1PKLA-ADMIN-IDENTIT(8) pkla-admin-identities PKLA-ADMIN-IDENTIT(8)
2
6 pkla-admin-identities - List pklocalauthority-configured polkit
7 administrators
8
10 pkla-admin-identities [--help]
11 pkla-admin-identities [--config-path config-path]
13
15 pkla-admin-identities interprets configuration files described below to
16 determine which users polkit(8) considers administrators, using a
17 non-JavaScript configuration file format described below.
18 Note: Determining which users are considered administrators is driven
20 by JavaScript rules as described in polkit(8). pkla-admin-identities
21 is called by a JavaScript rule file named 49-polkit-pkla-compat.rules;
22 other JavaScript rules with a higher priority may exist, so the
23 pkla-admin-identities configuration may not necessarily govern the
24 final decision by polkit(8).
25 The ordering of the JavaScript rule files and the ordering of
27 pkla-admin-identities configuration files is not integrated and uses
28 different rules; the pkla-admin-identities configuration evaluation is
29 happens at a single point within the JavaScript rule evaluation order.
30 pkla-admin-identities is an internal helper program of
32 pkla-polkit-compat. You shouldn't need to run it directly, except for
33 debugging purposes.
34 Configuration is read from files with a .conf extension in the
36 /etc/polkit-1/localauthority.conf.d directory. All files are read in
37 lexicographical order (using the C locale), meaning that later files
38 can override earlier ones. The file 50-localauthority.conf contains the
39 settings provided by the OS vendor. Users and 3rd party packages can
40 drop configuration files with a priority higher than 60 to change the
41 defaults. The configuration file format is simple. Each configuration
42 file is a key file (also commonly known as a ini file) with a single
43 group called [Configuration]. Only a single key, AdminIdentities is
44 read. The value of this key is a semi-colon separated list of
45 identities that can be used when administrator authentication is
46 required. Users are specified by prefixing the user name with
47 unix-user:, groups of users are specified by prefixing with
48 unix-group:, and netgroups of users are specified with unix-netgroup:.
49 See the section called “EXAMPLE” for an example of a configuration
50 file.
51 pkla-admin-identities outputs the resulting configuration of
53 administrator identities, one identity per line, using the same format
54 (including e.g. the unix-user: prefix). If no administrator identities
55 are configured in the above-described configuration files, the output
56 will be empty.
57
59 -h, --help
60 Write a summary of the available options to standard output and
61 exit successfully.
62 -c, --config-path=config-path
64 Search for configuration files in config-path instead of the
65 default /etc/polkit-1/localauthority.conf.d.
66
68 pkla-admin-identities exits with 0 on success (even if there are no
69 administrator identities), and a non-zero status on error.
70
72 /etc/polkit-1/localauthority.conf.d
73 Default directory containing configuration files.
74
76 The following .conf file
77 [Configuration]
79 AdminIdentities=unix-group:staff
80 specifies that any user in the staff UNIX group can be used for
83 authentication when administrator authentication is needed. This file
84 would typically be installed in the /etc/polkit-1/localauthority.conf.d
85 directory and given the name 60-desktop-policy.conf to ensure that it
86 is evaluated after the 50-localauthority.conf file shipped with
87 pkla-polkit-compat. If the local administrator wants to override this
88 (suppose 60-desktop-policy.conf was shipped as part of the OS) he can
89 simply create a file 99-my-admin-configuration.conf with the following
90 content
91 [Configuration]
93 AdminIdentities=unix-user:lisa;unix-user:marge
94 to specify that only the users lisa and marge can authenticate when
97 administrator authentication is needed.
98
100 Written by David Zeuthen <davidz@redhat.com> with a lot of help from
101 many others. Adapted by Miloslav Trmač <mitr@redhat.com>.
102
104 polkit(8)
105polkit-pkla-compat May 2013 PKLA-ADMIN-IDENTIT(8)