brandon/oam
1
0
Fork 0
mirror of https://gitea.com/mcereda/oam.git synced 2026-02-09 05:44:23 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
60404eabbee6d2f9c114a06a0e2a83e99f64f9b2
oam/knowledge base/polkit.md
Michele Cereda ff97f9c99c chore(kb): import notes from an old repository
2024-06-15 14:08:41 +02:00

1.8 KiB
Raw Blame History

Polkit

Provides an authorization API
. Those are intended to be used by privileged programs (A.K.A. mechanisms) that offer services to unprivileged programs (A.K.A. subjects).

Mechanisms typically treat subjects as untrusted.
For every request from subjects, mechanisms need to determine if the request is authorized or if they should refuse to service the subject; mechanisms can offload this decision to the polkit authority using the polkit APIs.

The system architecture of polkit is comprised of the Authority and an Authentication Agent per user session.
Actions are defined by applications. Vendors, sites and system administrators can control the authorization policy using Authorization Rules.

The Authentication Agent provided and started by the user's graphical environment

The Authority is implemented as a system daemon (polkitd)
The daemon itself runs as the polkitd system user to have little privilege.

Mechanisms, subjects and authentication agents communicate with the authority using the system message bus.

In addition to acting as an authority, polkit allows users to obtain temporary authorization through authenticating either an administrative user or the owner of the session the client belongs to.
This is useful for scenarios where mechanisms needs to verify that the operator of the system really is the user or an administrative user.

Sources