Context Navigation

polkit.xml@ faa948c

Visit:

12.0 12.1 ken/TL2024 ken/tuningfonts lazarus plabs/newcss python3.11 rahul/power-profiles-daemon renodr/vulkan-addition trunk xry111/llvm18

Last change on this file since faa948c was b317cda, checked in by Xi Ruoyao <xry111@…>, 10 months ago

polkit: Expand and fix the command explanation for js102 sed

and demote duktape to recommended (but still keep it required internally
for jhalfs).

Property mode set to 100644

File size: 15.2 KB

Rev	Line
[9d3d8a8]	1	<?xml version="1.0" encoding="ISO-8859-1"?>
	2	<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
	3	"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
	4	<!ENTITY % general-entities SYSTEM "../../general.ent">
	5	%general-entities;
	6
[60caf48]	7	<!ENTITY polkit-download-http "https://gitlab.freedesktop.org/polkit/polkit/-/archive/&polkit-version;/polkit-&polkit-version;.tar.gz">
[f47c6a6b]	8	<!ENTITY polkit-download-ftp " ">
[6be3fe3]	9	<!ENTITY polkit-md5sum "36540b837c588e1e77145523bb39f511">
	10	<!ENTITY polkit-size "736 KB">
	11	<!ENTITY polkit-buildsize "6.8 MB (with tests)">
[7d5d3d4]	12	<!ENTITY polkit-time "0.3 SBU (with tests, using parallelism=4)">
[9d3d8a8]	13	]>
	14
[01996ebb]	15	<sect1 id="polkit" xreflabel="Polkit-&polkit-version;">
[9d3d8a8]	16	<?dbhtml filename="polkit.html"?>
	17
	18
[01996ebb]	19	<title>Polkit-&polkit-version;</title>
[9d3d8a8]	20
	21	<indexterm zone="polkit">
[01996ebb]	22	<primary sortas="a-Polkit">Polkit</primary>
[9d3d8a8]	23	</indexterm>
	24
	25	<sect2 role="package">
[01996ebb]	26	<title>Introduction to Polkit</title>
[9d3d8a8]	27
[b84342d6]	28	<para>
[01996ebb]	29	<application>Polkit</application> is a toolkit for defining and handling
[9ca304a]	30	authorizations. It is used for allowing unprivileged processes to
[30f82900]	31	communicate with privileged processes.
[b84342d6]	32	</para>
[9d3d8a8]	33
[479979e]	34	&lfs120_checked;
[27e62762]	35
[9d3d8a8]	36	<bridgehead renderas="sect3">Package Information</bridgehead>
	37	<itemizedlist spacing="compact">
	38	<listitem>
[b84342d6]	39	<para>
	40	Download (HTTP): <ulink url="&polkit-download-http;"/>
	41	</para>
[9d3d8a8]	42	</listitem>
	43	<listitem>
[b84342d6]	44	<para>
	45	Download (FTP): <ulink url="&polkit-download-ftp;"/>
	46	</para>
[9d3d8a8]	47	</listitem>
	48	<listitem>
[b84342d6]	49	<para>
	50	Download MD5 sum: &polkit-md5sum;
	51	</para>
[9d3d8a8]	52	</listitem>
	53	<listitem>
[b84342d6]	54	<para>
	55	Download size: &polkit-size;
	56	</para>
[9d3d8a8]	57	</listitem>
	58	<listitem>
[b84342d6]	59	<para>
	60	Estimated disk space required: &polkit-buildsize;
	61	</para>
[9d3d8a8]	62	</listitem>
	63	<listitem>
[b84342d6]	64	<para>
	65	Estimated build time: &polkit-time;
	66	</para>
[9d3d8a8]	67	</listitem>
	68	</itemizedlist>
[ad539dbe]	69
[7d5d3d4]	70	<!--
[7e280b45]	71	<bridgehead renderas="sect3">Additional Downloads</bridgehead>
	72	<itemizedlist spacing="compact">
[ad539dbe]	73	<listitem>
[4a0b346]	74	<para>
[7e280b45]	75	Required patch:
[4483a9a]	76	<ulink url="&patch-root;/polkit-&polkit-version;-security_fixes-1.patch"/>
[4a0b346]	77	</para>
	78	</listitem>
[b5b1af68]	79	<listitem>
	80	<para>
	81	Required patch:
	82	<ulink url="&patch-root;/polkit-&polkit-version;-js91-1.patch"/>
	83	</para>
	84	</listitem>
[3b40dbb3]	85	</itemizedlist>
[7d5d3d4]	86	-->
[ad539dbe]	87
[01996ebb]	88	<bridgehead renderas="sect3">Polkit Dependencies</bridgehead>
[9d3d8a8]	89
	90	<bridgehead renderas="sect4">Required</bridgehead>
[bb947c32]	91	<para role="required">
[b317cda]	92	<xref linkend="glib2"/>
[4c2be438]	93	</para>
	94
[51dfb3e]	95	<bridgehead renderas="sect4">Recommended</bridgehead>
	96	<para role="recommended">
[b317cda]	97	<!-- For jhalfs just make it required to avoid over-complexity. -->
	98	<xref role="required" linkend="duktape"/>,
[59f6a1f]	99	<xref linkend="gobject-introspection"/>,
[3345cfea]	100	<xref linkend="libxslt"/>,<phrase revision="systemd"> and</phrase>
	101	<xref linkend="linux-pam"/><phrase revision="sysv">, and
	102	<xref linkend="elogind"/>
[7cb4635]	103	</phrase>
[f586237]	104	</para>
	105
[51dfb3e]	106	<note>
[f586237]	107	<para>
[51dfb3e]	108	Since <phrase revision="sysv"><command>elogind</command></phrase>
	109	<phrase revision="systemd"><command>systemd-logind</command></phrase>
	110	uses PAM to register user sessions, it is a good idea to build
	111	<application>Polkit</application> with PAM support so
	112	<phrase revision="sysv"><command>elogind</command></phrase>
	113	<phrase revision="systemd"><command>systemd-logind</command></phrase>
	114	can track <application>Polkit</application> sessions.
[f586237]	115	</para>
	116	</note>
	117
	118
[59f6a1f]	119	<!-- Due to the fact that meson will not autodetect g-i and
	120	has it set to required unless you pass an option, and the likelihood
	121	of users ignoring a command explanation and then sending in mails
	122	regarding KDE or GNOME not working after installing polkit, let's move
	123	it to recommended. See #15640 for logic
[4c2be438]	124	<bridgehead renderas="sect4">Optional (Required if building GNOME)</bridgehead>
	125	<para role="optional">
	126	<xref linkend="gobject-introspection"/>
	127	</para>
[59f6a1f]	128	-->
[9d3d8a8]	129
	130	<bridgehead renderas="sect4">Optional</bridgehead>
[bb947c32]	131	<para role="optional">
[a428935]	132	<xref linkend="gtk-doc"/>,
[14bd41d]	133	<xref linkend="js102"/> (can be used in place of duktape), and
[a428935]	134	<xref linkend="python-dbusmock"/> (for tests)
[f586237]	135	</para>
	136
	137	<bridgehead renderas="sect4" revision="systemd">Required Runtime Dependencies</bridgehead>
	138	<para role="required" revision="systemd">
[96e9478]	139	<xref role="runtime" linkend="systemd"/>
[4c2be438]	140	</para>
[875b4070]	141
[f13e9026]	142	<bridgehead renderas="sect4" id="polkit-agent" xreflabel="Polkit Authentication Agent">
	143	Optional Runtime Dependencies
	144	</bridgehead>
[fee64868]	145	<para role="optional">
	146	One polkit authentication agent for using polkit in the graphical
	147	environment:
	148	<application>polkit-kde-agent</application> in
	149	<xref role="runtime" linkend="plasma5-build"/> for KDE,
	150	the agent built in
	151	<xref role="runtime" linkend="gnome-shell"/> for GNOME3,
	152	<xref role="runtime" linkend="polkit-gnome"/> for XFCE, and
	153	<application>lxpolkit</application> in
[a428935]	154	<xref role="runtime" linkend="lxsession"/> for LXDE
[fee64868]	155	</para>
	156
[875b4070]	157	<note>
[b84342d6]	158	<para>
[f586237]	159	If <xref linkend="libxslt"/> is installed,
	160	then <xref linkend="DocBook"/> and <xref linkend="docbook-xsl"/> are
	161	required. If you have installed <xref linkend="libxslt"/>, but you do
	162	not want to install any of the DocBook packages mentioned, you will
[59f6a1f]	163	need to use <option>-Dman=false</option> in the instructions
[f586237]	164	below.
[b84342d6]	165	</para>
[875b4070]	166	</note>
[9d3d8a8]	167
	168	</sect2>
	169
	170	<sect2 role="installation">
[01996ebb]	171	<title>Installation of Polkit</title>
[9d3d8a8]	172
[b84342d6]	173	<para>
[01996ebb]	174	There should be a dedicated user and group to take control
	175	of the <command>polkitd</command> daemon after it is
	176	started. Issue the following commands as the
	177	<systemitem class="username">root</systemitem> user:
	178	</para>
	179
	180	<screen role="root"><userinput>groupadd -fg 27 polkitd &&
	181	useradd -c "PolicyKit Daemon Owner" -d /etc/polkit-1 -u 27 \
	182	-g polkitd -s /bin/false polkitd</userinput></screen>
	183
[59f6a1f]	184	<para>
[6be3fe3]	185	If using <xref linkend="js102"/>, make the following change (see Command
	186	Explanations below for more information):
[59f6a1f]	187	</para>
	188
[b317cda]	189	<screen><userinput remap="nodump">sed -e 's/JS_Init/JS::DisableJitBackend(); &/' \
[6be3fe3]	190	-i src/polkitbackend/polkitbackendjsauthority.cpp</userinput></screen>
[7e280b45]	191
[6be3fe3]	192	<!--
[7e280b45]	193	<para>
[4483a9a]	194	Apply a patch to fix two security issues:
[7e280b45]	195	</para>
	196
[4483a9a]	197	<screen><userinput remap="pre">patch -Np1 -i ../polkit-&polkit-version;-security_fixes-1.patch</userinput></screen>
[7e280b45]	198
[b5b1af68]	199	<para>
	200	Port this package to use JS-91:
	201	</para>
	202
	203	<screen><userinput remap="pre">patch -Np1 -i ../polkit-&polkit-version;-js91-1.patch</userinput></screen>
[7d5d3d4]	204	-->
[b5b1af68]	205
[01996ebb]	206	<para>
	207	Install <application>Polkit</application> by running the following
[37aba7f]	208	commands:
[b84342d6]	209	</para>
[9d3d8a8]	210
[59f6a1f]	211	<screen revision="systemd"><userinput>mkdir build &&
	212	cd build &&
	213
[91318eb]	214	meson setup .. \
	215	--prefix=/usr \
[60caf48]	216	--buildtype=release \
[59f6a1f]	217	-Dman=true \
	218	-Dsession_tracking=libsystemd-login \
[91318eb]	219	-Dtests=true &&
[59f6a1f]	220	ninja</userinput></screen>
[51dfb3e]	221
[59f6a1f]	222	<screen revision="sysv"><userinput>mkdir build &&
	223	cd build &&
	224
[91318eb]	225	meson setup .. \
	226	--prefix=/usr \
[60caf48]	227	--buildtype=release \
[59f6a1f]	228	-Dman=true \
	229	-Dsession_tracking=libelogind \
[91318eb]	230	-Dtests=true &&
[59f6a1f]	231	ninja</userinput></screen>
	232
[b84342d6]	233	<para>
[8558044]	234	To test the results, first ensure that the system
[bf654b1]	235	<application>D-Bus</application> daemon is running,
	236	and both <xref linkend='dbus-python'/> and
	237	<xref linkend='python-dbusmock'/> are installed.
[8de6bb81]	238	Then run <command>ninja test</command>.
[59f6a1f]	239	</para>
[9d3d8a8]	240
[b84342d6]	241	<para>
	242	Now, as the <systemitem class="username">root</systemitem> user:
	243	</para>
[9d3d8a8]	244
[6be3fe3]	245	<screen role="root"><userinput>ninja install</userinput></screen>
[9d3d8a8]	246
	247	</sect2>
	248
	249	<sect2 role="commands">
	250	<title>Command Explanations</title>
	251
[215c3ea5]	252	<para>
[b317cda]	253	<command>sed -e 's/JS_Init/JS::DisableJitBackend(); &/' ...
	254	</command>: The JIT compiling of JS102 needs W+X mapping which
	255	is dangerous and is not permitted by the
	256	<application>systemd</application> unit file shipped within the polkit
	257	package. This command is not strictly needed on systems based on
	258	sysvinit but it still improves security. It has no effect if building
	259	polkit with the recommended <xref linkend='duktape'/> Javascript
	260	engine.
[215c3ea5]	261	</para>
	262
[7e280b45]	263	<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
	264	href="../../xincludes/meson-buildtype-release.xml"/>
	265
[492cca2c]	266	<para>
	267	<parameter>-Dtests=true</parameter>: This switch allows to run the
	268	test suite of this package. As <application>Polkit</application> is
	269	used for authorizations, its integrity can affect system security.
	270	So it's recommended to run the test suite building this package.
	271	</para>
	272
[7d5d3d4]	273	<para>
[0c72a8b]	274	<option>-Djs_engine=mozjs</option>: This switch allows using the
	275	<xref linkend="js102"/> JavaScript engine instead of the
	276	<xref linkend='duktape'/> JavaScript engine.
[7d5d3d4]	277	</para>
	278
[59f6a1f]	279	<!--
[4a0b346]	280	<para revision="sysv">
[59f6a1f]	281	<parameter>- -disable-libsystemd-login</parameter>: This switch forces
[4a0b346]	282	polkit to build with elogind support (if available) rather than
	283	systemd-logind.
	284	</para>
	285
[7a9a7b26]	286
[ad539dbe]	287	<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
	288	href="../../xincludes/static-libraries.xml"/>
[59f6a1f]	289	-->
[7a9a7b26]	290
[1121404]	291	<para>
	292	<option>-Dos_type=lfs</option>: Use this switch if you did not create
	293	the <filename>/etc/lfs-release</filename> file or distribution auto
	294	detection will fail and you will be unable to use
	295	<application>Polkit</application>.
	296	</para>
	297
[51dfb3e]	298	<para>
[59f6a1f]	299	<option>-Dauthfw=shadow</option>: This switch enables the
[f586237]	300	package to use the <application>Shadow</application> rather than the
	301	<application>Linux PAM</application> Authentication framework. Use it
	302	if you have not installed <application>Linux PAM</application>.
[b84342d6]	303	</para>
	304
[59f6a1f]	305	<!--
[e05cd03f]	306	<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
[51dfb3e]	307	href="../../xincludes/gtk-doc-rebuild.xml"/>
[59f6a1f]	308	-->
	309
	310	<para>
	311	<option>-Dintrospection=false</option>: Use this option if you are certain
	312	that you do not need gobject-introspection files for polkit, or do not have
	313	gobject-introspection installed.
	314	</para>
	315
	316	<para>
	317	<option>-Dman=false</option>: Use this option to disable generating and
	318	installing manual pages. This is useful if libxslt is not installed.
	319	</para>
	320
	321	<para>
	322	<option>-Dexamples=true</option>: Use this option to build the example
	323	programs.
	324	</para>
	325
	326	<para>
	327	<option>-Dgtk_doc=true</option>: Use this option to enable building and
	328	installing the API documentation.
	329	</para>
[51dfb3e]	330
[9d3d8a8]	331	</sect2>
	332
	333	<sect2 role="content">
	334	<title>Contents</title>
	335
	336	<segmentedlist>
	337	<segtitle>Installed Programs</segtitle>
	338	<segtitle>Installed Libraries</segtitle>
	339	<segtitle>Installed Directories</segtitle>
	340
	341	<seglistitem>
[b84342d6]	342	<seg>
[59f6a1f]	343	pkaction, pkcheck, <!--pk-example-frobnicate,--> pkexec,
[a428935]	344	pkttyagent, and polkitd
[b84342d6]	345	</seg>
	346	<seg>
[0d7900a]	347	libpolkit-agent-1.so and
[b84342d6]	348	libpolkit-gobject-1.so
	349	</seg>
[028759b]	350	<seg>
[01996ebb]	351	/etc/polkit-1,
	352	/usr/include/polkit-1,
	353	/usr/lib/polkit-1,
[a428935]	354	/usr/share/gtk-doc/html/polkit-1, and
[028759b]	355	/usr/share/polkit-1
[b84342d6]	356	</seg>
[9d3d8a8]	357	</seglistitem>
	358	</segmentedlist>
	359
	360	<variablelist>
	361	<bridgehead renderas="sect3">Short Descriptions</bridgehead>
	362	<?dbfo list-presentation="list"?>
	363	<?dbhtml list-presentation="table"?>
	364
	365	<varlistentry id="pkaction">
	366	<term><command>pkaction</command></term>
	367	<listitem>
[b84342d6]	368	<para>
[4c24eb0a]	369	is used to obtain information about registered PolicyKit actions
[b84342d6]	370	</para>
[9d3d8a8]	371	<indexterm zone="polkit pkaction">
	372	<primary sortas="b-pkaction">pkaction</primary>
	373	</indexterm>
	374	</listitem>
	375	</varlistentry>
	376
	377	<varlistentry id="pkcheck">
	378	<term><command>pkcheck</command></term>
	379	<listitem>
[b84342d6]	380	<para>
[4c24eb0a]	381	is used to check whether a process is authorized for action
[b84342d6]	382	</para>
[9d3d8a8]	383	<indexterm zone="polkit pkcheck">
	384	<primary sortas="b-pkcheck">pkcheck</primary>
	385	</indexterm>
	386	</listitem>
	387	</varlistentry>
	388
[59f6a1f]	389	<!--
[72d90b67]	390	<varlistentry id="pk-example-frobnicate">
	391	<term><command>pk-example-frobnicate</command></term>
	392	<listitem>
	393	<para>
	394	is an example program to test the <command>pkexec</command>
[4c24eb0a]	395	command
[72d90b67]	396	</para>
	397	<indexterm zone="polkit pk-example-frobnicate">
	398	<primary sortas="b-pk-example-frobnicate">pk-example-frobnicate</primary>
	399	</indexterm>
	400	</listitem>
	401	</varlistentry>
[59f6a1f]	402	-->
[7a9a7b26]	403
[9d3d8a8]	404	<varlistentry id="pkexec">
	405	<term><command>pkexec</command></term>
	406	<listitem>
[b84342d6]	407	<para>
[4c24eb0a]	408	allows an authorized user to execute a command as another user
[b84342d6]	409	</para>
[9d3d8a8]	410	<indexterm zone="polkit pkexec">
	411	<primary sortas="b-pkexec">pkexec</primary>
	412	</indexterm>
	413	</listitem>
	414	</varlistentry>
	415
[b84342d6]	416	<varlistentry id="pkttyagent">
	417	<term><command>pkttyagent</command></term>
[9d3d8a8]	418	<listitem>
[b84342d6]	419	<para>
[4c24eb0a]	420	is used to start a textual authentication agent for the subject
[b84342d6]	421	</para>
	422	<indexterm zone="polkit pkttyagent">
	423	<primary sortas="b-pkttyagent">pkttyagent</primary>
[9d3d8a8]	424	</indexterm>
	425	</listitem>
[b84342d6]	426	</varlistentry>
[9d3d8a8]	427
[875b4070]	428	<varlistentry id="polkitd">
[9d3d8a8]	429	<term><command>polkitd</command></term>
	430	<listitem>
[b84342d6]	431	<para>
[0d7900a]	432	provides the org.freedesktop.PolicyKit1 <application>D-Bus</application>
[4c24eb0a]	433	service on the system message bus
[b84342d6]	434	</para>
[875b4070]	435	<indexterm zone="polkit polkitd">
[9d3d8a8]	436	<primary sortas="b-polkitd">polkitd</primary>
	437	</indexterm>
	438	</listitem>
	439	</varlistentry>
	440
	441	<varlistentry id="libpolkit-agent-1">
[4c24eb0a]	442	<term><filename class="libraryfile">libpolkit-agent-1.so</filename></term>
[9d3d8a8]	443	<listitem>
[b84342d6]	444	<para>
[01996ebb]	445	contains the <application>Polkit</application> authentication
[4c24eb0a]	446	agent API functions
[b84342d6]	447	</para>
[9d3d8a8]	448	<indexterm zone="polkit libpolkit-agent-1">
[b84342d6]	449	<primary sortas="c-libpolkit-agent-1">libpolkit-agent-1.so</primary>
[9d3d8a8]	450	</indexterm>
	451	</listitem>
	452	</varlistentry>
	453
	454	<varlistentry id="libpolkit-gobject-1">
[4c24eb0a]	455	<term><filename class="libraryfile">libpolkit-gobject-1.so</filename></term>
[9d3d8a8]	456	<listitem>
[b84342d6]	457	<para>
[4c24eb0a]	458	contains the <application>Polkit</application> authorization API functions
[b84342d6]	459	</para>
[9d3d8a8]	460	<indexterm zone="polkit libpolkit-gobject-1">
[b84342d6]	461	<primary sortas="c-libpolkit-gobject-1">libpolkit-gobject-1.so</primary>
[9d3d8a8]	462	</indexterm>
	463	</listitem>
	464	</varlistentry>
	465
	466	</variablelist>
	467
	468	</sect2>
	469
	470	</sect1>

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: postlfs/security/polkit.xml@ faa948c

Download in other formats: