polkit and package kit and changing settings

November 18, 2009

In Fedora 12 the default polkit policy for PackageKit allows users at the
desktop to install signed packages from repositories enabled on the system.

Some folks are unhappy about this so I investigated a bit. Ray Strode looked
through the polkit code to figure out the answers.

The short answer is to run (as root):

pklalockdown --lockdown org.freedesktop.packagekit.package-install

To remove this lockdown, run (as root):

pklalockdown --remove-lockdown org.freedesktop.packagekit.package-install

 

Update: According to davidz in the comments below, the above command is going away. So if you want to keep users from installing packages, you need to follow the longer instructions below.


The long answer explains a bit about polkit.

To get a list of all actions that polkit knows about, run:

pkaction

To get information about the system defaults for any action, run:

pkaction --action-id actionname --verbose

This only tells you what the system defaults are. It doesn’t tell you what
the current runtime policy is going to do.

Example:
pkaction --action-id org.freedesktop.packagekit.package-install --verbose

org.freedesktop.packagekit.package-install:
description:       Install signed package
message:           Authentication is required to install a signed package
vendor:            The PackageKit Project
vendor_url:        http://www.packagekit.org/
icon:              package-x-generic
implicit any:      no
implicit inactive: no
implicit active:   yes

Now, if you want to change the value of this to something more specific, you
need to edit a file:
/var/lib/polkit-1/localauthority/50-local.d/10-my-pkgkit-policy.pkla

In this file you would put:

[Only Let Admins Install Packages]
Identity=unix-user:*
Action=org.freedesktop.packagekit.package-install
ResultAny=auth_admin
ResultInactive=auth_admin
ResultActive=auth_admin

Save it and that’s it.

The Identity line lets you specify the users or groups that the policy affects.
The items are separated by ; and each one must start with unix-user or
unix-group and have a user, group or wildcard following it.
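
An added example (not from the original post): a small Python check that parses a .pkla file with the fields described above, validates each Identity entry and Result* value, and flags rules that answer yes for a given action. The function name, the sample rules and the use of fnmatch to approximate polkit's glob matching are assumptions of this example; it does not model precedence between files.

```python
import configparser
from fnmatch import fnmatchcase

# Implicit authorization values documented in polkit(8).
VALID_RESULTS = {"no", "yes", "auth_self", "auth_self_keep",
                 "auth_admin", "auth_admin_keep"}
RESULT_KEYS = ("ResultAny", "ResultInactive", "ResultActive")

def audit_pkla(text, action_id):
    """Return (section, message) findings for rules that apply to action_id."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str          # keep key case: Identity, ResultActive, ...
    cp.read_string(text)
    findings = []
    for name in cp.sections():
        rule = cp[name]
        actions = [a for a in rule.get("Action", "").split(";") if a]
        # Assumption: fnmatch globbing stands in for polkit's own matching.
        if not any(fnmatchcase(action_id, glob) for glob in actions):
            continue              # rule does not cover this action
        for ident in (i for i in rule.get("Identity", "").split(";") if i):
            kind, _, who = ident.partition(":")
            if kind not in ("unix-user", "unix-group") or not who:
                findings.append((name, f"bad identity: {ident}"))
        for key in RESULT_KEYS:
            value = rule.get(key)
            if value is None:
                continue
            if value not in VALID_RESULTS:
                findings.append((name, f"{key} has unknown value: {value}"))
            elif value == "yes":
                findings.append((name, f"{key}=yes allows {action_id} with no password"))
    return findings

# Constructed sample: the admin-only rule from the post plus one loose rule.
SAMPLE = """\
[Only Let Admins Install Packages]
Identity=unix-user:*
Action=org.freedesktop.packagekit.package-install
ResultAny=auth_admin
ResultInactive=auth_admin
ResultActive=auth_admin

[Constructed loose rule]
Identity=unix-group:wheel;wheel
Action=org.freedesktop.packagekit.*
ResultActive=yes
"""

if __name__ == "__main__":
    for section, message in audit_pkla(SAMPLE, "org.freedesktop.packagekit.package-install"):
        print(f"{section}: {message}")
```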

Now, if you want to test to make sure this works you can, of course, run the
program in question. Or you can use pkcheck.

You use pkcheck like this:
pkcheck --action-id org.freedesktop.packagekit.package-install \
--process $process_id_of_the_process_making_the_request \
-u $the_username_you_are_testing

The process id I used was that of a shell of the user, or of the gnome-session process.

It should pop up an auth dialog if you did everything correctly.

For more complete docs look at:
man pklocalauthority

and

man polkit

Hope this helps.

16 Responses to “polkit and package kit and changing settings”

  1. davidz Says:

    Hi. Please avoid referring to a command that won’t be available in the next polkit update, see

    https://bugzilla.redhat.com/show_bug.cgi?id=534047#c27

    for details. Thanks.

  2. skvidal Says:

    okay, I’ll edit it out – I had no idea the command was going away.


  3. Never mind the any console user installing packages, what about the 100s of other cans of worms in PolicyKit. Are these properly documented somewhere?

    What does
    org.freedesktop.devicekit.disks.filesystem-mount
    do? Does this mean a console user can mount any file system, even non-removable media?

    Does org.fedoraproject.abrt.install-debuginfos mean that any console user can fill up the root partition with debuginfo rpms?

    Does org.freedesktop.RealtimeKit1.acquire-high-priority mean that any console user can stop the rest of the system working by opening up lots of realtime processes?

    Who knows what org.freedesktop.devicekit.disks.change, “Modify a device” does. Sounds nasty.

    Can the user detach a system disk? org.freedesktop.devicekit.disks.drive-detach

    or start a fsck?
    org.freedesktop.devicekit.disks.filesystem-check


  4. […] to remove this policy, someone took the trouble to document it because it was omitted from the Fedora 12 release notes. To remove the […]

  5. bill Says:

    I find the better solution is to uninstall Fedora.


  6. […] polkit and package kit and changing settings « journal/notes a few seconds ago from web […]


  7. […] For more information I recommend following the discussion on the official site and also a post by skvidal. […]


  8. […] polkit and package kit and changing settings In f12 the default policy for polkit for package kit is to allow users at the desktop to install signed pkgs from […] […]

  9. Haran S. Says:

    I know in Fedora 11/PolicyKit 0.9 there’s a GUI interface for changing policies. In GNOME it’s located in:

    Main Menu » System » Preferences » Authorizations

    Find the “freedesktop” branch, under which is a “packagekit” branch containing (among others) an “Install signed package” item. From there you can change the “ResultAny”, “ResultInactive” and “ResultActive” settings outlined above in the post. FYI, on my system, “ResultAny” and “ResultInactive” are set to “No” instead of “Admin Auth.”.

    Not sure if this GUI is still around in Fedora 12/PolicyKit 1.0. Can someone else verify this?


  10. […] information about this, you can find it here. […]


  11. # pklalockdown --remove-lockdown org.freedesktop.packagekit.package-install
    Command not found.

    How to remove lockdown on Fedora 14?

    I would like to enable users to install packages and updates without typing in root password.

    • Kevin Brubeck Unhammer Says:

      I don’t think there’s a GUI for PolKit user administration yet. The simplest way to make some group of users, e.g. “wheel”, have the same PolKit access as the root user, is to create a file

      /etc/polkit-1/localauthority.conf.d/60-localauthority.conf

      containing:

      [Configuration]
      AdminIdentities=unix-user:0;unix-group:wheel

      However, to only allow PackageKit actions to wheel, leaving other PolKit actions intact, you’d have to make a rule like

      [Let Wheel Use PackageKit]
      Identity=unix-group:wheel
      Action=org.freedesktop.packagekit.*
      ResultAny=no
      ResultInactive=no
      ResultActive=yes

      in e.g. /etc/polkit-1/localauthority/50-local.d/10-my-pkgkit-policy.pkla

      I haven’t tested this; see man pklocalauthority (the man page should work even though the command does not exist)

      • Kevin Brubeck Unhammer Says:

        ok, now I have tested it 🙂 it works, but change ResultActive to auth_self_keep instead of yes if you want users to at least enter their own password…


  12. […] I was supposed to do. After having search the web for information about PolicyKit I have found one interesting article that helped me getting done with my issue and learning more about this authorization framework. […]


  13. […] For more information I recommend following the discussion on the official site and also a post by skvidal. […]

