This subchapter looks at polkit, a UNIX (and Linux) command.
polkit is used to control system-wide privileges.
Teach Yourself UNIX/Linux System Administration and Shell Programming
table of contents
If you like the idea of this project,
then please donate some money.
more information on donating
This subchapter looks at polkit, a UNIX (and Linux) command.
polkit is used to control system-wide privileges.
polkit can be used to run privileged commands by typing pkexec, followed by the intended command:
$ pkexec cat README
It is generally recommended to use sudo rather than pkexec, because sudo provides greater flexibity and security.
While polkit is not part of the official Mac OS X release from Apple, it can be installed on mac OS X.
pkexec never does any validation of the ARGUMENTS passed to a program.
X11 (and other graphic) programs won’t run by default with polkit because the $DISPLAY environment variable is not set. The following information from the pkexec manual describes how to set pkexec so that it can run a graphic program.
To specify what kind of authorization is needed to execute the program /usr/bin/pk-example-frobnicate as another user, simply write an action definition file like this <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN" "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd"> <policyconfig> <vendor>Examples for the PolicyKit Project</vendor> <vendor_url>http://hal.freedesktop.org/docs/PolicyKit/</vendor_url> <action id="org.freedesktop.policykit.example.pkexec.run-frobnicate"> <description>Run the PolicyKit example program Frobnicate</description> <description xml:lang="da">Kør PolicyKit eksemplet Frobnicate</description> <message>Authentication is required to run the PolicyKit example program Frobnicate</message> <message xml:lang="da">Autorisering er påkrævet for at afvikle PolicyKit eksemplet Frobnicate</message> <icon_name>audio-x-generic</icon_name> <defaults> <allow_any>no</allow_any> <allow_inactive>no</allow_inactive> <allow_active>auth_self_keep</allow_active> </defaults> <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/pk-example-frobnicate</annotate> </action> </policyconfig> and drop it in the /usr/share/polkit-1/actions directory under a suitable name (e.g. matching the namespace of the action). Note that in addition to specifying the program, the authentication message, description, icon and defaults can be specified. For example, for the action defined above, the following authentication dialog will be shown: [IMAGE][2] +----------------------------------------------------------+ | Authenticate [X] | +----------------------------------------------------------+ | | | [Icon] Authentication is required to run the PolicyKit | | example program Frobnicate | | | | An application is attempting to perform an | | action that requires privileges. Authentication | | is required to perform this action. | | | | Password: [__________________________________] | | | | [V] Details: | | Command: /usr/bin/pk-example-frobnicate | | Run As: Super User (root) | | Action: org.fd.pk.example.pkexec.run-frobnicate | | Vendor: Examples for the PolicyKit Project | | | | [Cancel] [Authenticate] | +----------------------------------------------------------+ If the user is using the da_DK locale, the dialog looks like this: [IMAGE][3] +----------------------------------------------------------+ | Autorisering [X] | +----------------------------------------------------------+ | | | [Icon] Autorisering er p渓rセvet for at afvikle | | PolicyKit eksemplet Frobnicate | | | | Et program forsソger at udfソre en handling der | | krセver privilegier. Autorisering er p渓rセvet. | | | | Kodeord: [___________________________________] | | | | [V] Detaljer: | | Bruger: Super User (root) | | Program: /usr/bin/pk-example-frobnicate | | Handling: org.fd.pk.example.pkexec.run-frobnicate | | Vendor: Examples for the PolicyKit Project | | | | [Annull屍] [Autorisering] | +----------------------------------------------------------+ Note that pkexec does no validation of the ARGUMENTS passed to PROGRAM. In the normal case (where administrator authentication is required every time pkexec is used), this is not a problem since if the user is an administrator he might as well just run pkexec bash to get root. However, if an action is used for which the user can retain authorization (or if the user is implicitly authorized), such as with pk-example-frobnicate above, this could be a security hole. Therefore, as a rule of thumb, programs for which the default required authorization is changed, should never implicitly trust user input (e.g. like any other well-written suid program).
Coding example: I am making heavily documented and explained open source code for a method to play music for free — almost any song, no subscription fees, no download costs, no advertisements, all completely legal. This is done by building a front-end to YouTube (which checks the copyright permissions for you).
View music player in action: www.musicinpublic.com/.
Create your own copy from the original source code/ (presented for learning programming).
return to table of contents
free downloadable college text book
free downloadable system administrator and shell programming book
Because I no longer have the computer and software to make PDFs, the book is available as an HTML file, which you can convert into a PDF.
Teach Yourself UNIX/Linux System Administration and Shell Programming
Building a free downloadable text book on computer programming for university, college, community college, and high school classes in computer programming.
If you like the idea of this project,
then please donate some money.
send donations to:
Milo
PO Box 1361
Tustin, California 92781
Supporting the entire project:
If you have a business or organization that can support the entire cost of this project, please contact Pr Ntr Kmt (my church)
Some or all of the material on this web page appears in the
free downloadable college text book on computer programming.
This web site handcrafted on Macintosh computers using Tom Bender’s Tex-Edit Plus and served using FreeBSD .
†UNIX used as a generic term unless specifically used as a trademark (such as in the phrase “UNIX certified”). UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open Company Ltd.
Names and logos of various OSs are trademarks of their respective owners.
Copyright © 2014 Milo
Created: January 9, 2014
Last Updated: June 8, 2014
return to table of contents
free downloadable college text book
free downloadable system administrator and shell programming book
