Linux Policykit Utility
From bib. source
The polkit (PolicyKit) toolkit provides a different way of delegating privileges than sudo does. The polkit daemon works with systemd to permit administrators to delegate more granular control to users than sudo allows. Unlike sudo, polkit does not grant full root access to a process but instead grants specific access to defined actions.
The difference between PolicyKit (or polkit, short for Policy Toolkit) and using sudo with the sudoers file (refer to 20250712144809-Linux_Superusers) is that PolicyKit is a SystemD daemon service, while sudo is just administrative delegation software (Garn 2022, 51).
PolicyKit is a SystemD daemon because that allows it to take advantage of SystemD features to control which particular actions are permissible for given users, independent of the root access those users have to specific files or processes (Ibid). Consequently, PolicyKit can be seen as allowing supplementary prohibitions on users after administrative privileges have been defined for user accounts with sudo in the file /etc/sudoers, or as allowing supplementary allowances that may or may not nonetheless need authentication through sudo all the same.
Configuring PolicyKit
PolicyKit is configured by writing text files that define specific actions or processes, and then writing rules or policies in other text files that reference those actions or processes (Ibid). The former are stored in the directory /usr/share/polkit-1/actions with a .policy file extension, while the latter are stored in the directory /etc/polkit-1/rules.d for local policies or /usr/share/polkit-1/rules.d for third-party policies, with a .rules file extension (Ibid). The former (the actions or processes referred to as policies) are in XML (Extensible Markup Language) format, while the latter (the rules on those policies/actions/processes) are in JSON (JavaScript Object Notation) format (Ibid).
Once a “rule” and its corresponding “policy” are written (Ibid):
From bib. source
When a user attempts an action, the rules are checked to determine success or failure.
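As an added example (not taken from Garn's guide or from the polkit project), the following script audits the XML action definitions described above and lists every action whose default grants access without any authentication prompt. The action ids in the embedded sample are constructed, and reporting an omitted scope as "no" is an assumption of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the .policy XML layout; the action ids are made up.
SAMPLE_POLICY = """\
<policyconfig>
  <action id="org.example.backup.run">
    <description>Run the backup helper</description>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
  <action id="org.example.netcfg.modify">
    <description>Change network settings</description>
    <defaults>
      <allow_any>no</allow_any>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
</policyconfig>
"""

# The three session scopes an action's <defaults> element can set.
SCOPES = ("allow_any", "allow_inactive", "allow_active")

def parse_actions(xml_text):
    """Return {action_id: {scope: value}}.

    Assumption of this example: a scope the file omits is reported as 'no'.
    """
    actions = {}
    for action in ET.fromstring(xml_text).iter("action"):
        defaults = action.find("defaults")
        actions[action.get("id")] = {
            s: (defaults.findtext(s, "no").strip() if defaults is not None else "no")
            for s in SCOPES
        }
    return actions

def unauthenticated(actions):
    """List (action_id, scope) pairs whose default is 'yes' (no password prompt)."""
    return sorted((aid, s) for aid, d in actions.items()
                  for s, v in d.items() if v == "yes")

if __name__ == "__main__":
    for aid, scope in unauthenticated(parse_actions(SAMPLE_POLICY)):
        print(f"{aid}: {scope}=yes (granted without authentication)")
```

To audit a real system, pass the text of each file under /usr/share/polkit-1/actions to parse_actions instead of the sample.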
PolicyKit-related commands
The primary commands related to PolicyKit are as follows (Ibid):
- The pkexec primary command, which allows an authorized user to execute an action.
- The pkaction primary command, which displays details about an action.
- The pkcheck primary command, which displays whether a process or action is authorized.
- The pkttyagent primary command, which provides a text-based authentication agent.
Using pkexec in particular would involve typing and executing something like:
pkexec $PROGRAM $ARGUMENT
bibliography
- Garn, Damon. The Official CompTIA Linux+ Student Guide (Exam XK0-005). 1.0. Downers Grove, IL: CompTIA, 2022.