Beyond Linux® From Scratch (System V Edition) - Version 12.0

Chapter 4. Security

Polkit-123

Introduction to Polkit

Polkit is a toolkit for defining and handling authorizations. It is used for allowing unprivileged processes to communicate with privileged processes.

This package is known to build and work properly using an LFS 12.0 platform.

Package Information

Polkit Dependencies

Required

GLib-2.76.4

Recommended

duktape-2.7.0, gobject-introspection-1.76.1, libxslt-1.1.38, Linux-PAM-1.5.3, and elogind-252.9

[Note]

Note

Since elogind uses PAM to register user sessions, it is a good idea to build Polkit with PAM support so elogind can track Polkit sessions.

Optional

GTK-Doc-1.33.2, JS-102.13.0 (can be used in place of duktape), and dbusmock-0.29.1 (for tests)

Optional Runtime Dependencies

One polkit authentication agent for using polkit in the graphical environment: polkit-kde-agent in Plasma-5.27.7 for KDE, the agent built in gnome-shell-44.3 for GNOME3, polkit-gnome-0.105 for XFCE, and lxpolkit in LXSession-0.5.5 for LXDE

[Note]

Note

If libxslt-1.1.38 is installed, then docbook-xml-4.5 and docbook-xsl-nons-1.79.2 are required. If you have installed libxslt-1.1.38, but you do not want to install any of the DocBook packages mentioned, you will need to use -Dman=false in the instructions below.

Installation of Polkit

There should be a dedicated user and group to take control of the polkitd daemon after it is started. Issue the following commands as the root user: 

groupadd -fg 27 polkitd &&
useradd -c "PolicyKit Daemon Owner" -d /etc/polkit-1 -u 27 \
        -g polkitd -s /bin/false polkitd

If using JS-102.13.0, make the following change (see Command Explanations below for more information): 

sed -e 's/JS_Init/JS::DisableJitBackend(); &/' \
    -i src/polkitbackend/polkitbackendjsauthority.cpp

Install Polkit by running the following commands: 

mkdir build &&
cd    build &&

meson setup ..                      \
      --prefix=/usr                 \
      --buildtype=release           \
      -Dman=true                    \
      -Dsession_tracking=libelogind \
      -Dtests=true                  &&
ninja

To test the results, first ensure that the system D-Bus daemon is running, and both D-Bus Python-1.3.2 and dbusmock-0.29.1 are installed. Then run ninja test.

Now, as the root user: 

ninja install

Command Explanations

sed -e 's/JS_Init/JS::DisableJitBackend(); &/' ... : The JIT compiling of JS102 needs W+X mapping which is dangerous and is not permitted by the systemd unit file shipped within the polkit package. This command is not strictly needed on systems based on sysvinit but it still improves security. It has no effect if building polkit with the recommended duktape-2.7.0 Javascript engine.

--buildtype=release: Specify a buildtype suitable for stable releases of the package, as the default may produce unoptimized binaries.

-Dtests=true: This switch allows to run the test suite of this package. As Polkit is used for authorizations, its integrity can affect system security. So it's recommended to run the test suite building this package.

-Djs_engine=mozjs: This switch allows using the JS-102.13.0 JavaScript engine instead of the duktape-2.7.0 JavaScript engine.

-Dos_type=lfs: Use this switch if you did not create the /etc/lfs-release file or distribution auto detection will fail and you will be unable to use Polkit.

-Dauthfw=shadow: This switch enables the package to use the Shadow rather than the Linux PAM Authentication framework. Use it if you have not installed Linux PAM.

-Dintrospection=false: Use this option if you are certain that you do not need gobject-introspection files for polkit, or do not have gobject-introspection installed.

-Dman=false: Use this option to disable generating and installing manual pages. This is useful if libxslt is not installed.

-Dexamples=true: Use this option to build the example programs.

-Dgtk_doc=true: Use this option to enable building and installing the API documentation.

Contents

Installed Programs: pkaction, pkcheck, pkexec, pkttyagent, and polkitd
Installed Libraries: libpolkit-agent-1.so and libpolkit-gobject-1.so
Installed Directories: /etc/polkit-1, /usr/include/polkit-1, /usr/lib/polkit-1, /usr/share/gtk-doc/html/polkit-1, and /usr/share/polkit-1

Short Descriptions

pkaction

is used to obtain information about registered PolicyKit actions

pkcheck

is used to check whether a process is authorized for action

pkexec

allows an authorized user to execute a command as another user

pkttyagent

is used to start a textual authentication agent for the subject

polkitd

provides the org.freedesktop.PolicyKit1 D-Bus service on the system message bus

libpolkit-agent-1.so

contains the Polkit authentication agent API functions

libpolkit-gobject-1.so

contains the Polkit authorization API functions