View _Example polkit rules_.md

These are only examples, for a few very common actions. You are expected to write your own rules for the rest. See the polkit(8) manpage for rule syntax. (It's JavaScript.)

If you don't know the action name, run pkaction:

```
pkaction | grep cups
```

The possible results are YES, AUTH_SELF(_KEEP), AUTH_ADMIN(_KEEP), NO. Returning a result is final. Returning null will continue checking other rules.

Put your rules in /etc/polkit-1/rules.d/*.rules. (You can check everything in one giant addRule, or you can have a separate file and separate addRule for each program; it doesn't matter.)

To test your rules, use pkcheck:

```
pkcheck -u -p $$ -a org.freedesktop.packagekit.upgrade-system
```
```javascript
/* Copy this to /etc/polkit-1/rules.d/80-networkmanager-wheel-without-authentication.rules */

// Allow every NetworkManager action without authentication, but only for
// wheel members in a local, active session.
polkit.addRule(function(action, subject) {
    if (/^org\.freedesktop\.NetworkManager\./.test(action.id) &&
        subject.local && subject.active && subject.isInGroup("wheel"))
    {
        return polkit.Result.YES;
    }
});
```
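```javascript
/* Copy this to /etc/polkit-1/rules.d/packagekit-restrict.rules */

// PackageKit: user "fred" and wheel members need no authentication;
// everyone else must authenticate as an administrator.
// There is no subject.local/subject.active test, so this applies to any session.
polkit.addRule(function(action, subject) {
    if (/^org\.freedesktop\.packagekit\./.test(action.id)) {
        if (subject.user === "fred" || subject.isInGroup("wheel")) {
            return polkit.Result.YES;
        } else {
            return polkit.Result.AUTH_ADMIN_KEEP;
        }
    }
});
```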
```javascript
/* Copy this to /etc/polkit-1/rules.d/udisks-no-consolekit.rules */

// Mounting a filesystem: wheel members are allowed, others authenticate as admin.
// Every other udisks action: admin authentication for everyone.
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.udisks.filesystem-mount") {
        if (subject.isInGroup("wheel"))
            return polkit.Result.YES;
        else
            return polkit.Result.AUTH_ADMIN_KEEP;
    } else if (/^org\.freedesktop\.udisks\./.test(action.id)) {
        return polkit.Result.AUTH_ADMIN_KEEP;
    }
});
```
```javascript
/* Copy this to /etc/polkit-1/rules.d/always-allow-wheel.rules */

// Allow every udisks action for wheel members, with no session check.
polkit.addRule(function(action, subject) {
    if (/^org\.freedesktop\.udisks\./.test(action.id)
        && subject.isInGroup("wheel"))
    {
        return polkit.Result.YES;
    }
});
```
```javascript
/* Copy this to /etc/polkit-1/rules.d/allow-mount-internal.rules */

// Allow mounting internal (system) filesystems for members of "users",
// but only from a local, active session.
polkit.addRule(function(action, subject) {
    if ((action.id == "org.freedesktop.udisks2.filesystem-mount-system" ||
         action.id == "org.freedesktop.udisks.filesystem-mount-system-internal") &&
        subject.local && subject.active && subject.isInGroup("users"))
    {
        return polkit.Result.YES;
    }
});
```
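pkcheck asks the running daemon, so it only sees rules that are already installed. The following is an added example, not part of the original gist or of polkit: a small stand-in for the rule engine that runs two of the rules above under Node.js before they are copied into rules.d. `makePolkit`, `makeSubject`, the user `alice` and the Result string values are assumptions made for this mock.

```javascript
// Added example: a stand-in for polkitd's rule engine, for offline checks only.
// Assumption: rules run in the order added; the first non-null result is final.
function makePolkit() {
  const rules = [];
  return {
    // Result names from the page; the string values are constructed for this mock.
    Result: { YES: "yes", NO: "no", AUTH_SELF: "auth_self", AUTH_SELF_KEEP: "auth_self_keep",
              AUTH_ADMIN: "auth_admin", AUTH_ADMIN_KEEP: "auth_admin_keep" },
    addRule(fn) { rules.push(fn); },
    check(actionId, subject) {
      for (const rule of rules) {
        const result = rule({ id: actionId }, subject);
        if (result !== null && result !== undefined) return result; // final
      }
      return null; // undecided: the real daemon would use the action's defaults
    },
  };
}
// Hypothetical helper: builds a subject with only the fields these rules read.
function makeSubject({ user, groups = [], local = true, active = true }) {
  return { user, local, active, isInGroup: (g) => groups.includes(g) };
}
const polkit = makePolkit();

// Rule from the NetworkManager example on this page.
polkit.addRule(function(action, subject) {
  if (/^org\.freedesktop\.NetworkManager\./.test(action.id) &&
      subject.local && subject.active && subject.isInGroup("wheel")) {
    return polkit.Result.YES;
  }
});

// Rule from the packagekit example on this page.
polkit.addRule(function(action, subject) {
  if (/^org\.freedesktop\.packagekit\./.test(action.id)) {
    if (subject.user === "fred" || subject.isInGroup("wheel")) {
      return polkit.Result.YES;
    } else {
      return polkit.Result.AUTH_ADMIN_KEEP;
    }
  }
});

// Constructed subjects: a wheel member at the console, and the same user over SSH.
const atConsole = makeSubject({ user: "alice", groups: ["wheel"] });
const overSsh = makeSubject({ user: "alice", groups: ["wheel"], local: false, active: false });
const NM = "org.freedesktop.NetworkManager.settings.modify.system";
console.log(polkit.check(NM, atConsole), polkit.check(NM, overSsh));
```

The SSH subject gets no decision from the NetworkManager rule because of its `subject.local && subject.active` test, so the action's default applies. The packagekit rule has no such test and returns YES for the same subject.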

This is probably the most annoying thing in OpenSUSE - asking for a password for network, hdd mount, etc. Every now and then I have to search for these rules. Thanks for posting them as a gist!
