2013/04/18

gksudo & pkexec (PolicyKit)


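gksudo and pkexec are two ways to run a program with root privileges through a graphical prompt. gksudo is a GTK+ frontend for sudo, so it uses the same permission configuration as sudo.

pkexec is based on PolicyKit and, compared with sudo (gksudo), offers more flexible permission management and more customizable prompts. On Ubuntu 12.04 its configuration files are in the following locations: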
  • Actions: /usr/share/polkit-1
  • Local Authorities: /etc/polkit-1
  • 3rd party Authorities: /var/lib/polkit-1
Actions define what may be done. For example, the permission to run gparted is defined as follows:
$ cat /usr/share/polkit-1/actions/com.ubuntu.pkexec.gparted.policy
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>

  <action id="com.ubuntu.pkexec.gparted">
    <message gettext-domain="gparted">Authentication is required to run the GParted Partition Editor</message>
    <icon_name>gparted</icon_name>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/sbin/gparted</annotate>
    <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
  </action>

</policyconfig>

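The allow_* elements set the authorization method for different usage scenarios. auth_admin, for example, requires the subject (the user) to have administrative privileges to run the action; in other words, a password must be entered. For the detailed differences, see the quote below: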
allow_any, allow_inactive, and allow_active. Inactive sessions are generally remote sessions (SSH, VNC, etc.) whereas active sessions are logged directly into the machine on a TTY or an X display. Allow_any is the setting encompassing both scenarios.
For each of these settings the following options are available:
  • no: The user is not authorized to carry out the action. There is therefore no need for authentication.
  • yes: The user is authorized to carry out the action without any authentication.
  • auth_self: Authentication is required but the user need not be an administrative user.
  • auth_admin: Authentication as an administrative user is required.
  • auth_self_keep: The same as auth_self but, like sudo, the authorization lasts a few minutes.
  • auth_admin_keep: The same as auth_admin but, like sudo, the authorization lasts a few minutes.
The two annotate key lines set the program path and whether a GUI is allowed.
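
To review these defaults across policy files, the following added example (not part of the original post) parses a .policy document and lists each pkexec action whose allow_* defaults grant it without administrator authentication. The second action, org.example.pkexec.demo-tool, is a hypothetical entry constructed for contrast, and treating a missing allow_* element as "no" is an assumption of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the gparted action above plus a hypothetical weak action.
SAMPLE_POLICY = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>
  <action id="com.ubuntu.pkexec.gparted">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/sbin/gparted</annotate>
  </action>
  <action id="org.example.pkexec.demo-tool">
    <defaults>
      <allow_any>no</allow_any>
      <allow_active>yes</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/local/bin/demo-tool</annotate>
  </action>
</policyconfig>
"""

EXEC_PATH_KEY = "org.freedesktop.policykit.exec.path"
SESSIONS = ("allow_any", "allow_inactive", "allow_active")
# Values that never hand out the action without an administrator's password.
ADMIN_GATED = {"no", "auth_admin", "auth_admin_keep"}


def audit_policy(xml_bytes):
    """Return one finding per pkexec action: id, program, defaults, weak settings."""
    findings = []
    for action in ET.fromstring(xml_bytes).iter("action"):
        annotations = {a.get("key"): (a.text or "").strip() for a in action.iter("annotate")}
        if EXEC_PATH_KEY not in annotations:
            continue  # no exec.path annotation, so not a pkexec action
        # A missing allow_* element is treated as "no" (assumption of this example).
        defaults = {s: (action.findtext(f"defaults/{s}") or "no").strip() for s in SESSIONS}
        weak = sorted(s for s, v in defaults.items() if v not in ADMIN_GATED)
        findings.append({"id": action.get("id"), "exec_path": annotations[EXEC_PATH_KEY],
                         "defaults": defaults, "weak": weak})
    return findings


if __name__ == "__main__":
    for f in audit_policy(SAMPLE_POLICY):
        print(f["id"], f["exec_path"], "WEAK: " + ",".join(f["weak"]) if f["weak"] else "ok")
```

On a real system, pass the bytes of each file under /usr/share/polkit-1/actions to audit_policy; local authority .pkla entries can still override these defaults.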

What counts as administrative privileges? /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf specifies that a user who belongs to the sudo or admin group counts as having administrative privileges:
$ cat /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf
[Configuration]
AdminIdentities=unix-group:sudo;unix-group:admin
Of course, you can also set different administrative requirements and results for different actions. For example, /var/lib/polkit-1/localauthority/10-vendor.d/com.ubuntu.desktop.pkla contains this section:
[Disable hibernate by default]
Identity=unix-user:*
Action=org.freedesktop.upower.hibernate
ResultActive=no
It specifies that all users (unix-user:*) are denied (ResultActive) the use of org.freedesktop.upower.hibernate.
