On 05/16/2018 12:36 AM, John Crawley wrote:
On 2018-05-15 22:24, Richard Owlett wrote:
On 05/15/2018 12:48 AM, John Crawley (johnraff) wrote:
Policykit brings its own complications, but I think it should be
possible to create a .pkla file in /var/lib/polkit-1/localauthority
to allow a certain user, or group member, to perform an action
defined in /usr/share/polkit-1/actions/* without a password. You
could even add a new action if necessary.
Through a chain of references I discovered
/usr/share/polkit-1/actions/com.ubuntu.pkexec.gparted.policy
The initial lines read:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
"-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
"http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>
However
[http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd]
gives a 404 File not found message.
Indeed. Even so, that seems to be what is required in the xml.
Where would I find its syntax?
I had a similar problem a while ago and found internet searches to be
somewhat helpful.
My searches were not as good. Thank you.
This is not Debian, but on-topic:
https://wiki.archlinux.org/index.php/Polkit
And:
https://www.freedesktop.org/software/polkit/docs/0.105/pklocalauthority.8.html
http://davidz25.blogspot.jp/2012/06/authorization-rules-in-polkit.html
https://github.com/systemd/systemd/issues/5523
I don't know if they answer ALL my questions.
BUT they each specifically address one or more of my questions.
They also suggest some likely fruitful search terms.
It seems polkit wants to shift from .pkla files to (JavaScript-like)
.rules files, but at the moment both might work on Debian, so use
whichever you feel less uncomfortable with.
I used a .pkla file in /var/lib/polkit-1/localauthority/10-vendor.d/. If
you search for *.pkla files on your system, there might be some there,
or in /etc/polkit-1/localauthority/* to use as a template.
By a convoluted path I found:
[https://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html]
Its last example strongly suggests I can do just what I want without
messing up other users &/or apps.
That's what I think too. Just as an untested guess, since the action is
already defined, something like this in
/etc/polkit-1/localauthority/50-local.d/gparted.pkla?
[Allow specific user to use gparted]
Identity=unix-user:yourusername
Action=com.ubuntu.pkexec.gparted
ResultAny=no
ResultInactive=no
ResultActive=yes
BTW To see the currently defined actions on your system, try this:
cat /usr/share/polkit-1/actions/* |
  grep -E '(<action|<description>|<message>|<allow|</action>)' |
  sed 's/<\/action>/\n/g;s/<\/[^>]*>//g'
But you can add one of your own too.
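
Added example, not part of the original thread: a Python check that reads .pkla text and reports every stanza that answers "yes" (no password prompt), noting when the grant is broader than a single user on a single action in the active session. The function name audit_pkla, the second stanza and the org.example.* action are constructed for illustration.

```python
import configparser

# Constructed sample: the first stanza is the one proposed in the thread,
# the second is a made-up broad grant for contrast.
SAMPLE = """\
[Allow specific user to use gparted]
Identity=unix-user:yourusername
Action=com.ubuntu.pkexec.gparted
ResultAny=no
ResultInactive=no
ResultActive=yes

[Constructed broad grant]
Identity=unix-group:users
Action=org.example.*
ResultAny=yes
"""

RESULT_KEYS = ("ResultAny", "ResultInactive", "ResultActive")


def audit_pkla(text):
    """Return one finding per stanza that answers 'yes' (no password prompt)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key names exactly as written in the file
    cp.read_string(text)
    findings = []
    for name in cp.sections():
        sec = cp[name]
        granted = [k for k in RESULT_KEYS if sec.get(k, fallback="").strip() == "yes"]
        if not granted:
            continue
        # Identity and Action are semicolon-separated lists of globs.
        ids = [i for i in sec.get("Identity", fallback="").split(";") if i]
        acts = [a for a in sec.get("Action", fallback="").split(";") if a]
        notes = []
        if set(granted) - {"ResultActive"}:
            notes.append("also applies outside the active local session")
        if any("*" in a for a in acts):
            notes.append("wildcard action")
        if any("*" in i or i.startswith("unix-group:") for i in ids):
            notes.append("group or wildcard identity")
        findings.append({"stanza": name, "identities": ids, "actions": acts,
                         "granted": granted, "notes": notes})
    return findings


if __name__ == "__main__":
    for f in audit_pkla(SAMPLE):
        print(f["stanza"], f["identities"], f["actions"], f["notes"] or "narrow grant")
```

To review a real system, pass the contents of each .pkla file found under /etc/polkit-1/localauthority/ and /var/lib/polkit-1/localauthority/ to audit_pkla.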