#polkit — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #polkit, aggregated by home.social.
-
Are you annoyed by the password prompts when doing basically anything on openSUSE?
#polkit is used to manage permissions on most modern Linux distros. The default ruleset on #opensuse is called standard and is pretty strict. Fortunately it ships another ruleset called easy which allow for more actions without entering a password.To switch the ruleset, edit the file /etc/sysconfig/security in the line beginning with POLKIT_DEFAULT_PRIVS. Write "easy" in between the quotations and save. Then run the set_polkit_default_privs command to apply the changes. All as root of course.
Read more: https://en.opensuse.org/openSUSE:Security_Documentation#Configuration_of_Polkit_Settings
-
Are you annoyed by the password prompts when doing basically anything on openSUSE?
#polkit is used to manage permissions on most modern Linux distros. The default ruleset on #opensuse is called standard and is pretty strict. Fortunately it ships another ruleset called easy which allow for more actions without entering a password.To switch the ruleset, edit the file /etc/sysconfig/security in the line beginning with POLKIT_DEFAULT_PRIVS. Write "easy" in between the quotations and save. Then run the set_polkit_default_privs command to apply the changes. All as root of course.
Read more: https://en.opensuse.org/openSUSE:Security_Documentation#Configuration_of_Polkit_Settings
-
TIL (spotted by a friend): #polkit rules are javascript. Yes, you read that right.
https://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html#polkit-rules
Polkit embeds an entire-ass fucking javascript runtime. For a security-critical application.
What the actual fuck. Who thought this was a good idea‽ :thaenkin: :thaenkin: :thaenkin:
-
TIL (spotted by a friend): #polkit rules are javascript. Yes, you read that right.
https://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html#polkit-rules
Polkit embeds an entire-ass fucking javascript runtime. For a security-critical application.
What the actual fuck. Who thought this was a good idea‽ :thaenkin: :thaenkin: :thaenkin:
-
Critical vulnerabilities were disclosed in InputPlumber affecting Linux systems, including SteamOS.
Impact highlights:
• Insufficient D-Bus authorization
• Potential keystroke injection via virtual devices
• Local denial-of-service and information exposureThe fixes emphasize secure Polkit usage, systemd hardening, and proper privilege boundaries.
Share insights and follow @technadu for vendor-neutral security reporting.
#InfoSec #LinuxHardening #VulnerabilityResearch #Polkit #D-Bus #OpenSourceSecurity
-
Linux permissions go beyond chmod. Learn how groups, sudo, and modern policy systems control services, reboot, and system-level authority.
More details here: https://ostechnix.com/linux-permissions-privileges-groups-sudo/
#LinuxPermissions #LinuxPrivileges #LinuxSecurity #Linuxadmin #Linuxcommands #Linuxhowto #sudo #Polkit #Systemd
-
Linux permissions go beyond chmod. Learn how groups, sudo, and modern policy systems control services, reboot, and system-level authority.
More details here: https://ostechnix.com/linux-permissions-privileges-groups-sudo/
#LinuxPermissions #LinuxPrivileges #LinuxSecurity #Linuxadmin #Linuxcommands #Linuxhowto #sudo #Polkit #Systemd
-
This is how to make the “Install pending software updates” checkbox go away in GNOME
If you’re using GNOME, and when you tell it you want to shut down or reboot your system it pops up a confirmation dialog with an “Install pending software update” checkbox in it, and the checkbox is checked by default, and you want to make that checkbox go away or at least be unchecked by default, then you’ve come to the right place.
There’s no perfect way to do this. Below I talk about two imperfect solutions that are available. If you think there should be an easier way, feel free to weigh in here. The GNOME developers are skeptical that anyone wants or needs this, but maybe if enough people ask for it they will reconsider.
Imperfect solution one: Open the preferences for the GNOME Software app and change “Software Updates” there from “Automatic” to “Manual”. Caveats:
- This may only work on systems, such as Fedora-based systems, where PackageKit uses a separate update cache from the system. On APT-based systems (Debian, Ubuntu, and the like), where it appears that PackageKit uses the same update cache as the underlying APT system (as it should!), then when the updates are downloaded outside of GNOME Software, you may still see the checkbox.
- If there were already updates downloaded before you switched from Automatic to Manual, you will get the checkbox. You need to install those updates (either through GNOME Software or with DNF or APT or whatever) and then refresh the GNOME Software Updates tab to make them go away there.
- If you check for updates in the GNOME Software app manually and then click the Download button, you will probably get the checkbox the next time you try to shut down or restart.
Imperfect solution two: Create the file
/etc/polkit-1/rules.d/99-disable-offline-update.rules, owned by user “root” and group “polkitd”, with the following contents:polkit.addRule(function(action, subject) { if ((action.id == "org.freedesktop.packagekit.trigger-offline-update")) { return polkit.Result.NO; } });Caveat: This will disable all attempts to trigger offline updates, not just the checkbox that shows up when you try to shutdown or restart your system. This means, for example, that you won’t be able to trigger “Restart and install…” updates from inside the GNOME Software app either.
#GNOME #PackageKit #Polkit -
This is how to make the “Install pending software updates” checkbox go away in GNOME
If you’re using GNOME, and when you tell it you want to shut down or reboot your system it pops up a confirmation dialog with an “Install pending software update” checkbox in it, and the checkbox is checked by default, and you want to make that checkbox go away or at least be unchecked by default, then you’ve come to the right place.
There’s no perfect way to do this. Below I talk about two imperfect solutions that are available. If you think there should be an easier way, feel free to weigh in here. The GNOME developers are skeptical that anyone wants or needs this, but maybe if enough people ask for it they will reconsider.
Imperfect solution one: Open the preferences for the GNOME Software app and change “Software Updates” there from “Automatic” to “Manual”. Caveats:
- This may only work on systems, such as Fedora-based systems, where PackageKit uses a separate update cache from the system. On APT-based systems (Debian, Ubuntu, and the like), where it appears that PackageKit uses the same update cache as the underlying APT system (as it should!), then when the updates are downloaded outside of GNOME Software, you may still see the checkbox.
- If there were already updates downloaded before you switched from Automatic to Manual, you will get the checkbox. You need to install those updates (either through GNOME Software or with DNF or APT or whatever) and then refresh the GNOME Software Updates tab to make them go away there.
- If you check for updates in the GNOME Software app manually and then click the Download button, you will probably get the checkbox the next time you try to shut down or restart.
Imperfect solution two: Create the file
/etc/polkit-1/rules.d/99-disable-offline-update.rules, owned by user “root” and group “polkitd”, with the following contents:polkit.addRule(function(action, subject) { if ((action.id == "org.freedesktop.packagekit.trigger-offline-update")) { return polkit.Result.NO; } });Caveat: This will disable all attempts to trigger offline updates, not just the checkbox that shows up when you try to shutdown or restart your system. This means, for example, that you won’t be able to trigger “Restart and install…” updates from inside the GNOME Software app either.
#GNOME #PackageKit #Polkit -
Something changed with #Kubuntu 25.10 over the past week. Now all of a sudden I'm getting #prompted for my #sudo #password every time #PackageKit runs to update package sources (which is several times a day)!
Fortunately, you can create a custom #PolKit #rule to let it run without prompting you!sudo nano /etc/polkit-1/rules.d/10-allow-packagekit-refresh.rulespolkit.addRule(function(action, subject) { if (action.id == "org.freedesktop.packagekit.system-sources-refresh" && subject.isInGroup("sudo")) { return polkit.Result.YES; } });
And that seems to work.
#Linux #Ubuntu #KDE #KDE6 #Plasma6 #KDEPlasma6 #Discover #updates -
🚀 quickshell-polkit-agent v2.0.0 is out!
Major architectural overhaul: switched from proactive FIDO detection to a PAM-reactive model. The agent now responds to PAM prompts instead of trying to control auth flow.
✨ What's new:
• GDM-inspired authentication state machine
• 22 integration tests with 100% pass rate
• Podman-based E2E testing infrastructure
• Rich error handling & state tracking APIs
• Performance optimizations (<2ms state transitions)
🔧 Breaking changes:
• Removed auto-FIDO logic (now handled by PAM/pam_u2f)
• Simplified state machine (no more TRYING_FIDO states)
• Cleaner authentication flow: IDLE → INITIATED → WAITING_FOR_PASSWORD → AUTHENTICATING → COMPLETED
🐛 Fixed use-after-free bugs, race conditions, and timeout issues
github.com/bennypowers/quickshell-polkit-agent/releases/tag/v2.0.0
#Linux #Polkit #Qt6 #Authentication #FIDO2 #Quickshell #Gentoo -
A couple notable related writeups
A great primer on #dbus and #polkit that clearly shows how brittle they are
https://u1f383.github.io/linux/2025/05/25/dbus-and-polkit-introduction.htmlAn amazing #linux #kernel #vulnerability research and #exploit development writeup
https://ssd-disclosure.com/ssd-advisory-linux-kernel-hfsplus-slab-out-of-bounds-write/ -
A couple notable related writeups
A great primer on #dbus and #polkit that clearly shows how brittle they are
https://u1f383.github.io/linux/2025/05/25/dbus-and-polkit-introduction.htmlAn amazing #linux #kernel #vulnerability research and #exploit development writeup
https://ssd-disclosure.com/ssd-advisory-linux-kernel-hfsplus-slab-out-of-bounds-write/ -
I'm still puzzled by the fact that the distribution chose to do this
#InfoSec #Linux #distribution #OpenSource #POSIX #POLKIT #DBUS
-
I'm still puzzled by the fact that the distribution chose to do this
#InfoSec #Linux #distribution #OpenSource #POSIX #POLKIT #DBUS
-
Nutzt hier jemand einen kartenleser unter unbuntu linux?
Und das funkzjoniert nach
dist-upgradenicht mehr? Das hier hilft vielleicht. -
2/3
* También depende del entorno gráfico: #gvfs (#gnome, #xfce) o el equivalente en #kde (creo que es #kio), que suelen montar en /run/media.
* Configuraciones personalizadas de #polkit pueden hacer que los usuarios puedan montar discos en diferentes ubicaciones.
* El mismo udisks2 permite cambiar configuraciones para montar automáticamente en otros directorios.
* Y por supuesto, el montaje manual y uso de /etc/fstab puede permitirnos montar directorios no estándar.
👇
-
2/3
* También depende del entorno gráfico: #gvfs (#gnome, #xfce) o el equivalente en #kde (creo que es #kio), que suelen montar en /run/media.
* Configuraciones personalizadas de #polkit pueden hacer que los usuarios puedan montar discos en diferentes ubicaciones.
* El mismo udisks2 permite cambiar configuraciones para montar automáticamente en otros directorios.
* Y por supuesto, el montaje manual y uso de /etc/fstab puede permitirnos montar directorios no estándar.
👇
-
I've daily-driven #OpenSuSE #Tumbleweed in the past. A coupe times, actually.
No real major complaints. Some issues were that the YaST-based installer was kind of obtuse (e.g., very easy to miss the option to set the hostname). I'm not one to hate on YaST. I don't need my configuration tool / systems-management tool to be all pretty or written in Flutter or whatever. But the installer was kind of obtuse, if featureful.
My biggest complaint is that they don't set up #PolKit out of the box, and you're expected to use the root password for things like setting up printers in the GUI. Not to be too snippy, but that was unacceptable in 2005, and it's crazy wrong-headed in 2025. But I know there's a way to set that up, so I need to look into it.
I'm very interested in OpenSuSE #SlowRoll. If that comes out in the next few months, that could be an awesome contender.
So, yeah, actually, thanks for reminding me to look into OpenSuSE some more. :neocat_floof_happy:
-
I've daily-driven #OpenSuSE #Tumbleweed in the past. A coupe times, actually.
No real major complaints. Some issues were that the YaST-based installer was kind of obtuse (e.g., very easy to miss the option to set the hostname). I'm not one to hate on YaST. I don't need my configuration tool / systems-management tool to be all pretty or written in Flutter or whatever. But the installer was kind of obtuse, if featureful.
My biggest complaint is that they don't set up #PolKit out of the box, and you're expected to use the root password for things like setting up printers in the GUI. Not to be too snippy, but that was unacceptable in 2005, and it's crazy wrong-headed in 2025. But I know there's a way to set that up, so I need to look into it.
I'm very interested in OpenSuSE #SlowRoll. If that comes out in the next few months, that could be an awesome contender.
So, yeah, actually, thanks for reminding me to look into OpenSuSE some more. :neocat_floof_happy:
-
I want to try #OpenSuSE #Tumbleweed again. My only turn-off from it was that zypper is a little slow as a cli package manager goes (not a huge deal), and that they didn't have #PolKit enabled by default, so setting up things like your printer required using the root password, which is brain dead.
I really hope they have that last one fixed, because it's just arguably the wrong approach, and should be treated as a bug.
-
I want to try #OpenSuSE #Tumbleweed again. My only turn-off from it was that zypper is a little slow as a cli package manager goes (not a huge deal), and that they didn't have #PolKit enabled by default, so setting up things like your printer required using the root password, which is brain dead.
I really hope they have that last one fixed, because it's just arguably the wrong approach, and should be treated as a bug.
-
💡 Perfctl: una minaccia silenziosa ai server Linux
https://gomoot.com/perfctl-una-minaccia-silenziosa-ai-server-linux
#aqua #aquasecteam #blog #cve #linux #malware #news #picks #polkit #rocketmq #server #sicurezza #stealth #tech #tecnologia
-
💡 Perfctl: una minaccia silenziosa ai server Linux
https://gomoot.com/perfctl-una-minaccia-silenziosa-ai-server-linux
#aqua #aquasecteam #blog #cve #linux #malware #news #picks #polkit #rocketmq #server #sicurezza #stealth #tech #tecnologia
-
-
Okay, what is the modern way to request a password or secret from the user in this day and age?
Pinentry and ssh-askpass is no go and I can't quite grok the dbus secret service from the polkit auth?
-
Okay, what is the modern way to request a password or secret from the user in this day and age?
Pinentry and ssh-askpass is no go and I can't quite grok the dbus secret service from the polkit auth?
-
Herunterfahren und Neustart unter Ubuntu 22.04 deaktivieren:
Mit nur zwei Befehlen verhinderst du effektiv, dass Remote-Benutzer:innen einen virtuellen PC mit Ubuntu 22.04.4 LTS neu starten oder herunterfahren können.
https://andersgood.de/kurz-notiert/herunterfahren-und-neustart-unter-ubuntu-22-04-deaktivieren
-
If you think Windows's User Account Control (UAC) has horrible usability and an awful configuration mechanism, try #polkit.
-
```
stuartl@vk4msl-pi3$ ps axf
…
491 ? Ssl 289:07 /usr/lib/polkit-1/polkitd --no-debug
20844 ? Z 0:00 \_ [pkla-check-auth] <defunct>
20848 ? Z 0:00 \_ [pkla-check-auth] <defunct>
20853 ? Z 0:00 \_ [pkla-check-auth] <defunct>
20857 ? Z 0:00 \_ [pkla-check-auth] <defunct>
20861 ? Z 0:00 \_ [pkla-check-auth] <defunct>
20866 ? Z 0:00 \_ [pkla-check-auth] <defunct>
20871 ? Z 0:00 \_ [pkla-check-auth] <defunct>
24454 ? Z 0:00 \_ [pkla-check-auth] <defunct>
24465 ? Z 0:00 \_ [pkla-check-auth] <defunct>
24479 ? Z 0:00 \_ [pkla-check-auth] <defunct>
24492 ? Z 0:00 \_ [pkla-check-auth] <defunct>
2339 ? Z 0:00 \_ [pkla-check-auth] <defunct>
2360 ? Z 0:00 \_ [pkla-check-auth] <defunct>
21744 ? Z 0:00 \_ [pkla-check-auth] <defunct>
4210 ? Z 0:00 \_ [pkla-check-auth] <defunct>
12967 ? Z 0:00 \_ [pkla-check-auth] <defunct>
14147 ? Z 0:00 \_ [pkla-check-auth] <defunct>
14163 ? Z 0:00 \_ [pkla-check-auth] <defunct>
15966 ? Z 0:00 \_ [pkla-check-auth] <defunct>
25718 ? Z 0:00 \_ [pkla-check-auth] <defunct>
25935 ? Z 0:00 \_ [pkla-check-auth] <defunct>
14663 ? Z 0:00 \_ [pkla-check-auth] <defunct>
10030 ? Z 0:00 \_ [pkla-check-auth] <defunct>
25557 ? Z 0:00 \_ [pkla-check-auth] <defunct>
25575 ? Z 0:00 \_ [pkla-check-auth] <defunct>
25691 ? Z 0:00 \_ [pkla-check-auth] <defunct>
…
```Oookay #polkit, I'll bite… why so many `pkla-check-auth` processes, and why are they in the zombie state? Does someone need the `wait(2)` manpage read to them at bed time?
-
```
stuartl@vk4msl-pi3$ ps axf
…
491 ? Ssl 289:07 /usr/lib/polkit-1/polkitd --no-debug
20844 ? Z 0:00 \_ [pkla-check-auth] <defunct>
20848 ? Z 0:00 \_ [pkla-check-auth] <defunct>
20853 ? Z 0:00 \_ [pkla-check-auth] <defunct>
20857 ? Z 0:00 \_ [pkla-check-auth] <defunct>
20861 ? Z 0:00 \_ [pkla-check-auth] <defunct>
20866 ? Z 0:00 \_ [pkla-check-auth] <defunct>
20871 ? Z 0:00 \_ [pkla-check-auth] <defunct>
24454 ? Z 0:00 \_ [pkla-check-auth] <defunct>
24465 ? Z 0:00 \_ [pkla-check-auth] <defunct>
24479 ? Z 0:00 \_ [pkla-check-auth] <defunct>
24492 ? Z 0:00 \_ [pkla-check-auth] <defunct>
2339 ? Z 0:00 \_ [pkla-check-auth] <defunct>
2360 ? Z 0:00 \_ [pkla-check-auth] <defunct>
21744 ? Z 0:00 \_ [pkla-check-auth] <defunct>
4210 ? Z 0:00 \_ [pkla-check-auth] <defunct>
12967 ? Z 0:00 \_ [pkla-check-auth] <defunct>
14147 ? Z 0:00 \_ [pkla-check-auth] <defunct>
14163 ? Z 0:00 \_ [pkla-check-auth] <defunct>
15966 ? Z 0:00 \_ [pkla-check-auth] <defunct>
25718 ? Z 0:00 \_ [pkla-check-auth] <defunct>
25935 ? Z 0:00 \_ [pkla-check-auth] <defunct>
14663 ? Z 0:00 \_ [pkla-check-auth] <defunct>
10030 ? Z 0:00 \_ [pkla-check-auth] <defunct>
25557 ? Z 0:00 \_ [pkla-check-auth] <defunct>
25575 ? Z 0:00 \_ [pkla-check-auth] <defunct>
25691 ? Z 0:00 \_ [pkla-check-auth] <defunct>
…
```Oookay #polkit, I'll bite… why so many `pkla-check-auth` processes, and why are they in the zombie state? Does someone need the `wait(2)` manpage read to them at bed time?
-
Looking into #Polkit and #Firewalld for... reasons. Was browsing through the #DBus interface for Firewalld and found this. I immediately had a movie scenario in my head when I read about panic mode.
"Sir, multiple incoming connections. They are entering the mainframe. What do we do?!"
"We don't have a choice. Do it!"
"But Sir..."
"DO IT! ENABLE PANIC MODE, NOW!!"
Anyways, time to dig further into the documentation.
-
Error: org.freedesktop.NetworkManager.wifi.scan request failed: not authorized.
This one is quickly eating away my resolve to setup my own Raspberry Pi based astrophotography control computer from scratch...
-
Error: org.freedesktop.NetworkManager.wifi.scan request failed: not authorized.
This one is quickly eating away my resolve to setup my own Raspberry Pi based astrophotography control computer from scratch...
-
Do any #GNOME folx know why polkit-gnome https://gitlab.gnome.org/Archive/policykit-gnome got archived and is considered "legacy" now? What is "the way" to have graphical applications ask for rights through #PolKit #PolicyKit?