reset-defaults action one can reset the privileges for a given action to the defaults. However, polkit-action always operates on the upstream defaults, so it is not possible to list or restore the defaults shipped with openSUSE. Refer to Section 9.3.4, Restoring the Default Privileges for further information.
Adjusting privileges by modifying configuration files is useful when you want to deploy the same set of policies to different machines, for example to the computers of a specific team. It is possible to change implicit as well as explicit privileges by modifying configuration files.
openSUSE ships with two sets of default authorizations located in /etc/polkit-default-privs.standard and /etc/polkit-default-privs.restrictive. The .standard file defines privileges suitable for most desktop systems. It is active by default. The .restrictive set of privileges is designed for machines administrated centrally.Activate it by setting POLKIT_DEFAULT_PRIVS to restrictive in /etc/sysconfig/security and run set_polkit_default_privs as root afterwards. Do not modify these two files.
In order to define your custom set of privileges, use /etc/polkit-default-privs.local. Privileges defined here will always take precedence over the ones defined in the other configuration files. To define a privilege, add a line for each policy with the following format:
<privilege name> <any session>:<inactive session>:<active session>
For a list of all privilege names available, run the command polkit-action. The following values are valid for the session parameters:
user needs to authenticate with own password every time the privilege is requested
user needs to authenticate with own password once per session, privilege is granted for the whole session
user needs to authenticate with own password once, privilege is granted for the current and for future sessions
user needs to authenticate with root password every time the privilege is requested
user needs to authenticate with root password once per session, privilege is granted for the whole session
user needs to authenticate with root password once, privilege is granted for the current and for future sessions
Run set_polkit_default_privs to activate your settings.
Explicit privileges can be set in /etc/PolicyKit/PolicyKit.conf. This configuration file is written in XML using the PolicyKit DTD. The file that is shipped with openSUSE already contains the necessary headers and the root element <config>. Place your edits inside the <config> tags.
Specify an action or a user. match knows two attributes, user and action, but only a single attribute is allowed. Use nested match statements to combine attributes. POSIX Extended Regular Expressions are allowed as attribute values.
Specify one or more login names. Separate multiple names by the
Specify a policy by it's unique identifier. To get a list of all available policy identifiers use the command polkit-action.
Specify the answer PolicyKit will return. Takes a single attribute, result=value with one of the values listed under Modifying Configuration Files for Implicit Privileges.
Specify users or groups allowed to authorize with their own password
where normally the root password would be required. Takes the
or group=GROUP, but
only one may be used at a time. Multiple attribute values must be
|, Extended POSIX Regular Expressions
are not supported. Applies to all policies when used at the top
level, or to specific policies when used within
Example 9-1 An example /etc/PolicyKit/PolicyKit.conf file
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE pkconfig PUBLIC "-//freedesktop//DTD PolicyKit Configuration 1.0//EN" "http://hal.freedesktop.org/releases/PolicyKit/1.0/config.dtd"> <config version="0.1"> <match action="org.freedesktop.packagekit.system-update"> <match user="tux"> <return result="yes"/> </match> </match> <match action="org.freedesktop.policykit.*"> <match user="tux|wilber"> <return result="no"/> </match> </match> <define_admin_auth group="administrators"/> </config>
The first three lines of the config file are the XML header. These lines are already present in the template file, leave them untouched.
The XML root element must always be present. The attribute version is mandatory, currently the only valid value is 0.1. Already present in the template file.
A statement granting the user tux the privilege to update packages via PackageKit without having to authorize.
Withdraw privileges for all PolicyKit related policies from the users tux and wilber.
This statement allows all members of the group administrators to authenticate with their own password whenever authentication with the root password would be required. Since this statement is not nested within constraining match statements, it applies to all policies.
Each application supporting PolicyKit comes with a default set of implicit
policies defined by the application's developers, the so-called
upstream defaults. The privileges defined by the upstream
defaults are not necessarily the ones that are activated by default on
openSUSE. openSUSE comes with its own predefined set of
Modifying Configuration Files for Implicit Privileges
for more information) that is activated by default, overriding the
Since the Authorization tool and the PolicyKit command line utilities always operate on the upstream defaults, openSUSE comes with the command-line tool set_polkit_default_privs that resets privileges to the values defined in /etc/polkit-default-privs.*. However, set_polkit_default_privs will only reset policies that are set to the upstream defaults. To reset all policies to the upstream defaults first and then apply the openSUSE defaults, run the following command:
rm -f /var/lib/PolicyKit-public/* && set_polkit_defaut_privs
In order to apply the openSUSE defaults, make sure /etc/polkit-default-privs.local does not contain any overrides, otherwise these will be applied on top of the defaults when running set_polkit_default_privs.