2011-05-27

Changing PolicyKit settings per user

I have been hit twice by a required authentication on my workstation after the Wifi connection got lost and it is clearly irritating, especially when you are not around. The authentication requests are handled by PolicyKit (polkit for short) and can be tweaked.

The message by which I was hit was the following: "System policy prevents modification of network settings for all users."

Before you get started, the system-wide configuration files that contain the default values reside inside the /usr/share/polkit-1/actions/ directory. In this directory resides the file org.freedesktop.NetworkManager.policy, which contains all the default actions. It also contains the message about the network settings, for which the action id is "org.freedesktop.NetworkManager.settings.modify.system". At this point I was still clueless about what I was supposed to do.

After having searched the web for information about PolicyKit, I found one interesting article that helped me solve my issue and learn more about this authorization framework. Since this is something I very seldom have to do, I'm summing up everything here.

There are two useful commands to perform tests with PolicyKit, pkcheck and pkaction.

The first interesting command to use is pkcheck. It triggers an authorization request: it will prompt you to type in a password, or simply return true if no authorization is required, and false otherwise. For example:
pkcheck --action-id org.freedesktop.NetworkManager.settings.modify.system \
    --process `pidof gnome-session` -u `id -u`
You have to adapt the process and user parameters of course.



Next the command pkaction can be used to print the default system values, for example:
pkaction --action-id org.freedesktop.NetworkManager.settings.modify.system \
    --verbose
Now, to have a custom setting for your user, create a PolicyKit Local Authority file inside the directory /var/lib/polkit-1/localauthority/. Here is an example:
[Let user mike modify system settings for network]
Identity=unix-user:mike
Action=org.freedesktop.NetworkManager.settings.modify.system
ResultAny=no
ResultInactive=no
ResultActive=yes
I have saved this file under /var/lib/polkit-1/localauthority/50-local.d/10-network-manager.pkla.

There are three main values you can pass to ResultActive: no, auth_admin or yes. Respectively, they deny the authorization, ask for a password, and give access. For further information about the possible values, check the polkit manpage; also don't miss the pklocalauthority manpage to read more about the localauthority tree structure.
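
The following Python script is an added example, not part of the original post or of polkit: it reads the text of a .pkla file and reports entries that grant more than the per-user, active-session rule shown above, such as yes in ResultAny or ResultInactive, wildcard identities or actions, and misspelled result values. The function name audit_pkla, the finding texts and the second sample entry are constructed for illustration; the set of valid values is the one listed in the polkit manpage.

```python
import configparser

# Result values listed in the polkit manpage.
VALID = {"no", "auth_self", "auth_self_keep", "auth_admin", "auth_admin_keep", "yes"}

def audit_pkla(text):
    """Return a list of (entry name, finding) for the contents of one .pkla file."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep key case: Identity, Action, ResultActive...
    cp.read_string(text)
    findings = []
    for name in cp.sections():
        sec = cp[name]
        # Action is a semicolon-separated list of globs.
        actions = [a.strip() for a in sec.get("Action", "").split(";") if a.strip()]
        for key in ("ResultAny", "ResultInactive", "ResultActive"):
            val = sec.get(key)
            if val is None:
                continue
            if val not in VALID:
                findings.append((name, f"{key}={val}: unknown result value"))
            elif val == "yes" and key != "ResultActive":
                findings.append((name, f"{key}=yes: no password outside an active local session"))
            elif val == "yes" and any("*" in a for a in actions):
                findings.append((name, "ResultActive=yes on a wildcard Action"))
        if any(i.strip().endswith(":*") for i in sec.get("Identity", "").split(";")):
            findings.append((name, "Identity matches every user or group"))
    return findings

# The entry from the post: one user, one action, access only in an active session.
PAGE_ENTRY = """\
[Let user mike modify system settings for network]
Identity=unix-user:mike
Action=org.freedesktop.NetworkManager.settings.modify.system
ResultAny=no
ResultInactive=no
ResultActive=yes
"""
# Constructed for contrast (not from the post): broad globs and a misspelled value.
BROAD_ENTRY = """\
[Constructed: everyone, all NetworkManager actions]
Identity=unix-user:*
Action=org.freedesktop.NetworkManager.*
ResultAny=yes
ResultInactive=auth-admin
ResultActive=yes
"""
if __name__ == "__main__":
    print(audit_pkla(PAGE_ENTRY), audit_pkla(BROAD_ENTRY), sep="\n")
```

Run against the entry from the post it reports nothing; the constructed entry produces four findings.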

9 comments:

  1. You, sir, are awesome.

  2. Great article! Thanks for getting me out of a hole.

    One minor suggestion: I think you'd be better off putting the file in /etc/polkit-1/localauthority/50-local.d/ rather than in /var/lib/polkit-1/localauthority/50-local.d. I think the /etc location is intended for local mods; files in the /var/lib/ location are probably subject to change as the package is updated.

  3. Thanks. Exactly what I needed.

    BTW, which theme are you using?

    Replies
    1. The screenshot was taken on GNOME3, default theme.

      It took an end however... Post about that on Tumblr.

      The background comes from Interface Lift.

  4. I believe the source of this problem is that network connections by default have the "Available to all users" checkbox ticked...

    Which I believe triggers the requirement to satisfy this permission.

    On a shared laptop which requires staff members to be able to connect to a RADIUS-controlled WPA2-EAP access point, I think I would like the default to be a personal network connection and therefore not trigger the requirement to satisfy this permission.

  5. fantastic

  6. What's the difference between the /var/lib/polkit-1/* location and /etc/polkit-1/* location?

    Replies
    1. I wonder if that directory already existed at that time, maybe I just overlooked it. But no, there is no difference, you can put files inside /etc.

  7. captain awesome, solved same problem in my lubuntu, thanks mike
