Use of Javascript rules in polkit

polkit is a service used in Ubuntu that allows unprivileged processes to access system services. It is invoked when you do things like:

  • Change the system date/time.
  • Add/remove users from Settings.
  • Installing/removing software

When you do these a dialog often pops up for your password, though this is configurable by the system administrator.

In Debian and Ubuntu we are running polkit 105, which is almost 8 years old due to upstream switching the configuration backend from a PKLA (keyfile based) format to a more flexible JS format. This was done using the mozjs library which was not considered secure enough at the time to use in Ubuntu.

Example of a PKLA rule:

[Normal Staff Permissions]
Identity=unix-group:staff
Action=com.example.awesomeproduct.*
ResultAny=no
ResultInactive=no
ResultActive=yes

Example of a JS rule:

// Allow systemd-networkd to set timezone, get product UUID,
// and transient hostname
polkit.addRule(function(action, subject) {
    if ((action.id == "org.freedesktop.hostname1.set-hostname" ||
         action.id == "org.freedesktop.hostname1.get-product-uuid" ||
         action.id == "org.freedesktop.timedate1.set-timezone") &&
        subject.user == "systemd-network") {
        return polkit.Result.YES;
    }
});

Obviously the JS rules are a lot more flexible.

I’m currently investigating if we can update to the latest version of polkit (116 at this time) as it is desirable to get back into sync with upstream.

If you are using polkit rules on a system you are running can you comment here if:

  • You are running polkit on Ubuntu and have found the current PKLA format too limiting.
  • You are running other distros using newer versions of polkit with the JS support. Please give your experience of it.
3 Likes

@robert.ancell: that’s long overdue. Good luck in tackling that thing. And thanks!

1 Like