Changing PolicyKit settings per user

I have been hit twice by a required authentication on my workstation after the Wifi connection got lost and it is clearly irritating, especially when you are not around. The authentication requests are handled by PolicyKit (polkit for short) and can be tweaked.

The message by which I was hit was the following: "System policy prevents modification of network settings for all users."

Before you get started, the system wide configuration files that contain the default values reside inside the /usr/share/polkit-1/actions/ directory. In this directory resides the file org.freedesktop.NetworkManager.policy which contains all the default actions. It does also contain the message about the network settings for which the action id is "org.freedesktop.NetworkManager.settings.modify.system." At this point I was still clueless of what I was supposed to do.

After having search the web for information about PolicyKit I have found one interesting article that helped me getting done with my issue and learning more about this authorization framework. This action being very seldom to perform, I'm summing up everything here.

There are two useful commands to perform tests with PolicyKit, pkcheck and pkaction.

The first interesting command to use is pkcheck. It will trigger an authorization request and prompt you to type in a password, simply return true if no authorization is required otherwise false. For example:
pkcheck --action-id org.freedesktop.NetworkManager.settings.modify.system \
    --process `pidof gnome-session` -u `id -u`
You have to adapt the process and user parameters of course.

Next the command pkaction can be used to print the default system values, for example:
pkaction --action-id org.freedesktop.NetworkManager.settings.modify.system \
Now to have a custom setting for your user, what has to be done is to create a PolicyKit Local Authority file inside the directory /var/lib/polkit-1/localauthority/. Here is an example:
[Let user mike modify system settings for network]
I have saved this file under /var/lib/polkit-1/localauthority/50-local.d/10-network-manager.pkla.

There are three main values you can pass to ResultActive that are no, auth_admin or yes. Respectively it will deny the authorization, ask for a password, and give access. For further information about the possible values check the polkit manpage, also don't miss the pklocalauthority manpage to read more about the localauthority tree structure.


  1. You, sir, are awesome.

  2. Great article! Thanks for getting me out of a hole.

    One minor suggestion: I think you'd be better off putting the file in /etc/polkit-1/localauthority/50-local.d/ rather than in /var/lib/polkit-1/localauthority/50-local.d. I think the /etc location is intended for local mods; files in the /var/lib/ location are probably subject to change as the package is updated.

  3. Thanks. Exactly what I needed.

    BTW, which theme are you using?

    1. The screenshot was taken on GNOME3, default theme.

      It took an end however... Post about that on Tumblr.

      The background comes from Interface Lift.

  4. fantastic

  5. What's the difference between the /var/lib/polkit-1/* location and /etc/polkit-1/* location?

    1. I wonder if that directory already existed at that time, maybe I just overlooked it. But no, there is no difference, you can put files inside /etc.

  6. captain awesome, solved same problem in my lubuntu, thanks mike

  7. PHP and Python website development training are the two promising for both working and new developers.
    web development course in bangalore
    web development training

  8. Wynn Casino, Las Vegas - JS Hub
    Search Results For "Wynn 광양 출장샵 Casino, Las Vegas" in 서귀포 출장마사지 our database of over 서귀포 출장안마 2,500 slot 목포 출장안마 machines, 포항 출장샵 video poker machines and video poker machines.