Polkit? wtf is this again? actually...

May 23, 2017

Official docs: https://www.freedesktop.org/software/polkit/docs/latest/
(yeah – desktop!)
Errors are probably in /var/log/auth.log (vim /var/log/auth.log); otherwise search all logs:
grep -r olkit /var/log/*

server polkitd(authority=local): Operator of unix-process:21081:38154187 FAILED to authenticate to gain authorization for action org.freedesktop.systemd1.manage-units for system-bus-name::1.137 [] (owned by unix-user:
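
Added example, not part of the original post: a small Python parser for the failure line above that tolerates the cut-off owner field and counts failures per action. Only the first sample line comes from this post; the other lines, all timestamps and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Modelled on the polkitd line quoted in this post. The owner part is
# optional because that quoted line is cut off after "unix-user:".
FAILED = re.compile(
    r"polkitd\(authority=(?P<authority>[^)]+)\): Operator of "
    r"(?P<subject>unix-(?:process|session):\S+) FAILED to authenticate "
    r"to gain authorization for action (?P<action>\S+) "
    r"for (?P<bus>system-bus-name:\S+) \[(?P<cmdline>.*?)\]"
    r"(?: \(owned by unix-user:(?P<owner>[^)\s]*)\)?)?"
)

# Constructed sample: line 1 is the line from the post with a made-up
# timestamp; timestamps, users and bracketed commands are invented.
SAMPLE = """\
May 23 10:01:02 server polkitd(authority=local): Operator of unix-process:21081:38154187 FAILED to authenticate to gain authorization for action org.freedesktop.systemd1.manage-units for system-bus-name::1.137 [] (owned by unix-user:
May 23 10:01:09 server polkitd(authority=local): Operator of unix-process:21090:38154901 FAILED to authenticate to gain authorization for action org.freedesktop.systemd1.manage-units for system-bus-name::1.138 [systemctl restart demo.service] (owned by unix-user:alice)
May 23 10:02:00 server sshd[999]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
May 23 10:03:30 server polkitd(authority=local): Operator of unix-session:c2 FAILED to authenticate to gain authorization for action org.freedesktop.login1.reboot for system-bus-name::1.140 [systemctl reboot] (owned by unix-user:bob)
"""


def parse_failures(text):
    """Return one dict per failed polkit authentication found in text."""
    events = []
    for line in text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue  # not a polkitd failure line
        ev = m.groupdict()
        ev["owner"] = ev["owner"] or None  # truncated or missing owner
        kind, _, rest = ev["subject"].partition(":")
        # unix-process subjects are PID:start-time; sessions have no PID
        ev["pid"] = int(rest.split(":")[0]) if kind == "unix-process" else None
        events.append(ev)
    return events


def failures_by_action(events):
    """Count failures per polkit action id, most frequent first."""
    return Counter(ev["action"] for ev in events).most_common()


if __name__ == "__main__":
    for action, count in failures_by_action(parse_failures(SAMPLE)):
        print(f"{count:3d}  {action}")
```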

root@server:/etc/polkit-1# pkaction
com.ubuntu.apport.apport-gtk-root
com.ubuntu.apport.root-info
com.ubuntu.languageselector.setsystemdefaultlanguage
com.ubuntu.release-upgrader.partial-upgrade
com.ubuntu.release-upgrader.release-upgrade
com.ubuntu.softwareproperties.applychanges
com.ubuntu.update-notifier.pkexec.cddistupgrader
com.ubuntu.update-notifier.pkexec.package-system-locked
org.freedesktop.accounts.change-own-user-data
org.freedesktop.accounts.set-login-option
org.freedesktop.accounts.user-administration
org.freedesktop.hostname1.set-hostname
org.freedesktop.hostname1.set-machine-info
org.freedesktop.hostname1.set-static-hostname
org.freedesktop.locale1.set-keyboard
org.freedesktop.locale1.set-locale
org.freedesktop.login1.attach-device
org.freedesktop.login1.flush-devices
org.freedesktop.login1.hibernate
org.freedesktop.login1.hibernate-ignore-inhibit
org.freedesktop.login1.hibernate-multiple-sessions
org.freedesktop.login1.inhibit-block-idle
org.freedesktop.login1.inhibit-block-shutdown
org.freedesktop.login1.inhibit-block-sleep
org.freedesktop.login1.inhibit-delay-shutdown
org.freedesktop.login1.inhibit-delay-sleep
org.freedesktop.login1.inhibit-handle-hibernate-key
org.freedesktop.login1.inhibit-handle-lid-switch
org.freedesktop.login1.inhibit-handle-power-key
org.freedesktop.login1.inhibit-handle-suspend-key
org.freedesktop.login1.lock-sessions
org.freedesktop.login1.manage
org.freedesktop.login1.power-off
org.freedesktop.login1.power-off-ignore-inhibit
org.freedesktop.login1.power-off-multiple-sessions
org.freedesktop.login1.reboot
org.freedesktop.login1.reboot-ignore-inhibit
org.freedesktop.login1.reboot-multiple-sessions
org.freedesktop.login1.set-reboot-to-firmware-setup
org.freedesktop.login1.set-user-linger
org.freedesktop.login1.set-wall-message
org.freedesktop.login1.suspend
org.freedesktop.login1.suspend-ignore-inhibit
org.freedesktop.login1.suspend-multiple-sessions
org.freedesktop.policykit.exec
org.freedesktop.policykit.lockdown
org.freedesktop.systemd1.manage-unit-files
org.freedesktop.systemd1.manage-units
-> org.freedesktop.systemd1.reload-daemon
org.freedesktop.systemd1.reply-password
org.freedesktop.systemd1.set-environment
org.freedesktop.timedate1.set-local-rtc
org.freedesktop.timedate1.set-ntp
org.freedesktop.timedate1.set-time
org.freedesktop.timedate1.set-timezone
root@server:/etc/polkit-1# pka

<quote from https://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html>

description

A human readable description of the action, e.g. Install unsigned software.

message

A human readable message displayed to the user when asking for credentials when authentication is needed, e.g. Installing unsigned software requires authentication.

defaults

This element is used to specify implicit authorizations for clients. Elements that can be used inside defaults include:

allow_any

Implicit authorizations that apply to any client. Optional.

allow_inactive

Implicit authorizations that apply to clients in inactive sessions on local consoles. Optional.

allow_active

Implicit authorizations that apply to clients in active sessions on local consoles. Optional.

Each of the allow_any, allow_inactive and allow_active elements can contain the following values:

no

Not authorized.

yes

Authorized.

auth_self

Authentication by the owner of the session that the client originates from is required. Note that this is not restrictive enough for most uses on multi-user systems; auth_admin* is generally recommended.

auth_admin

Authentication by an administrative user is required.

auth_self_keep

Like auth_self but the authorization is kept for a brief period (e.g. five minutes). The warning about auth_self above applies likewise.

auth_admin_keep

Like auth_admin but the authorization is kept for a brief period (e.g. five minutes).

annotate

Used for annotating an action with a key/value pair. The key is specified using the key attribute and the value is specified using the value attribute. This element may appear zero or more times. See below for known annotations.

vendor

Used for overriding the vendor on a per-action basis. Optional.

vendor_url

Used for overriding the vendor URL on a per-action basis. Optional.

</quote>

But: XML? No, never, never!

Ubuntu uses text.
How do I know? Well, there is exactly one non-empty file:
/etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf
[Configuration]
AdminIdentities=unix-group:sudo;unix-group:admin

Polkit? WTF is this again? Actually... - May 23, 2017 - mw