In F12 the default polkit policy for PackageKit is to allow users at the
desktop to install signed packages from repositories enabled on the system.

Some folks are unhappy about this so I investigated a bit. Ray Strode looked
through the polkit code to figure out the answers.

The short answer is to run (as root):

pklalockdown --lockdown org.freedesktop.packagekit.package-install

To remove this lockdown, run (as root):

pklalockdown --remove-lockdown org.freedesktop.packagekit.package-install

Update: According to davidz in the comments below, the above command is going away. So if you want to keep users from installing packages, you need to follow the longer instructions below.


The long answer explains a bit about polkit.

To get a list of all actions that PolicyKit knows about, run:

pkaction

To get information about the system defaults for any action, run:

pkaction --action-id actionname --verbose

This only tells you what the system defaults are. It doesn’t tell you what
the current runtime policy is going to do.

Example:
pkaction --action-id org.freedesktop.packagekit.package-install --verbose

org.freedesktop.packagekit.package-install:
description:       Install signed package
message:           Authentication is required to install a signed package
vendor:            The PackageKit Project
vendor_url:        http://www.packagekit.org/
icon:              package-x-generic
implicit any:      no
implicit inactive: no
implicit active:   yes

Now, if you want to change this to something more specific, you need
to edit a file:
/var/lib/polkit-1/localauthority/50-local.d/10-my-pkgkit-policy.pkla

In this file you would put:

[Only Let Admins Install Packages]
Identity=unix-user:*
Action=org.freedesktop.packagekit.package-install
ResultAny=auth_admin
ResultInactive=auth_admin
ResultActive=auth_admin

Save it and that’s it.

The Identity line lets you specify the users or groups that the policy affects.
The items are separated by ; and each one must start with unix-user or unix-group
and be followed by a user, group or wildcard.
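
To check a .pkla file before dropping it in place, here is an added example (not part of the original post or of polkit) that lints one file's text against the rules described above and reports whether the given action ends up requiring admin authentication for every user. It assumes the result values listed in man pklocalauthority, accepts only the two identity prefixes named here, and does not model how polkit orders multiple files; audit_pkla and the broken sample are hypothetical names and data made up for illustration.

```python
import configparser
import fnmatch

RESULT_KEYS = ("ResultAny", "ResultInactive", "ResultActive")
VALID = {"no", "yes", "auth_self", "auth_self_keep", "auth_admin", "auth_admin_keep"}  # assumed, per man pklocalauthority
ADMIN = {"auth_admin", "auth_admin_keep"}

def audit_pkla(text, action):
    """Return (problems, locked); locked means unix-user:* needs admin auth in all three states."""
    cp = configparser.RawConfigParser(delimiters=("=",), comment_prefixes=("#",))
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(text)
    problems, locked = [], False
    for name in cp.sections():
        sec = cp[name]
        idents = [i for i in sec.get("Identity", "").split(";") if i]
        actions = [a for a in sec.get("Action", "").split(";") if a]
        if not idents or not actions:
            problems.append(f"[{name}] missing Identity or Action")
            continue
        for i in idents:  # each item needs a prefix and a name or wildcard after it
            if not i.startswith(("unix-user:", "unix-group:")) or i.endswith(":"):
                problems.append(f"[{name}] bad identity {i!r}")
        results = {k: sec.get(k) for k in RESULT_KEYS}
        for k, v in results.items():
            if v is not None and v not in VALID:
                problems.append(f"[{name}] {k} has unknown value {v!r}")
        applies = any(fnmatch.fnmatchcase(action, a) for a in actions)
        if applies and "unix-user:*" in idents and all(v in ADMIN for v in results.values()):
            locked = True
    return problems, locked

PAGE_ENTRY = """\
[Only Let Admins Install Packages]
Identity=unix-user:*
Action=org.freedesktop.packagekit.package-install
ResultAny=auth_admin
ResultInactive=auth_admin
ResultActive=auth_admin
"""  # the entry from the post
BROKEN = """\
[Constructed broken entry]
Identity=wheel
Action=org.freedesktop.packagekit.*
ResultActive=auth-admin
"""  # constructed sample: missing prefix, misspelled result, two Result keys unset
if __name__ == "__main__":
    for label, text in (("page entry", PAGE_ENTRY), ("broken", BROKEN)):
        print(label, audit_pkla(text, "org.freedesktop.packagekit.package-install"))
```

A clean lint only says the file is well formed; pkcheck is still the way to confirm what the running policy does.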

Now, if you want to test to make sure this works you can, of course, run the
program in question. Or you can use pkcheck.

You use pkcheck like this:
pkcheck --action-id org.freedesktop.packagekit.package-install \
--process $process_id_of_the_process_making_the_request \
-u $the_username_you_are_testing

The process ID I used was that of a shell of the user or of the gnome-session process.

It should pop up an auth dialog if you did everything correctly.

For more complete docs look at:
man pklocalauthority

and

man polkit

Hope this helps.