PKLA-CHECK-AUTHORI(8)          pkla-check-authorization          PKLA-CHECK-AUTHORI(8)

NAME
       pkla-check-authorization - Evaluate pklocalauthority authorization
       configuration

SYNOPSIS
       pkla-check-authorization [--help]

       pkla-check-authorization [--paths paths] {user-name} {is-local}
       {is-active} {action}

DESCRIPTION
       pkla-check-authorization interprets the non-JavaScript configuration
       files described below to determine the response of polkit(8) to
       authorization queries.

       Note: Authorization decision evaluation is driven by JavaScript rules
       as described in polkit(8). pkla-check-authorization is called by a
       JavaScript rule file named 49-polkit-pkla-compat.rules; other
       JavaScript rules with a higher priority may exist, so the
       pkla-check-authorization configuration may not necessarily govern the
       final polkit(8) authorization decision.

       The ordering of the JavaScript rule files and the ordering of
       pkla-check-authorization configuration files are not integrated and
       use different rules; the pkla-check-authorization configuration
       evaluation happens at a single point within the JavaScript rule
       evaluation order.

       pkla-check-authorization is an internal helper program of
       polkit-pkla-compat. You shouldn't need to run it directly, except for
       debugging purposes.

       The arguments to pkla-check-authorization are, in order:

       user-name
           Name of the user account asking for authorization.

       is-local
           Whether the attempted action is performed from a local login
           session, true or false.

       is-active
           Whether the attempted action is performed from a currently active
           session (e.g. the currently active virtual console), true or
           false.

       action
           A string identifying the polkit(8) action.

       If the configuration specifies an authorization decision,
       pkla-check-authorization outputs the decision and a terminating
       newline. If no decision is configured, the output is empty.

OPTIONS
       -h, --help
           Write a summary of the available options to standard output and
           exit successfully.

       -p, --paths=paths
           Search for configuration files in the semicolon-separated paths
           instead of the default
           /var/lib/polkit-1/localauthority;/etc/polkit-1/localauthority.

EXIT STATUS
       pkla-check-authorization exits with 0 on success (even if there is no
       decision configured), and with a non-zero status on error.

CONFIGURATION
       Files with the .pkla extension are read from all directories located
       inside the /etc/polkit-1/localauthority and
       /var/lib/polkit-1/localauthority directories (or those specified using
       the --paths option). By default, the following sub-directories are
       installed:

           /etc/polkit-1/
           `-- localauthority
               |-- 10-vendor.d
               |-- 20-org.d
               |-- 30-site.d
               |-- 50-local.d
               `-- 90-mandatory.d

       and

           /var/lib/polkit-1/
           `-- localauthority
               |-- 10-vendor.d
               |-- 20-org.d
               |-- 30-site.d
               |-- 50-local.d
               `-- 90-mandatory.d

       The /etc/polkit-1/localauthority hierarchy is intended for local
       configuration and the /var/lib/polkit-1/localauthority hierarchy is
       intended for 3rd party packages.

       Each .pkla file contains one or more authorization entries. If the
       underlying filesystem supports file monitoring, the Local Authority
       will reload information whenever .pkla files are added, removed or
       changed.

       Each directory is intended for a specific audience:

       10-vendor.d
           Intended for use by the OS vendor.

       20-org.d
           Intended for the organization deploying the OS.

       30-site.d
           Intended for the site deploying the system.

       50-local.d
           Intended for local usage.

       90-mandatory.d
           Intended for the organization deploying the OS.

       New directories can be added or removed as needed.

       As regards the content, each .pkla file is a standard key file and
       contains key/value pairs in one or more groups, with each group
       representing an authorization entry. A .pkla file MUST be named using
       a scheme that ensures the name is unique, e.g. reverse DNS notation or
       similar. For example, if the organization “Acme Corp” needs to modify
       policy for the product “Frobnicator”, a name like
       com.acme.frobnicator.pkla would be suitable.

AUTHORIZATION ENTRY
       Each group in a .pkla file must have a name that is unique within the
       file it belongs to. The following keys are recognized:

       Identity
           A semicolon-separated list of entries to match identities. Each
           entry should start with unix-user: or unix-group: to specify
           whether to match on a UNIX user name or a UNIX group name, and
           continue with a glob matching the user or group name. Netgroups
           are supported with the unix-netgroup: prefix, but do not support
           glob syntax. Finally, an entry "default" (with no prefix) can be
           used to specify the default match.

       Action
           A semicolon-separated list of globs to match action identifiers.

       ResultActive
           The result to return for subjects in an active local session that
           match one or more of the given identities. Allowed values are
           similar to those that can be used in the defaults section of the
           .policy files used to define actions, e.g. yes, no, auth_self,
           auth_self_keep, auth_admin and auth_admin_keep.

       ResultInactive
           Like ResultActive, but applies to subjects in inactive local
           sessions.

       ResultAny
           Like ResultActive, but applies to any subject.

       Identity and Action are required; of ResultAny, ResultInactive and
       ResultActive, at least one must be present.

EVALUATION ORDER
       The authorization entries discussed above are consulted using the
       following algorithm.

       The authorization entries from all .pkla files are ordered using the
       following rules. First, the basenames of all sub-directories (e.g.
       30-site.d) from both the /etc/polkit-1/localauthority and
       /var/lib/polkit-1/localauthority directories are enumerated and sorted
       (using the C locale). If a name exists in both /etc and /var, the one
       in /etc takes precedence: its files are read after those in /var, as
       the example below shows. Then all .pkla files are read in order from
       this list of sub-directories. For each .pkla file, its authorization
       entries are appended in order, resulting in an ordered list of
       authorization entries.

       For example, given the following files

           /var/lib/polkit-1
           └── localauthority
               ├── 10-vendor.d
               │   └── 10-desktop-policy.pkla
               ├── 20-org.d
               ├── 30-site.d
               ├── 50-local.d
               ├── 55-org.my.company.d
               │   └── 10-org.my.company.product.pkla
               └── 90-mandatory.d

           /etc/polkit-1
           └── localauthority
               ├── 10-vendor.d
               │   └── 01-some-changes-from-a-subvendor.pkla
               ├── 20-org.d
               ├── 30-site.d
               ├── 50-local.d
               ├── 55-org.my.company.d
               │   └── 10-org.my.company.product.pkla
               └── 90-mandatory.d

       the evaluation order of the .pkla files is:

        1. 10-desktop-policy.pkla

        2. 01-some-changes-from-a-subvendor.pkla

        3. 10-org.my.company.product.pkla (the /var one)

        4. 10-org.my.company.product.pkla (the /etc one)
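
       The file-ordering rule just described, as an added example that is not
       part of this page or of polkit-pkla-compat: a Python model that takes
       the search paths in --paths order and a constructed directory listing
       mirroring the two trees above, and returns the .pkla files in
       evaluation order. The LISTING dict, DEFAULT_PATHS and the
       evaluation_order function are this example's own assumptions.

```python
# Constructed listing mirroring the trees above: {search path: {sub-directory: [files]}}.
LISTING = {
    "/var/lib/polkit-1/localauthority": {
        "10-vendor.d": ["10-desktop-policy.pkla"],
        "20-org.d": [], "30-site.d": [], "50-local.d": [],
        "55-org.my.company.d": ["10-org.my.company.product.pkla"],
        "90-mandatory.d": [],
    },
    "/etc/polkit-1/localauthority": {
        "10-vendor.d": ["01-some-changes-from-a-subvendor.pkla"],
        "20-org.d": [], "30-site.d": [], "50-local.d": [],
        "55-org.my.company.d": ["10-org.my.company.product.pkla"],
        "90-mandatory.d": [],
    },
}
# Default search order, as given for --paths: /var first, /etc second.
DEFAULT_PATHS = "/var/lib/polkit-1/localauthority;/etc/polkit-1/localauthority".split(";")

def evaluation_order(paths, listing):
    # Sub-directory basenames from every search path are merged and sorted by plain
    # code-point comparison (the same order as the C locale for ASCII names). For each
    # basename, files are taken from the search paths in the order given, so with the
    # default paths an /etc file is read after the /var files and its entries come later.
    subdirs = sorted({d for p in paths for d in listing.get(p, {})})
    order = []
    for d in subdirs:
        for p in paths:
            files = sorted(f for f in listing.get(p, {}).get(d, []) if f.endswith(".pkla"))
            order.extend(f"{p}/{d}/{f}" for f in files)
    return order
```

       Reversing the path list (as --paths allows) reverses which copy of a
       same-named sub-directory is read last, and therefore which one wins.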

       When the list of authorization entries has been calculated, the
       authorization check can be made. First, the user of the Subject is
       determined and the groups that the user belongs to are looked up.

       Then, authorization entries that include the "default" value in the
       Identity field are consulted in order. If the authorization entry
       matches the data from the authorization check, then the authorization
       result from ResultAny, ResultInactive or ResultActive is used.

       Next, for each group identity, all authorization entries that contain
       a matching group entry are again consulted in the same manner.

       Finally, the authorization entries are consulted using the user
       identity in the same manner.

       Note that processing continues even after a match, so a later match
       overrides an earlier one. This allows for so-called “negative
       authorizations”; see the section called “EXAMPLE” for further
       discussion.

EXAMPLE
       The following .pkla file grants authorization to all users in the
       staff group for actions matching the glob com.example.awesomeproduct.*
       provided they are in an active session on the local console:

           [Normal Staff Permissions]
           Identity=unix-group:staff
           Action=com.example.awesomeproduct.*
           ResultAny=no
           ResultInactive=no
           ResultActive=yes

       If the users homer and grimes are members of the staff group but
       policy requires that an administrator authenticate every time
       authorization for any action matching com.example.awesomeproduct.* is
       required, one would add

           [Exclude Some Problematic Users]
           Identity=unix-user:homer;unix-user:grimes
           Action=com.example.awesomeproduct.*
           ResultAny=no
           ResultInactive=no
           ResultActive=auth_admin

       and make sure this authorization entry comes after the first one.

       The following entry modifies the default authorization decision (it is
       overridden by any entry that matches using unix-user: or unix-group:,
       but overrides any defaults set by the application author in an .action
       file):

           [Disable Access by Default]
           Identity=default
           Action=com.example.awesomeproduct.*
           ResultAny=no
           ResultInactive=no
           ResultActive=no
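
       A model of the evaluation algorithm run over these three entries,
       added here as an example that is not part of this page or of
       polkit-pkla-compat: it parses the entries above from a constructed
       .pkla text, consults default, group and user identities in that order,
       and lets later matches override earlier ones, so the exclusion entry
       turns a group "yes" into auth_admin and the default entry is beaten by
       any group or user match regardless of its position in the file. The
       parse_pkla, identity_matches and check_authorization names are this
       example's own; which Result* key is chosen for a session type is an
       assumption stated in the comments, and unix-netgroup: identities are
       not modelled.

```python
import configparser
import fnmatch
# Constructed sample: the three entries from this page's EXAMPLE section in one .pkla file.
SAMPLE_PKLA = """\
[Normal Staff Permissions]
Identity=unix-group:staff
Action=com.example.awesomeproduct.*
ResultAny=no
ResultInactive=no
ResultActive=yes
[Exclude Some Problematic Users]
Identity=unix-user:homer;unix-user:grimes
Action=com.example.awesomeproduct.*
ResultAny=no
ResultInactive=no
ResultActive=auth_admin
[Disable Access by Default]
Identity=default
Action=com.example.awesomeproduct.*
ResultAny=no
ResultInactive=no
ResultActive=no
"""
def parse_pkla(text):
    # A .pkla file is a key file: one group per authorization entry, kept in file order.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key names such as ResultActive case-sensitive
    cp.read_string(text)
    return [dict(cp[s]) for s in cp.sections()]

def identity_matches(spec, ident):
    # ident is "default", "unix-user:NAME" or "unix-group:NAME"; entries glob on NAME.
    kind, _, name = ident.partition(":")
    for item in (i.strip() for i in spec.split(";")):
        prefix, _, pattern = item.partition(":")
        if prefix == kind and (item == "default" or fnmatch.fnmatchcase(name, pattern)):
            return True
    return False

def check_authorization(entries, user, groups, is_local, is_active, action):
    # Consult "default" entries, then each group, then the user; later matches override earlier ones.
    # Assumed key selection: ResultActive/ResultInactive for local sessions, else ResultAny.
    key = "ResultActive" if is_active else "ResultInactive"
    decision = None  # None mirrors pkla-check-authorization's empty output
    for ident in ["default"] + ["unix-group:" + g for g in groups] + ["unix-user:" + user]:
        for e in entries:
            if any(fnmatch.fnmatchcase(action, a.strip()) for a in e["Action"].split(";")):
                if identity_matches(e["Identity"], ident):
                    decision = (e[key] if is_local and key in e else e.get("ResultAny")) or decision
    return decision
```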

FILES
       /etc/polkit-1/localauthority, /var/lib/polkit-1/localauthority
           Default directories containing decision configuration files.

AUTHOR
       Written by David Zeuthen <davidz@redhat.com> with a lot of help from
       many others. Adapted by Miloslav Trmač <mitr@redhat.com>.

SEE ALSO
       polkit(8)

polkit-pkla-compat                  May 2013                PKLA-CHECK-AUTHORI(8)