PKLA-CHECK-AUTHORI(8)      pkla-check-authorization      PKLA-CHECK-AUTHORI(8)

NAME

       pkla-check-authorization - Evaluate pklocalauthority authorization
       configuration

SYNOPSIS

       pkla-check-authorization [--help]

       pkla-check-authorization [--paths paths] {user-name} {is-local}
                                {is-active} {action}

DESCRIPTION

       pkla-check-authorization interprets non-JavaScript configuration files
       described below to determine the response of polkit(8) to authorization
       queries.

       Note: Authorization decision evaluation is driven by JavaScript rules
       as described in polkit(8).  pkla-check-authorization is called by a
       JavaScript rule file named 49-polkit-pkla-compat.rules; other
       JavaScript rules with a higher priority may exist, so the
       pkla-check-authorization configuration may not necessarily govern the
       final polkit(8) authorization decision.

       The ordering of the JavaScript rule files and the ordering of
       pkla-check-authorization configuration files are not integrated and
       follow different rules; the pkla-check-authorization configuration is
       evaluated at a single point within the JavaScript rule evaluation
       order.

       pkla-check-authorization is an internal helper program of
       polkit-pkla-compat. You shouldn't need to run it directly, except for
       debugging purposes.

       The arguments to pkla-check-authorization are, in order:

       user-name
           Name of the user account asking for authorization.

       is-local
           Whether the attempted action is performed from a local login
           session, true or false.

       is-active
           Whether the attempted action is performed from a currently active
           session (e.g. currently active virtual console), true or false.

       action
           A string identifying the polkit(8) action.

       If the configuration specifies an authorization decision,
       pkla-check-authorization outputs the decision and a terminating
       newline. If no decision is configured, the output is empty.

OPTIONS

       -h, --help
           Write a summary of the available options to standard output and
           exit successfully.

       -p, --paths=paths
           Search for configuration files in semicolon-separated paths instead
           of the default
           /var/lib/polkit-1/localauthority;/etc/polkit-1/localauthority.

EXIT STATUS

       pkla-check-authorization exits with 0 on success (even if there is no
       decision configured), and a non-zero status on error.

DIRECTORY STRUCTURE

       Files with .pkla extension are read from all directories located inside
       the /etc/polkit-1/localauthority and /var/lib/polkit-1/localauthority
       directories (or as specified using the --paths option). By default, the
       following sub-directories are installed.

           /etc/polkit-1/
           `-- localauthority
               |-- 10-vendor.d
               |-- 20-org.d
               |-- 30-site.d
               |-- 50-local.d
               `-- 90-mandatory.d

       and

           /var/lib/polkit-1/
           `-- localauthority
               |-- 10-vendor.d
               |-- 20-org.d
               |-- 30-site.d
               |-- 50-local.d
               `-- 90-mandatory.d

       The /etc/polkit-1/localauthority hierarchy is intended for local
       configuration and the /var/lib/polkit-1/localauthority hierarchy is
       intended for 3rd party packages.

       Each .pkla file contains one or more authorization entries. If the
       underlying filesystem supports file monitoring, the Local Authority
       will reload information whenever .pkla files are added, removed or
       changed.

       Each directory is intended for a specific audience:

       10-vendor.d
           Intended for use by the OS vendor.

       20-org.d
           Intended for the organization deploying the OS.

       30-site.d
           Intended for the site deploying the system.

       50-local.d
           Intended for local usage.

       90-mandatory.d
           Intended for the organization deploying the OS.

       and new directories can be added or removed as needed.

       As regards the content, each .pkla file is a standard key file and
       contains key/value pairs in one or more groups, with each group
       representing an authorization entry. A .pkla file MUST be named by
       using a scheme that ensures the name is unique, e.g. reverse DNS
       notation or similar. For example, if the organization “Acme Corp”
       needs to modify policy for the product “Frobnicator”, a name like
       com.acme.frobnicator.pkla would be suitable.

AUTHORIZATION ENTRY

       Each group in a .pkla file must have a name that is unique within the
       file it belongs to. The following keys are recognized:

       Identity
           A semi-colon separated list of entries to match identities. Each
           entry should start with unix-user: or unix-group: to specify
           whether to match on a UNIX user name or a UNIX group name, and
           continue with a glob matching the group or user name. Netgroups are
           supported with the unix-netgroup: prefix, but do not support glob
           syntax. Finally, an entry "default" (with no prefix) can be used to
           specify the default match.

       Action
           A semi-colon separated list of globs to match action identifiers.

       ResultActive
           The result to return for subjects in an active local session that
           matches one or more of the given identities. Allowed values are
           similar to what can be used in the defaults section of .policy
           files used to define actions, e.g.  yes, no, auth_self,
           auth_self_keep, auth_admin and auth_admin_keep.

       ResultInactive
           Like ResultActive but instead applies to subjects in inactive local
           sessions.

       ResultAny
           Like ResultActive but instead applies to any subject.

       Identity and Action are required; of ResultAny, ResultInactive and
       ResultActive, at least one must be present.

EVALUATION ORDER

       The authorization entries discussed above are consulted using the
       following algorithm.

       The authorization entries from all .pkla files are ordered using the
       following rules. First the basenames of all sub-directories (e.g.
       30-site.d) of both the /etc/polkit-1/localauthority and
       /var/lib/polkit-1/localauthority directories are enumerated and sorted
       (using the C locale). If a name exists in both /etc and /var, the one
       in /etc takes precedence. Then all .pkla files are read in order from
       this list of sub-directories. For each .pkla file, the authorization
       entries it contains are appended in order, resulting in an ordered list
       of authorization entries.

       For example, given the following files

           /var/lib/polkit-1
           └── localauthority
               ├── 10-vendor.d
               │   └── 10-desktop-policy.pkla
               ├── 20-org.d
               ├── 30-site.d
               ├── 50-local.d
               ├── 55-org.my.company.d
               │   └── 10-org.my.company.product.pkla
               └── 90-mandatory.d

           /etc/polkit-1
           └── localauthority
               ├── 10-vendor.d
               │   └── 01-some-changes-from-a-subvendor.pkla
               ├── 20-org.d
               ├── 30-site.d
               ├── 50-local.d
               ├── 55-org.my.company.d
               │   └── 10-org.my.company.product.pkla
               └── 90-mandatory.d

       the evaluation order of the .pkla files is:

        1. 10-desktop-policy.pkla

        2. 01-some-changes-from-a-subvendor.pkla

        3. 10-org.my.company.product.pkla (the /var one)

        4. 10-org.my.company.product.pkla (the /etc one)

       When the list of authorization entries has been calculated, the
       authorization check can be made. First, the user of the Subject is
       determined and the groups that the user belongs to are looked up.

       Then, authorization entries that include the "default" value in the
       Identity field are consulted in order. If the authorization entry
       matches the data from the authorization check, then the authorization
       result from ResultAny, ResultInactive or ResultActive is used.

       Next, for each group identity, all authorization entries that contain a
       matching group entry are again consulted in the same manner.

       Finally, the authorization entries are consulted using the user
       identity in the same manner.

       Note that processing continues even after a match. This allows for so
       called “negative authorizations”; see the section called “EXAMPLE” for
       further discussion.

EXAMPLE

       The following .pkla file grants authorization to all users in the staff
       group for actions matching the glob com.example.awesomeproduct.*
       provided they are in an active session on the local console:

           [Normal Staff Permissions]
           Identity=unix-group:staff
           Action=com.example.awesomeproduct.*
           ResultAny=no
           ResultInactive=no
           ResultActive=yes

       If the users homer and grimes are members of the staff group but policy
       requires that an administrator needs to authenticate every time
       authorization for any action matching com.example.awesomeproduct.* is
       required, one would add

           [Exclude Some Problematic Users]
           Identity=unix-user:homer;unix-user:grimes
           Action=com.example.awesomeproduct.*
           ResultAny=no
           ResultInactive=no
           ResultActive=auth_admin

       and make sure this authorization entry is after the first one.

       The following entry modifies the default authorization decision (it is
       overridden by any entry that matches using unix-user: or unix-group:,
       but overrides any defaults set by the application author in an .action
       file):

           [Disable Access by Default]
           Identity=default
           Action=com.example.awesomeproduct.*
           ResultAny=no
           ResultInactive=no
           ResultActive=no

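       An added Python model (not code from polkit-pkla-compat) of the
       evaluation order described in EVALUATION ORDER, applied to the three
       example entries above: "default" entries first, then group entries, then
       user entries, with a later match overriding an earlier one. It assumes
       netgroups and the directory ordering are out of scope, and that an entry
       lacking the Result key for the subject's session kind falls back to
       ResultAny.

```python
import configparser
from fnmatch import fnmatchcase
# Constructed input: the three EXAMPLE entries, in the order the text requires.
PKLA_TEXT = """\
[Disable Access by Default]
Identity=default
Action=com.example.awesomeproduct.*
ResultAny=no
ResultInactive=no
ResultActive=no
[Normal Staff Permissions]
Identity=unix-group:staff
Action=com.example.awesomeproduct.*
ResultAny=no
ResultInactive=no
ResultActive=yes
[Exclude Some Problematic Users]
Identity=unix-user:homer;unix-user:grimes
Action=com.example.awesomeproduct.*
ResultAny=no
ResultInactive=no
ResultActive=auth_admin
"""
def load_entries(text):
    """Parse a .pkla key file into its groups, preserving file order."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case: Identity, ResultAny, ...
    cp.read_string(text)
    return [dict(cp[name]) for name in cp.sections()]

def identity_matches(pattern, ident):
    """Same prefix (unix-user:, unix-group:, default) and a glob match on the name."""
    ptype, _, pglob = pattern.partition(":")
    itype, _, iname = ident.partition(":")
    return ptype == itype and fnmatchcase(iname, pglob)

def entry_result(entry, is_local, is_active):
    # Active local -> ResultActive, inactive local -> ResultInactive, else ResultAny.
    key = ("ResultActive" if is_active else "ResultInactive") if is_local else "ResultAny"
    return entry.get(key, entry.get("ResultAny"))  # ResultAny fallback is an assumption

def check_authorization(entries, user, groups, is_local, is_active, action):
    """'default' entries first, then each group, then the user; a later match overrides."""
    idents = ["default"] + ["unix-group:" + g for g in groups] + ["unix-user:" + user]
    decision = None
    for ident in idents:
        for e in entries:
            if any(fnmatchcase(action, a) for a in e["Action"].split(";")) and \
               any(identity_matches(p, ident) for p in e["Identity"].split(";")):
                decision = entry_result(e, is_local, is_active) or decision
    return decision
```

       With these entries, an active local session of homer yields auth_admin,
       of any other staff member yields yes, and of a non-staff user yields no
       from the default entry; an action outside the glob yields no decision.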

FILES

       /etc/polkit-1/localauthority, /var/lib/polkit-1/localauthority
           Default directories containing decision configuration files.

AUTHOR

       Written by David Zeuthen <davidz@redhat.com> with a lot of help from
       many others. Adapted by Miloslav Trmač <mitr@redhat.com>.

SEE ALSO

       polkit(8)



polkit-pkla-compat                 May 2013              PKLA-CHECK-AUTHORI(8)