Polkit rules do not work

Cecil Westerhof

Aug 13, 2018, 8:14:03 AM
When looking at:
https://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html
AUTHORIZATION RULES

Then after changing:
/etc/polkit-1/rules.d/10-auth.rules

New rules should be implemented. But my rule does not work. I could
have written it wrongly, but with journalctl I do not see any logging
at the moment I write the file.

I remember that in some instances Debian uses other locations for
systemd file. Is that the case here also?

--
Cecil Westerhof
Senior Software Engineer
LinkedIn: http://www.linkedin.com/in/cecilwesterhof

Wildman

Aug 13, 2018, 11:30:15 AM
On Mon, 13 Aug 2018 14:09:21 +0200, Cecil Westerhof wrote:

> When looking at:
> https://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html
> AUTHORIZATION RULES
>
> Then after changing:
> /etc/polkit-1/rules.d/10-auth.rules
>
> New rules should be implemented. But my rule does not work. I could
> have written it wrongly, but with journalctl I do not see any logging
> at the moment I write the file.
>
> I remember that in some instances Debian uses other locations for
> systemd file. Is that the case here also?

Try /usr/share/polkit-1/actions/.

--
<Wildman> GNU/Linux user #557453
The cow died so I don't need your bull!

Cecil Westerhof

Aug 13, 2018, 12:14:03 PM
Wildman <best...@yahoo.com> writes:

> On Mon, 13 Aug 2018 14:09:21 +0200, Cecil Westerhof wrote:
>
>> When looking at:
>> https://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html
>> AUTHORIZATION RULES
>>
>> Then after changing:
>> /etc/polkit-1/rules.d/10-auth.rules
>>
>> New rules should be implemented. But my rule does not work. I could
>> have written it wrongly, but with journalctl I do not see any logging
>> at the moment I write the file.
>>
>> I remember that in some instances Debian uses other locations for
>> systemd file. Is that the case here also?
>
> Try /usr/share/polkit-1/actions/.

The example I had used JavaScript. I understood that with Debian you
cannot use JavaScript, but need to use XML. Is that true?
If so, where do I find how to write XML configuration files? Until now
I only found JavaScript examples.

Cecil Westerhof

Aug 13, 2018, 12:44:02 PM
Cecil Westerhof <Ce...@decebal.nl> writes:

> Wildman <best...@yahoo.com> writes:
>
>> On Mon, 13 Aug 2018 14:09:21 +0200, Cecil Westerhof wrote:
>>
>>> When looking at:
>>> https://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html
>>> AUTHORIZATION RULES
>>>
>>> Then after changing:
>>> /etc/polkit-1/rules.d/10-auth.rules
>>>
>>> New rules should be implemented. But my rule does not work. I could
>>> have written it wrongly, but with journalctl I do not see any logging
>>> at the moment I write the file.
>>>
>>> I remember that in some instances Debian uses other locations for
>>> systemd file. Is that the case here also?
>>
>> Try /usr/share/polkit-1/actions/.
>
> The example I had used JavaScript. I understood that with Debian you
> cannot use JavaScript, but need to use XML. Is that true?
> If so, where do I find how to write XML configuration files? Until now
> I only found JavaScript examples.

To explain what I am trying to do. For sudo I have configured:
cecil ALL = NOPASSWD: /bin/systemctl restart vmstatLog
cecil ALL = NOPASSWD: /bin/systemctl status vmstatLog

The first one I want to define in polkit. The second is not necessary
because:
sudo systemctl status vmstatLog
and:
systemctl status vmstatLog

give the same output.

How would I do that?

Wildman

Aug 13, 2018, 1:22:21 PM
On Mon, 13 Aug 2018 18:40:29 +0200, Cecil Westerhof wrote:

> Cecil Westerhof <Ce...@decebal.nl> writes:
>
>> Wildman <best...@yahoo.com> writes:
>>
>>> On Mon, 13 Aug 2018 14:09:21 +0200, Cecil Westerhof wrote:
>>>
>>>> When looking at:
>>>> https://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html
>>>> AUTHORIZATION RULES
>>>>
>>>> Then after changing:
>>>> /etc/polkit-1/rules.d/10-auth.rules
>>>>
>>>> New rules should be implemented. But my rule does not work. I could
>>>> have written it wrongly, but with journalctl I do not see any logging
>>>> at the moment I write the file.

What is the rule?

>>>> I remember that in some instances Debian uses other locations for
>>>> systemd file. Is that the case here also?
>>>
>>> Try /usr/share/polkit-1/actions/.
>>
>> The example I had used JavaScript. I understood that with Debian you
>> cannot use JavaScript, but need to use XML. Is that true?
>> If so, where do I find how to write XML configuration files? Until now
>> I only found JavaScript examples.
>
> To explain what I am trying to do. For sudo I have configured:
> cecil ALL = NOPASSWD: /bin/systemctl restart vmstatLog
> cecil ALL = NOPASSWD: /bin/systemctl status vmstatLog
>
> The first one I want to define in polkit. The second is not necessary
> because:
> sudo systemctl status vmstatLog
> and:
> systemctl status vmstatLog
>
> give the same output.
>
> How would I do that?

Now I'm confused or my knowledge about the policy kit is not
what I thought. It is my understanding that it is used for
starting an X (gui) program with elevated privileges but has
nothing to do with sudo. A program supplied with the policy
kit package called pkexec is used for authentication.

Systemctl is not an X program so that is where my confusion
lies. Also, if you want to start systemctl without a password,
the entry in sudoers should be enough.

Can you provide more info?

--
<Wildman> GNU/Linux user #557453
NACHO CHEESE! NACHO CHEESE!
Well, whose cheese is it?

Cecil Westerhof

Aug 13, 2018, 2:44:03 PM
Wildman <best...@yahoo.com> writes:

> On Mon, 13 Aug 2018 18:40:29 +0200, Cecil Westerhof wrote:
>
>> Cecil Westerhof <Ce...@decebal.nl> writes:
>>
>>> Wildman <best...@yahoo.com> writes:
>>>
>>>> On Mon, 13 Aug 2018 14:09:21 +0200, Cecil Westerhof wrote:
>>>>
>>>>> When looking at:
>>>>> https://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html
>>>>> AUTHORIZATION RULES
>>>>>
>>>>> Then after changing:
>>>>> /etc/polkit-1/rules.d/10-auth.rules
>>>>>
>>>>> New rules should be implemented. But my rule does not work. I could
>>>>> have written it wrongly, but with journalctl I do not see any logging
>>>>> at the moment I write the file.
>
> What is the rule?

polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.systemd1.manage-units" &&
        action.lookup("unit") == "vmstatLog.service" &&
        action.lookup("verb") == "restart" &&
        subject.user == "cecil") {
        return polkit.Result.YES;
    }
});

I am new to polkit. I want to restart a service not as root, but as
user that is running the service. At the systemd mailing-list I was
told I could use sudo or polkit. I have it working with sudo, but
would prefer polkit.


> Can you provide more info?

The thread on the systemd mailing-list:
https://lists.freedesktop.org/archives/systemd-devel/2018-August/041168.html
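
Added example, not part of the original post: the rule above run under Node.js against a small stand-in for the `polkit` object, to show which requests it grants and which it leaves to the action's defaults. The mock `polkit` object and the helpers `request` and `decide` are hypothetical names made up for this example, and the sample requests are constructed.

```javascript
// Minimal stand-in for the object polkitd exposes to rules files
// (mock written for this example; only addRule and Result are modelled).
const rules = [];
const polkit = {
  Result: { YES: "yes", NO: "no", AUTH_ADMIN: "auth_admin" },
  addRule: (fn) => rules.push(fn),
};

// The rule from the post, unchanged apart from indentation.
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.systemd1.manage-units" &&
        action.lookup("unit") == "vmstatLog.service" &&
        action.lookup("verb") == "restart" &&
        subject.user == "cecil") {
        return polkit.Result.YES;
    }
});

// Build a constructed request: an action id with "unit" and "verb"
// details, plus the requesting user.
function request(id, unit, verb, user) {
  const details = { unit, verb };
  return [{ id, lookup: (key) => details[key] }, { user }];
}

// Call the rules in order; the first one that returns a value decides.
// If none does, the request is left to the action's defaults.
function decide(id, unit, verb, user) {
  const [action, subject] = request(id, unit, verb, user);
  for (const rule of rules) {
    const result = rule(action, subject);
    if (result !== undefined && result !== null) return result;
  }
  return "not handled";
}

const MANAGE = "org.freedesktop.systemd1.manage-units";
const cases = [
  [MANAGE, "vmstatLog.service", "restart", "cecil"],
  [MANAGE, "vmstatLog.service", "restart", "alice"], // other user
  [MANAGE, "vmstatLog.service", "stop", "cecil"],    // other verb
  [MANAGE, "ssh.service", "restart", "cecil"],       // other unit
];
for (const c of cases) console.log(c.slice(1).join(" "), "->", decide(...c));
```

JavaScript `.rules` files are only read by polkit 0.106 and later; `pkaction --version` prints the installed version.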

Wildman

Aug 13, 2018, 5:32:47 PM
On Mon, 13 Aug 2018 20:39:33 +0200, Cecil Westerhof wrote:

Ok, I have something to try. It is untested so YMMV.
I assume you want the password bypassed since you made
the entry in sudoers for sudo. This should do it...

Create a text file called - com.ubuntu.pkexec.systemctl.policy
Place it in - /usr/share/polkit-1/actions/
Use this command - pkexec systemctl user
Place this in the text file -

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>
  <action id="org.freedesktop.policykit.pkexec.systemctl">
    <defaults>
      <allow_any>yes</allow_any>
      <allow_inactive>yes</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/bin/systemctl restart vmstatLog</annotate>
  </action>
</policyconfig>

If it don't work, try putting quotes around the entry for
policykit.exec.path, "/bin/systemctl restart vmstatLog".
If it still won't work, someone smarter than me will need
to chime in.

--
<Wildman> GNU/Linux user #557453

Cecil Westerhof

Aug 13, 2018, 9:14:03 PM
This would do it for every user (I think) and I only want to do it for
user cecil, but it does not work. :'-(

Wildman

Aug 13, 2018, 10:24:58 PM
You replace "user" in the command with the actual user
name, i.e., cecil.

When you run the command are you getting any errors?

Cecil Westerhof

Aug 14, 2018, 3:28:03 AM
I did not read the message correctly. I overlooked the pkexec command.

That means I have to change sudo to pkexec? That does not sound like a
real win.

When using:
pkexec systemctl restart vmstatLog

I get:
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
Authentication is needed to run `/bin/systemctl' as the super user
Authenticating as: Cecil Westerhof,,, (cecil)
Password:

This is with and without quotes.

Wildman

Aug 14, 2018, 9:51:18 AM
That is what must be done if you want to use polkit.

> When using:
> pkexec systemctl restart vmstatLog

That is not the correct command for the command line.

> I get:
> ==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
> Authentication is needed to run `/bin/systemctl' as the super user
> Authenticating as: Cecil Westerhof,,, (cecil)
> Password:
>
> This is with and without quotes.

It is not clear to me what you did. The command line
should be - pkexec systemctl cecil
Is that what you used?

"pkexec systemctl restart vmstatLog" is the execute
path in the .policy file not the command line.

Cecil Westerhof

Aug 14, 2018, 10:28:03 AM
I tried that also. It gives:
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
Authentication is needed to run `/bin/systemctl' as the super user
Authenticating as: Cecil Westerhof,,, (cecil)
Password:

Also: I only want it to be executed by cecil. In this way (if it
would work) it could be done by anyone. Or am I overlooking something?


> "pkexec systemctl restart vmstatLog" is the execute
> path in the .policy file not the command line.


Wildman

Aug 14, 2018, 11:09:59 AM
I can't offer anything more. Until something else comes
along I would suggest going back to using sudo.