## Interface definitions (Actions)

Interface definitions describe each operation in XML and set its default access policy (the "implicit" authorizations shown below).
```
$ pkaction
com.mesonbuild.install.run
com.redhat.tuned.active_profile
com.redhat.tuned.auto_profile
org.freedesktop.NetworkManager.enable-disable-connectivity-check
org.freedesktop.NetworkManager.enable-disable-network
org.freedesktop.NetworkManager.enable-disable-statistics
org.freedesktop.NetworkManager.enable-disable-wifi
org.freedesktop.NetworkManager.enable-disable-wimax
org.freedesktop.NetworkManager.enable-disable-wwan
org.freedesktop.NetworkManager.network-control
org.freedesktop.NetworkManager.reload
org.freedesktop.NetworkManager.settings.modify.global-dns
org.freedesktop.NetworkManager.settings.modify.hostname
org.freedesktop.NetworkManager.settings.modify.own
org.freedesktop.NetworkManager.settings.modify.system
org.freedesktop.systemd1.manage-unit-files
org.freedesktop.systemd1.manage-units
org.freedesktop.systemd1.reload-daemon

$ pkaction -a org.freedesktop.systemd1.manage-units --verbose
org.freedesktop.systemd1.manage-units:
  description:       Manage system services or units
  message:           Authentication is required to manage system services or units.
  vendor:            The systemd Project
  vendor_url:        http://www.freedesktop.org/wiki/Software/systemd
  icon:
  implicit any:      auth_admin
  implicit inactive: auth_admin
  implicit active:   auth_admin_keep
```
```
$ sudo tree /usr/share/polkit-1/
/usr/share/polkit-1/
├── actions
│   ├── com.mesonbuild.install.policy
│   ├── com.redhat.tuned.policy
│   ├── org.fedoraproject.setroubleshootfixit.policy
│   ├── org.freedesktop.hostname1.policy
│   ├── org.freedesktop.import1.policy
│   ├── org.freedesktop.locale1.policy
│   ├── org.freedesktop.login1.policy
│   ├── org.freedesktop.machine1.policy
│   ├── org.freedesktop.NetworkManager.policy
│   ├── org.freedesktop.policykit.policy
│   ├── org.freedesktop.systemd1.policy
│   ├── org.freedesktop.timedate1.policy
│   ├── org.gnome.gconf.defaults.policy
│   └── org.x.xf86-video-intel.backlight-helper.policy
└── rules.d
```
## Policies (Authorization rules)

Policies define custom authorization rules; through them, operations that would otherwise require a privileged user can be opened up to ordinary users.
```
$ sudo tree /etc/polkit-1/
/etc/polkit-1/
├── localauthority
│   ├── 10-vendor.d
│   ├── 20-org.d
│   ├── 30-site.d
│   ├── 50-local.d
│   └── 90-mandatory.d
├── localauthority.conf.d
└── rules.d
    ├── 49-polkit-pkla-compat.rules
    └── 50-default.rules
```
Note that PolKit versions before 0.106 only support the key-value `.pkla` policy syntax, not the newer JavaScript-based `.rules` syntax.
Yet even Ubuntu 20.04 still ships a very old version (one from before Polkit was renamed, i.e. PolicyKit):
```
$ pkexec --version
pkexec version 0.105
```
On CentOS, polkit-pkla-compat provides compatibility handling for `.pkla` policies:
```
$ rpm -qi polkit-pkla-compat-0.1-4.el7.x86_64
Name        : polkit-pkla-compat
Version     : 0.1
Release     : 4.el7
Architecture: x86_64
Install Date: Sat 09 Jan 2016 09:20:42 PM CST
Group       : Unspecified
Size        : 82409
License     : LGPLv2+
Signature   : RSA/SHA256, Fri 04 Jul 2014 12:32:08 PM CST, Key ID 24c6a8a7f4a80eb5
Source RPM  : polkit-pkla-compat-0.1-4.el7.src.rpm
Build Date  : Tue 10 Jun 2014 06:08:34 AM CST
Build Host  : worker1.bsys.centos.org
Relocations : (not relocatable)
Packager    : CentOS BuildSystem <http://bugs.centos.org>
Vendor      : CentOS
URL         : https://fedorahosted.org/polkit-pkla-compat/
Summary     : Rules for polkit to add compatibility with pklocalauthority
Description :
A polkit JavaScript rule and associated helpers that mostly provide
compatibility with the .pkla file format supported in polkit <= 0.105 for
users of later polkit releases.
```
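Since the `.pkla` format is what a polkit 0.105 host (such as Ubuntu 20.04 above) and the pkla-compat rule on newer hosts actually evaluate, it helps to be able to check an entry offline before dropping it into `/etc/polkit-1/localauthority/50-local.d/`. The following is an added example written for this post, not code from the post, polkit or polkit-pkla-compat: a small JavaScript model of `.pkla` matching. Field semantics follow pklocalauthority(8) (semicolon-separated glob lists for `Identity` and `Action`, `ResultAny` / `ResultInactive` / `ResultActive` per session state); that a later matching entry overrides an earlier one, and that an entry omitting a `Result` key leaves that state unchanged, are assumptions made here. The entry text, the user `runsisi`, the group `ops` and the other users are constructed.

```javascript
// Added example, not from the original post: a minimal offline model of how a
// pklocalauthority .pkla entry, the only policy format polkit 0.105 understands,
// is matched against a subject. Field semantics follow pklocalauthority(8):
// Identity and Action are semicolon-separated glob lists; ResultAny /
// ResultInactive / ResultActive give the result per session state.
// Assumed here: a later matching entry overrides an earlier one, and an entry
// that omits a Result key leaves that state unchanged. The entry text, the
// user "runsisi" and the group "ops" are constructed for this example.

const SAMPLE_PKLA = `
[Let runsisi and the ops group manage systemd units]
Identity=unix-user:runsisi;unix-group:ops
Action=org.freedesktop.systemd1.manage-units;org.freedesktop.systemd1.reload-daemon
ResultAny=no
ResultInactive=no
ResultActive=yes
`;

// Parse the INI-like .pkla text into entry objects ({ name, Identity, Action, Result* }).
function parsePkla(text) {
  const entries = [];
  let cur = null;
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue;
    const section = line.match(/^\[(.*)\]$/);
    if (section) {
      cur = { name: section[1], Identity: "", Action: "" };
      entries.push(cur);
      continue;
    }
    const eq = line.indexOf("=");
    if (eq < 0 || cur === null) throw new Error("malformed .pkla line: " + raw);
    cur[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return entries;
}

// Turn a pkla glob ("unix-group:*", "org.freedesktop.systemd1.*") into an anchored RegExp.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + escaped + "$");
}

// True when any glob in the semicolon-separated list matches value.
function matchesAny(list, value) {
  return list.split(";").some(g => g.trim() !== "" && globToRegExp(g.trim()).test(value));
}

// The identities pkla can match for a subject: the user and each of its groups.
function subjectIdentities(subject) {
  return ["unix-user:" + subject.user, ...subject.groups.map(g => "unix-group:" + g)];
}

// Result for (action, subject, sessionState), or null when no entry applies; in the
// null case polkit falls back to the action's implicit defaults from its .policy file.
function pklaLookup(entries, actionId, subject, sessionState) {
  const key = { any: "ResultAny", inactive: "ResultInactive", active: "ResultActive" }[sessionState];
  if (!key) throw new Error("sessionState must be any, inactive or active");
  const ids = subjectIdentities(subject);
  let result = null;
  for (const e of entries) {
    if (!matchesAny(e.Action, actionId)) continue;
    if (!ids.some(id => matchesAny(e.Identity, id))) continue;
    if (e[key]) result = e[key];   // later entries override earlier ones (assumption)
  }
  return result;
}

// Usage: evaluate the sample entry for a few constructed subjects.
const entries = parsePkla(SAMPLE_PKLA);
const manageUnits = "org.freedesktop.systemd1.manage-units";
console.log(pklaLookup(entries, manageUnits, { user: "runsisi", groups: ["runsisi"] }, "active"));   // yes
console.log(pklaLookup(entries, manageUnits, { user: "bob", groups: ["bob", "ops"] }, "inactive"));   // no
console.log(pklaLookup(entries, manageUnits, { user: "carol", groups: ["carol"] }, "active"));        // null
```

The `null` case is the one to watch: an entry that is never matched does not deny anything, it simply leaves the action's implicit default (here `auth_admin_keep` for an active session) in force, which is why a `.pkla` entry with a typo in `Action=` fails silently.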
The `.pkla` policy syntax is documented in the man page of the pkla-check-authorization command, while a `.rules` policy is simply JavaScript code:
```
$ sudo cat /etc/polkit-1/rules.d/10-units.rules
polkit.addRule(function (action, subject) {
    if (action.id == "org.freedesktop.systemd1.manage-units" &&
        subject.isInGroup("runsisi")) {
        polkit.log(action);
        polkit.log(subject);
        return polkit.Result.YES;
    }
})
```
On CentOS, the output of `polkit.log` ends up in the following file:
```
$ sudo cat /var/log/secure
polkitd[7470]: /etc/polkit-1/rules.d/10-units.rules:6: [Action id='org.freedesktop.systemd1.manage-units']
polkitd[7470]: /etc/polkit-1/rules.d/10-units.rules:7: [Subject pid=3474460 user='runsisi' groups=runsisi seat='' session='1260' local=false active=true]
```
Note that when writing policies for operations on systemd services, only systemd v226 and later exposes the `unit` and `verb` attributes to the rule:
```
$ sudo cat /etc/polkit-1/rules.d/10-units.rules
polkit.addRule(function (action, subject) {
    if (action.id == "org.freedesktop.systemd1.manage-units" &&
        subject.user == "runsisi" &&
        subject.isInGroup("runsisi")) {
        if (action.lookup("unit") == "chronyd.service") {
            var verb = action.lookup("verb");
            if (verb == "start" || verb == "stop" || verb == "restart") {
                return polkit.Result.YES;
            }
        }
    }
})
```
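The two `.rules` files above (the logging rule and the unit/verb-restricted rule) can be exercised without a polkitd by providing the handful of objects the rule touches. The following is an added example, not code from the post or from polkit: a stand-in for the JavaScript environment polkitd gives `.rules` files, modelling that rules run in the order they were added, that the first rule returning something other than `null`/`undefined` decides, and that when no rule decides the action's implicit defaults apply (`auth_admin` / `auth_admin` / `auth_admin_keep` for manage-units, as `pkaction --verbose` reported above). The user `runsisi` comes from the post; the pids, session ids, the second user and the session-state simplification are constructed here. `makeAction`, `makeSubject` and `checkAuthorization` are this example's own helpers, not polkit API.

```javascript
// Added example, not from the original post: a stand-in for the polkitd
// JavaScript environment, enough to exercise the manage-units rules offline
// before installing them under /etc/polkit-1/rules.d/. Modelled: rules run in
// insertion order, the first non-null/undefined result decides, otherwise the
// action's implicit defaults from pkaction apply. User "runsisi" is from the
// post; pids, session ids and the user "other" are constructed.

const logLines = [];   // polkitd sends polkit.log() to syslog; collected here instead

const polkit = {
  Result: {
    NO: "no", YES: "yes",
    AUTH_SELF: "auth_self", AUTH_SELF_KEEP: "auth_self_keep",
    AUTH_ADMIN: "auth_admin", AUTH_ADMIN_KEEP: "auth_admin_keep",
    NOT_HANDLED: null,
  },
  _rules: [],
  addRule(fn) { this._rules.push(fn); },
  log(obj) { logLines.push(String(obj)); },
};

// Action: id plus the details the caller attached. systemd >= v226 attaches
// "unit" and "verb"; with an older systemd lookup() simply returns undefined.
function makeAction(id, details = {}) {
  return {
    id,
    lookup(key) { return details[key]; },
    toString() {
      const extra = Object.entries(details).map(([k, v]) => ` ${k}='${v}'`).join("");
      return `[Action id='${id}'${extra}]`;
    },
  };
}

// Subject with the fields the post's log line shows.
function makeSubject({ pid, user, groups, session = "", local = false, active = true }) {
  return {
    pid, user, groups, session, local, active,
    isInGroup(name) { return groups.includes(name); },
    toString() { return `[Subject pid=${pid} user='${user}' groups=${groups.join(",")} seat='' session='${session}' local=${local} active=${active}]`; },
  };
}

// Rule 1: audit only. Logs and returns nothing, so it never decides.
polkit.addRule(function (action, subject) {
  if (action.id == "org.freedesktop.systemd1.manage-units") {
    polkit.log(action);
    polkit.log(subject);
  }
});

// Rule 2: the restricting rule from the post.
polkit.addRule(function (action, subject) {
  if (action.id == "org.freedesktop.systemd1.manage-units" &&
      subject.user == "runsisi" && subject.isInGroup("runsisi")) {
    if (action.lookup("unit") == "chronyd.service") {
      var verb = action.lookup("verb");
      if (verb == "start" || verb == "stop" || verb == "restart") {
        return polkit.Result.YES;
      }
    }
  }
});

// Implicit defaults from the action's .policy file, as printed by pkaction above.
const IMPLICIT = {
  "org.freedesktop.systemd1.manage-units":
    { any: "auth_admin", inactive: "auth_admin", active: "auth_admin_keep" },
};

// First rule with a non-null/undefined answer wins; otherwise fall back to the
// implicit default (simplified: no session -> "any", else active/inactive).
function checkAuthorization(action, subject) {
  for (const rule of polkit._rules) {
    const r = rule(action, subject);
    if (r !== undefined && r !== null) return r;
  }
  const d = IMPLICIT[action.id];
  if (!d) throw new Error("no implicit policy known for " + action.id);
  if (!subject.session) return d.any;
  return subject.active ? d.active : d.inactive;
}

// Walk a few cases and return the decisions keyed by a short label.
function runCases() {
  const runsisi = makeSubject({ pid: 3474460, user: "runsisi", groups: ["runsisi"], session: "1260" });
  const other = makeSubject({ pid: 4242, user: "other", groups: ["other"], session: "1261" });
  const units = "org.freedesktop.systemd1.manage-units";
  return {
    restartChrony: checkAuthorization(makeAction(units, { unit: "chronyd.service", verb: "restart" }), runsisi),
    reloadChrony:  checkAuthorization(makeAction(units, { unit: "chronyd.service", verb: "reload" }), runsisi),
    stopSshd:      checkAuthorization(makeAction(units, { unit: "sshd.service", verb: "stop" }), runsisi),
    noDetails:     checkAuthorization(makeAction(units), runsisi),   // systemd < v226: no unit/verb
    otherUser:     checkAuthorization(makeAction(units, { unit: "chronyd.service", verb: "start" }), other),
  };
}

console.log(runCases());
```

The `noDetails` case is the practical point of the v226 note: on an older systemd, `action.lookup("unit")` is `undefined`, the restricting rule never returns, and the request falls back to `auth_admin_keep`, so the rule fails closed rather than granting the whole `manage-units` action.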
## References

- polkit Reference Manual: https://www.freedesktop.org/software/polkit/docs/latest/
- PolicyKit Library Reference Manual: http://www.manpagez.com/html/PolicyKit/PolicyKit-0.9/model-theory-of-operation.php
- Polkit (Arch Wiki): https://wiki.archlinux.org/index.php/Polkit
- Authorization with PolKit (SUSE): https://documentation.suse.com/sled/15-SP1/html/SLED-all/cha-security-policykit.html
- Using PolicyKit to allow non-root users to start and stop a service: https://stackoverflow.com/questions/61480914/using-policykit-to-allow-non-root-users-to-start-and-stop-a-service
- PolicyKit rules never come into effect: https://askubuntu.com/questions/536591/policykit-rules-never-come-into-effect
- Polkit: https://lauri.xn--vsandi-pxa.com/cfgmgmt/polkit.html
- Provide unit name and operation in manage-units polkit checks (v2): https://github.com/systemd/systemd/pull/1159