music |
| | OSdata.com |
polkit
summary
This subchapter looks at polkit, a UNIX (and Linux) command.
polkit is used to control system-wide privileges.
polkit
This subchapter looks at polkit, a UNIX (and Linux) command.
polkit is used to control system-wide privileges.
running privileged commands
polkit
can be used to run privileged commands by typing pkexec
, followed by the intended command:
$ pkexec cat README
sudo alternative
It is generally recommended to use sudo
rather than pkexec
, because sudo
provides greater flexibity and security.
Mac OS X
While polkit is not part of the official Mac OS X release from Apple, it can be installed on mac OS X.
security
pkexec never does any validation of the ARGUMENTS passed to a program.
graphic programs
X11 (and other graphic) programs wont run by default with polkit
because the $DISPLAY environment variable is not set. The following information from the pkexec
manual describes how to set pkexec
so that it can run a graphic program.
To specify what kind of authorization is needed to execute the program
/usr/bin/pk-example-frobnicate as another user, simply write an action
definition file like this
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
"-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
"http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>
<vendor>Examples for the PolicyKit Project</vendor>
<vendor_url>http://hal.freedesktop.org/docs/PolicyKit/</vendor_url>
<action id="org.freedesktop.policykit.example.pkexec.run-frobnicate">
<description>Run the PolicyKit example program Frobnicate</description>
<description xml:lang="da">Kør PolicyKit eksemplet Frobnicate</description>
<message>Authentication is required to run the PolicyKit example program Frobnicate</message>
<message xml:lang="da">Autorisering er påkrævet for at afvikle PolicyKit eksemplet Frobnicate</message>
<icon_name>audio-x-generic</icon_name>
<defaults>
<allow_any>no</allow_any>
<allow_inactive>no</allow_inactive>
<allow_active>auth_self_keep</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.exec.path">/usr/bin/pk-example-frobnicate</annotate>
</action>
</policyconfig>
and drop it in the /usr/share/polkit-1/actions directory under a
suitable name (e.g. matching the namespace of the action). Note that in
addition to specifying the program, the authentication message,
description, icon and defaults can be specified. For example, for the
action defined above, the following authentication dialog will be
shown:
[IMAGE][2]
+----------------------------------------------------------+
| Authenticate [X] |
+----------------------------------------------------------+
| |
| [Icon] Authentication is required to run the PolicyKit |
| example program Frobnicate |
| |
| An application is attempting to perform an |
| action that requires privileges. Authentication |
| is required to perform this action. |
| |
| Password: [__________________________________] |
| |
| [V] Details: |
| Command: /usr/bin/pk-example-frobnicate |
| Run As: Super User (root) |
| Action: org.fd.pk.example.pkexec.run-frobnicate |
| Vendor: Examples for the PolicyKit Project |
| |
| [Cancel] [Authenticate] |
+----------------------------------------------------------+
If the user is using the da_DK locale, the dialog looks like this:
[IMAGE][3]
+----------------------------------------------------------+
| Autorisering [X] |
+----------------------------------------------------------+
| |
| [Icon] Autorisering er pkržvet for at afvikle |
| PolicyKit eksemplet Frobnicate |
| |
| Et program forsŋger at udfŋre en handling der |
| kržver privilegier. Autorisering er pkržvet. |
| |
| Kodeord: [___________________________________] |
| |
| [V] Detaljer: |
| Bruger: Super User (root) |
| Program: /usr/bin/pk-example-frobnicate |
| Handling: org.fd.pk.example.pkexec.run-frobnicate |
| Vendor: Examples for the PolicyKit Project |
| |
| [Annullr] [Autorisering] |
+----------------------------------------------------------+
Note that pkexec does no validation of the ARGUMENTS passed to PROGRAM.
In the normal case (where administrator authentication is required
every time pkexec is used), this is not a problem since if the user is
an administrator he might as well just run pkexec bash to get root.
However, if an action is used for which the user can retain
authorization (or if the user is implicitly authorized), such as with
pk-example-frobnicate above, this could be a security hole. Therefore,
as a rule of thumb, programs for which the default required
authorization is changed, should never implicitly trust user input
(e.g. like any other well-written suid program).
comments, suggestions, corrections, criticisms
free music player coding example
Coding example: I am making heavily documented and explained open source code for a method to play music for free almost any song, no subscription fees, no download costs, no advertisements, all completely legal. This is done by building a front-end to YouTube (which checks the copyright permissions for you).
View music player in action: www.musicinpublic.com/.
Create your own copy from the original source code/ (presented for learning programming).
Because I no longer have the computer and software to make PDFs, the book is available as an HTML file, which you can convert into a PDF.
Names and logos of various OSs are trademarks of their respective owners.