Gnome Control Center (Settings) not respecting PolKit/PolicyKit rules?

Using Debian 11 / Gnome 3.38

I was playing with PolKit/PolicyKit for a few hours, in order to try and understand how it works (I believe Debian still uses PolicyKit).

There is an unexpected behavior with Gnome Settings that I don’t understand. Maybe someone could enlighten me?

I am a member of the sudo group. In Gnome Settings:

  • “Date & Time” doesn’t need authenticating
  • “Users” needs authenticating

Nothing unexpected here, since there is a /usr/share/polkit-1/rules.d/gnome-control-center.rules file that explicitly exempts members of the sudo group from authenticating for “Date & Time”:

polkit.addRule(function(action, subject) {
	if ((action.id == "org.freedesktop.locale1.set-locale" ||
	     action.id == "org.freedesktop.locale1.set-keyboard" ||
	     action.id == "org.freedesktop.hostname1.set-static-hostname" ||
	     action.id == "org.freedesktop.hostname1.set-hostname" ||
	     action.id == "org.gnome.controlcenter.datetime.configure") &&
	    subject.local &&
	    subject.active &&
	    subject.isInGroup ("sudo")) {
		    return polkit.Result.YES;
	    }
});

So far, so good.

But then I did 2 tests with unexpected results, which led me to the conclusion that Gnome Settings ignores this file:

  • I removed that /usr/share/polkit-1/rules.d/gnome-control-center.rules file, rebooted my laptop, and was surprised that there was still no authentication required for “Date & Time”

  • Then I restored that file, and added another action to it:

         action.id == "org.gnome.controlcenter.user-accounts.administration" ||

Reboot. I was expecting that Settings → Users wouldn’t require authentication anymore, but no, it was still the same behavior: no authentication needed for “Date & Time”, authentication needed for “Users”.

So, the bottom line is that Gnome Settings’ behavior doesn’t seem to respect /usr/share/polkit-1/rules.d/gnome-control-center.rules, which can even safely be removed without altering Gnome Settings’ behavior.

Why is that? Am I missing something?

It’s a good thing you mentioned that you’re using Debian. Debian uses a custom fork of polkit that doesn’t support JavaScript rules. Basically it’s the last version of polkit (from a decade ago) prior to the introduction of JavaScript, plus a bunch of patches from later versions. So that file is useless for you. It’s only compatible with upstream polkit.

Look in /usr/share/polkit-1/actions/org.gnome.controlcenter.user-accounts.policy and org.gnome.controlcenter.datetime.policy for the base policy files. You can’t configure very much with them, but it should be enough for your purposes: just change <allow_active>auth_admin_keep</allow_active> to <allow_active>yes</allow_active>. Actually, that doesn’t explain why you’re able to edit time without checking the policy: maybe gnome-control-center does not actually check the policy in the way we would expect…

P.S. Don’t edit files under /usr. Instead, copy them to /etc and modify them there. /etc belongs to you; /usr belongs to your operating system.


Thanks for taking your time

> Debian uses a custom fork of polkit that doesn’t support JavaScript rules.

OK, that explains that then. Yes, I’ve read that Debian still uses the old PolicyKit, not the newer PolKit (PolicyKit - Debian Wiki).

> it should be enough for your purposes: just change <allow_active>auth_admin_keep</allow_active> to <allow_active>yes</allow_active>

Yes, that did the trick, I made that change in org.gnome.controlcenter.user-accounts.policy and now I can change user accounts without authenticating. Thanks

[EDIT]

> You can’t configure very much with them, but it should be enough for your purposes: just change

In fact you can. Creating /etc/polkit-1/localauthority/50-local.d/user-accounts.pkla did the trick:

[Allow sudo users to modify users]
Identity=unix-group:sudo
Action=org.gnome.controlcenter.user-accounts.administration
ResultActive=yes

See PolicyKit - Debian Wiki

> In fact you can. Creating /etc/polkit-1/localauthority/50-local.d/user-accounts.pkla did the trick:

Ah wow, that’s very old: pkla support was removed from polkit long, long ago in favor of JavaScript. I forgot that still existed on Debian. Exciting. :confused:

> Actually, that doesn’t explain why you’re able to edit time without checking the policy: maybe gnome-control-center does not actually check the policy in the way we would expect…

Nope, mystery solved!
There’s a /var/lib/polkit-1/localauthority/10-vendor.d/gnome-control-center.pkla file:

[Allow admins to set the hostname,locale,keyboard,date/time without prompting]
Identity=unix-group:admin;unix-group:sudo
Action=org.freedesktop.locale1.set-locale;org.freedesktop.locale1.set-keyboard;org.freedesktop.hostname1.set-static-hostname;org.freedesktop.hostname1.set-hostname;org.gnome.controlcenter.datetime.configure
ResultActive=yes
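An added example, not part of the original thread: a small audit helper that parses .pkla entries like the two quoted above and lists which actions a given identity can perform without authenticating. It treats Identity and Action values as semicolon-separated globs, as pklocalauthority(8) describes; the `SAMPLE` dictionary keys are shortened stand-ins for the real paths, and entry ordering and the defaults in the .policy files are not modelled.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed sample: the two .pkla entries quoted in the thread, keyed by a
# shortened "NN-dir.d/file" name standing in for the full path.
SAMPLE = {
    "10-vendor.d/gnome-control-center.pkla": """\
[Allow admins to set the hostname,locale,keyboard,date/time without prompting]
Identity=unix-group:admin;unix-group:sudo
Action=org.freedesktop.locale1.set-locale;org.freedesktop.locale1.set-keyboard;org.freedesktop.hostname1.set-static-hostname;org.freedesktop.hostname1.set-hostname;org.gnome.controlcenter.datetime.configure
ResultActive=yes
""",
    "50-local.d/user-accounts.pkla": """\
[Allow sudo users to modify users]
Identity=unix-group:sudo
Action=org.gnome.controlcenter.user-accounts.administration
ResultActive=yes
""",
}

def parse_pkla(text):
    """Yield (title, identities, action_globs, results) per entry in one .pkla file."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # keep key case: Identity, Action, ResultActive
    cp.read_string(text)
    for title in cp.sections():
        e = cp[title]
        split = lambda k: [v for v in e.get(k, "").split(";") if v]
        results = {k: e[k] for k in ("ResultAny", "ResultInactive", "ResultActive") if k in e}
        yield title, split("Identity"), split("Action"), results

def passwordless_grants(files, identities):
    """Return sorted (file, action_glob) pairs that answer 'yes' for any given identity."""
    found = set()
    for name in sorted(files):
        for _title, ids, actions, results in parse_pkla(files[name]):
            if not any(fnmatchcase(i, pat) for i in identities for pat in ids):
                continue
            if "yes" in (results.get("ResultActive"), results.get("ResultAny")):
                found.update((name, a) for a in actions)
    return sorted(found)

def grants_action(files, identities, action_id):
    """True if some matching entry's Action glob covers action_id with a 'yes' result."""
    return any(fnmatchcase(action_id, glob)
               for _f, glob in passwordless_grants(files, identities))
```

To audit a real system, build the `files` dictionary by reading every `*.pkla` under the /etc/polkit-1/localauthority and /var/lib/polkit-1/localauthority directories mentioned in the thread.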