nixpkgs/nixos/modules/security/polkit.nix

{ config, lib, pkgs, ... }:

with lib;

let

  cfg = config.security.polkit;

in

{

  options = {

    security.polkit.enable = mkOption {
      type = types.bool;
      default = true;
      description = "Whether to enable PolKit.";
    };

    security.polkit.extraConfig = mkOption {
      type = types.lines;
      default = "";
      example =
        ''
          /* Log authorization checks. */
          polkit.addRule(function(action, subject) {
            polkit.log("user " +  subject.user + " is attempting action " + action.id + " from PID " + subject.pid);
          });

          /* Allow any local user to do anything (dangerous!). */
          polkit.addRule(function(action, subject) {
            if (subject.local) return "yes";
          });
        '';
      description =
        ''
          Any polkit rules to be added to config (in JavaScript ;-). See:
          http://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html#polkit-rules
        '';
    };

    security.polkit.adminIdentities = mkOption {
      type = types.listOf types.str;
      default = [ "unix-user:0" "unix-group:wheel" ];
      example = [ "unix-user:alice" "unix-group:admin" ];
      description =
        ''
          Specifies which users are considered “administrators”, for those
          actions that require the user to authenticate as an
          administrator (i.e. have an <literal>auth_admin</literal>
          value).  By default, this is the <literal>root</literal>
          user and all users in the <literal>wheel</literal> group.
        '';
    };

  };


  config = mkIf cfg.enable {

    environment.systemPackages = [ pkgs.polkit.bin pkgs.polkit.out ];

    systemd.packages = [ pkgs.polkit.out ];

    systemd.services.polkit.restartTriggers = [ config.system.path ];
    systemd.services.polkit.unitConfig.X-StopIfChanged = false;

    # The polkit daemon reads action/rule files
    environment.pathsToLink = [ "/share/polkit-1" ];

    # PolKit rules for NixOS.
    environment.etc."polkit-1/rules.d/10-nixos.rules".text =
      ''
        polkit.addAdminRule(function(action, subject) {
          return [${concatStringsSep ", " (map (i: "\"${i}\"") cfg.adminIdentities)}];
        });

        ${cfg.extraConfig}
      ''; #TODO: validation on compilation (at least against typos)

    services.dbus.packages = [ pkgs.polkit.out ];

    security.pam.services.polkit-1 = {};

    security.setuidPrograms = [ "pkexec" ];

    security.setuidOwners = [
      { program = "polkit-agent-helper-1";
        owner = "root";
        group = "root";
        setuid = true;
        source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1";
      }
    ];

    system.activationScripts.polkit =
      ''
        # Probably no more needed, clean up
        rm -rf /var/lib/{polkit-1,PolicyKit}
      '';

    users.extraUsers.polkituser = {
      description = "PolKit daemon";
      uid = config.ids.uids.polkituser;
    };

  };

}
Rewrite ‘with pkgs.lib’ -> ‘with lib’ Using pkgs.lib on the spine of module evaluation is problematic because the pkgs argument depends on the result of module evaluation. To prevent an infinite recursion, pkgs and some of the modules are evaluated twice, which is inefficient. Using ‘with lib’ prevents this problem. 2014-04-14 16:26:48 +02:00			`{ config, lib, pkgs, ... }:`
* A module for policy-kit (not enabled yet). svn path=/nixos/trunk/; revision=16738 2009-08-16 21:48:46 +00:00
Rewrite ‘with pkgs.lib’ -> ‘with lib’ Using pkgs.lib on the spine of module evaluation is problematic because the pkgs argument depends on the result of module evaluation. To prevent an infinite recursion, pkgs and some of the modules are evaluated twice, which is inefficient. Using ‘with lib’ prevents this problem. 2014-04-14 16:26:48 +02:00			`with lib;`
* A module for policy-kit (not enabled yet). svn path=/nixos/trunk/; revision=16738 2009-08-16 21:48:46 +00:00
Enable polkit-1 Now both polkit-1 and old policykit are enabled. Packages that can use both will be migrated to new polkit-1, than old one can be disabled. svn path=/nixos/trunk/; revision=21776 2010-05-14 20:28:04 +00:00			`let`
* Add some options to allow setting PolKit permissions. svn path=/nixos/trunk/; revision=28729 2011-08-21 20:38:45 +00:00
			`cfg = config.security.polkit;`

Enable polkit-1 Now both polkit-1 and old policykit are enabled. Packages that can use both will be migrated to new polkit-1, than old one can be disabled. svn path=/nixos/trunk/; revision=21776 2010-05-14 20:28:04 +00:00			`in`

* A module for policy-kit (not enabled yet). svn path=/nixos/trunk/; revision=16738 2009-08-16 21:48:46 +00:00			`{`

* Add some options to allow setting PolKit permissions. svn path=/nixos/trunk/; revision=28729 2011-08-21 20:38:45 +00:00			`options = {`
* A module for policy-kit (not enabled yet). svn path=/nixos/trunk/; revision=16738 2009-08-16 21:48:46 +00:00
* Add some options to allow setting PolKit permissions. svn path=/nixos/trunk/; revision=28729 2011-08-21 20:38:45 +00:00			`security.polkit.enable = mkOption {`
Add lots of missing option types 2013-10-30 17:37:45 +01:00			`type = types.bool;`
* Add some options to allow setting PolKit permissions. svn path=/nixos/trunk/; revision=28729 2011-08-21 20:38:45 +00:00			`default = true;`
			`description = "Whether to enable PolKit.";`
Enable polkit-1 Now both polkit-1 and old policykit are enabled. Packages that can use both will be migrated to new polkit-1, than old one can be disabled. svn path=/nixos/trunk/; revision=21776 2010-05-14 20:28:04 +00:00			`};`
* A module for policy-kit (not enabled yet). svn path=/nixos/trunk/; revision=16738 2009-08-16 21:48:46 +00:00
polkit: major update 0.105 -> 0.112 - It now uses JavaScript for configuration (only), so I had to "convert" config for NetworkManager. - I tested suspend/restart/(un)mount on KDE/Xfce, Phreedom tested NetworkManager config conversion. 2013-11-09 16:29:18 +01:00			`security.polkit.extraConfig = mkOption {`
Add lots of missing option types 2013-10-30 17:37:45 +01:00			`type = types.lines;`
* Add some options to allow setting PolKit permissions. svn path=/nixos/trunk/; revision=28729 2011-08-21 20:38:45 +00:00			`default = "";`
			`example =`
			`''`
polkit: Add some examples 2013-11-18 18:01:07 +01:00			`/* Log authorization checks. */`
			`polkit.addRule(function(action, subject) {`
			`polkit.log("user " + subject.user + " is attempting action " + action.id + " from PID " + subject.pid);`
			`});`

			`/* Allow any local user to do anything (dangerous!). */`
			`polkit.addRule(function(action, subject) {`
			`if (subject.local) return "yes";`
			`});`
* Add some options to allow setting PolKit permissions. svn path=/nixos/trunk/; revision=28729 2011-08-21 20:38:45 +00:00			`'';`
			`description =`
			`''`
polkit: major update 0.105 -> 0.112 - It now uses JavaScript for configuration (only), so I had to "convert" config for NetworkManager. - I tested suspend/restart/(un)mount on KDE/Xfce, Phreedom tested NetworkManager config conversion. 2013-11-09 16:29:18 +01:00			`Any polkit rules to be added to config (in JavaScript ;-). See:`
			`http://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html#polkit-rules`
* Add some options to allow setting PolKit permissions. svn path=/nixos/trunk/; revision=28729 2011-08-21 20:38:45 +00:00			`'';`
Enable polkit-1 Now both polkit-1 and old policykit are enabled. Packages that can use both will be migrated to new polkit-1, than old one can be disabled. svn path=/nixos/trunk/; revision=21776 2010-05-14 20:28:04 +00:00			`};`
* A module for policy-kit (not enabled yet). svn path=/nixos/trunk/; revision=16738 2009-08-16 21:48:46 +00:00
* Add some options to allow setting PolKit permissions. svn path=/nixos/trunk/; revision=28729 2011-08-21 20:38:45 +00:00			`security.polkit.adminIdentities = mkOption {`
polkit: Fix authenticating as a wheel user In Javascript-based PolKit, "unix-user:0;unix-group:wheel" is not valid; it should be a list "unix-user:0", "unix-group:wheel". 2013-11-18 17:45:31 +01:00			`type = types.listOf types.str;`
			`default = [ "unix-user:0" "unix-group:wheel" ];`
			`example = [ "unix-user:alice" "unix-group:admin" ];`
* Add some options to allow setting PolKit permissions. svn path=/nixos/trunk/; revision=28729 2011-08-21 20:38:45 +00:00			`description =`
			`''`
			`Specifies which users are considered “administrators”, for those`
			`actions that require the user to authenticate as an`
Fix typos, especially those that end up in the NixOS manual 2013-08-10 21:07:13 +00:00			`administrator (i.e. have an <literal>auth_admin</literal>`
* Add some options to allow setting PolKit permissions. svn path=/nixos/trunk/; revision=28729 2011-08-21 20:38:45 +00:00			`value). By default, this is the <literal>root</literal>`
			`user and all users in the <literal>wheel</literal> group.`
			`'';`
			`};`

			`};`


			`config = mkIf cfg.enable {`

nixos systemPackages: rework default outputs - Now `pkg.outputUnspecified = true` but this attribute is missing in every output, so we can recognize whether the user chose or not. If (s)he didn't choose, we put `pkg.bin or pkg.out or pkg` into `systemPackages`. - `outputsToLink` is replaced by `extraOutputsToLink`. We add extra outputs regardless of whether the user chose anything. It's mainly meant for outputs with docs and debug symbols. - Note that as a result, some libraries will disappear from system path. 2016-01-28 11:24:18 +01:00			`environment.systemPackages = [ pkgs.polkit.bin pkgs.polkit.out ];`
* Add some options to allow setting PolKit permissions. svn path=/nixos/trunk/; revision=28729 2011-08-21 20:38:45 +00:00
nixos/polkit: fix systemd service after spiltting 2015-11-26 18:14:22 +01:00			`systemd.packages = [ pkgs.polkit.out ];`
polkit: major update 0.105 -> 0.112 - It now uses JavaScript for configuration (only), so I had to "convert" config for NetworkManager. - I tested suspend/restart/(un)mount on KDE/Xfce, Phreedom tested NetworkManager config conversion. 2013-11-09 16:29:18 +01:00
Restart polkit if its configuration may have changed 2014-04-19 14:29:02 +02:00			`systemd.services.polkit.restartTriggers = [ config.system.path ];`
			`systemd.services.polkit.unitConfig.X-StopIfChanged = false;`

polkit: major update 0.105 -> 0.112 - It now uses JavaScript for configuration (only), so I had to "convert" config for NetworkManager. - I tested suspend/restart/(un)mount on KDE/Xfce, Phreedom tested NetworkManager config conversion. 2013-11-09 16:29:18 +01:00			`# The polkit daemon reads action/rule files`
			`environment.pathsToLink = [ "/share/polkit-1" ];`

polkit: The rule file needs to end in .rules Otherwise it's ignored. 2013-11-18 17:33:20 +01:00			`# PolKit rules for NixOS.`
			`environment.etc."polkit-1/rules.d/10-nixos.rules".text =`
			`''`
			`polkit.addAdminRule(function(action, subject) {`
polkit: Fix authenticating as a wheel user In Javascript-based PolKit, "unix-user:0;unix-group:wheel" is not valid; it should be a list "unix-user:0", "unix-group:wheel". 2013-11-18 17:45:31 +01:00			`return [${concatStringsSep ", " (map (i: "\"${i}\"") cfg.adminIdentities)}];`
polkit: The rule file needs to end in .rules Otherwise it's ignored. 2013-11-18 17:33:20 +01:00			`});`

			`${cfg.extraConfig}`
			`''; #TODO: validation on compilation (at least against typos)`
* Add some options to allow setting PolKit permissions. svn path=/nixos/trunk/; revision=28729 2011-08-21 20:38:45 +00:00
nixos/polkit: Reference correct output of polkit 2015-10-16 19:28:55 +03:00			`services.dbus.packages = [ pkgs.polkit.out ];`
* Add some options to allow setting PolKit permissions. svn path=/nixos/trunk/; revision=28729 2011-08-21 20:38:45 +00:00
Turn security.pam.services into an attribute set That is, you can say security.pam.services.sshd = { options... }; instead of security.pam.services = [ { name = "sshd"; options... } ]; making it easier to override PAM settings from other modules. 2013-10-15 14:47:51 +02:00			`security.pam.services.polkit-1 = {};`
strip trailing whitespace; no functional change svn path=/nixos/trunk/; revision=29285 2011-09-14 18:20:50 +00:00
* Add some options to allow setting PolKit permissions. svn path=/nixos/trunk/; revision=28729 2011-08-21 20:38:45 +00:00			`security.setuidPrograms = [ "pkexec" ];`

polkit: major update 0.105 -> 0.112 - It now uses JavaScript for configuration (only), so I had to "convert" config for NetworkManager. - I tested suspend/restart/(un)mount on KDE/Xfce, Phreedom tested NetworkManager config conversion. 2013-11-09 16:29:18 +01:00			`security.setuidOwners = [`
* Add some options to allow setting PolKit permissions. svn path=/nixos/trunk/; revision=28729 2011-08-21 20:38:45 +00:00			`{ program = "polkit-agent-helper-1";`
			`owner = "root";`
			`group = "root";`
			`setuid = true;`
polkit: split dev and bin outputs 2015-10-14 06:03:25 +02:00			`source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1";`
polkit: major update 0.105 -> 0.112 - It now uses JavaScript for configuration (only), so I had to "convert" config for NetworkManager. - I tested suspend/restart/(un)mount on KDE/Xfce, Phreedom tested NetworkManager config conversion. 2013-11-09 16:29:18 +01:00			`}`
			`];`
* Add some options to allow setting PolKit permissions. svn path=/nixos/trunk/; revision=28729 2011-08-21 20:38:45 +00:00
Some cleanups in the activation script: * Moved some scriptlets to the appropriate modules. * Put the scriptlet that sets the default path at the start, since it never makes sense not to have it there. It no longer needs to be declared as a dependency. * If a scriptlet has no dependencies, it can be denoted as a plain string (i.e., `noDepEntry' is not needed anymore). svn path=/nixos/trunk/; revision=23762 2010-09-13 15:41:38 +00:00			`system.activationScripts.polkit =`
* A module for policy-kit (not enabled yet). svn path=/nixos/trunk/; revision=16738 2009-08-16 21:48:46 +00:00			`''`
polkit: major update 0.105 -> 0.112 - It now uses JavaScript for configuration (only), so I had to "convert" config for NetworkManager. - I tested suspend/restart/(un)mount on KDE/Xfce, Phreedom tested NetworkManager config conversion. 2013-11-09 16:29:18 +01:00			`# Probably no more needed, clean up`
			`rm -rf /var/lib/{polkit-1,PolicyKit}`
* A module for policy-kit (not enabled yet). svn path=/nixos/trunk/; revision=16738 2009-08-16 21:48:46 +00:00			`'';`
strip trailing whitespace; no functional change svn path=/nixos/trunk/; revision=29285 2011-09-14 18:20:50 +00:00
polkit: major update 0.105 -> 0.112 - It now uses JavaScript for configuration (only), so I had to "convert" config for NetworkManager. - I tested suspend/restart/(un)mount on KDE/Xfce, Phreedom tested NetworkManager config conversion. 2013-11-09 16:29:18 +01:00			`users.extraUsers.polkituser = {`
			`description = "PolKit daemon";`
			`uid = config.ids.uids.polkituser;`
			`};`

* A module for policy-kit (not enabled yet). svn path=/nixos/trunk/; revision=16738 2009-08-16 21:48:46 +00:00			`};`

* Added support for ConsoleKit. * Let ConsoleKit track the current logins instead of pam_console. Udev now takes care of setting the device permissions to the active user. This works much better, since pam_console wouldn't apply permissions to new (hot-plugged) devices. Also, the udev+ConsoleKit approach supports user switching. (We don't have that for X yet, but it already works for logins on virtual consoles: if you switch between different users on differents VCs with Alt+Fn, the device ownership will be changed automatically.) svn path=/nixos/trunk/; revision=16743 2009-08-17 01:16:38 +00:00			`}`
polkit: major update 0.105 -> 0.112 - It now uses JavaScript for configuration (only), so I had to "convert" config for NetworkManager. - I tested suspend/restart/(un)mount on KDE/Xfce, Phreedom tested NetworkManager config conversion. 2013-11-09 16:29:18 +01:00