nixpkgs/modules/security/polkit.nix

{ config, pkgs, ... }:

with pkgs.lib;

let
  pkWrapper = pkgs.stdenv.mkDerivation {
    name = "polkit-wrapper";
    helper = "libexec/polkit-1/polkit-agent-helper-1";
    buildInputs = [ pkgs.xorg.lndir ];

    builder = pkgs.writeScript "pkwrap-builder" ''
      source $stdenv/setup

      mkdir -pv $out
      lndir ${pkgs.polkit} $out

      rm $out/$helper
      ln -sv ${config.security.wrapperDir}/polkit-agent-helper-1 $out/$helper
      '';
  };
in

{

  config = {

    environment = {
      systemPackages = [ pkWrapper ];
      pathsToLink = [ "/share/polkit-1" "/etc/polkit-1" ];
      etc = singleton
        { source = "${config.system.path}/etc/polkit-1";
          target = "polkit-1";
        };
    };

    services.dbus.packages = [ pkWrapper ];

    security = {
      pam.services = [ { name = "polkit-1"; } ];
      setuidPrograms = [ "pkexec" ];

      setuidOwners = singleton
        { program = "polkit-agent-helper-1";
          owner = "root";
          group = "root";
          setuid = true;
          source = pkgs.polkit + "/" + pkWrapper.helper;
        };
    };

    system.activationScripts.polkit =
      ''
        mkdir -p /var/lib/polkit-1/localauthority
        chmod 700 /var/lib/polkit-1{/localauthority,}
      '';
  };

}
* A module for policy-kit (not enabled yet). svn path=/nixos/trunk/; revision=16738 2009-08-16 21:48:46 +00:00			`{ config, pkgs, ... }:`

			`with pkgs.lib;`

Enable polkit-1 Now both polkit-1 and old policykit are enabled. Packages that can use both will be migrated to new polkit-1, than old one can be disabled. svn path=/nixos/trunk/; revision=21776 2010-05-14 20:28:04 +00:00			`let`
			`pkWrapper = pkgs.stdenv.mkDerivation {`
			`name = "polkit-wrapper";`
Use polkit-agent-helper-1 from libexec/polkit-1 svn path=/nixos/trunk/; revision=21844 2010-05-18 16:46:32 +00:00			`helper = "libexec/polkit-1/polkit-agent-helper-1";`
Enable polkit-1 Now both polkit-1 and old policykit are enabled. Packages that can use both will be migrated to new polkit-1, than old one can be disabled. svn path=/nixos/trunk/; revision=21776 2010-05-14 20:28:04 +00:00			`buildInputs = [ pkgs.xorg.lndir ];`

			`builder = pkgs.writeScript "pkwrap-builder" ''`
			`source $stdenv/setup`

Use polkit-agent-helper-1 from libexec/polkit-1 svn path=/nixos/trunk/; revision=21844 2010-05-18 16:46:32 +00:00			`mkdir -pv $out`
Enable polkit-1 Now both polkit-1 and old policykit are enabled. Packages that can use both will be migrated to new polkit-1, than old one can be disabled. svn path=/nixos/trunk/; revision=21776 2010-05-14 20:28:04 +00:00			`lndir ${pkgs.polkit} $out`

Use polkit-agent-helper-1 from libexec/polkit-1 svn path=/nixos/trunk/; revision=21844 2010-05-18 16:46:32 +00:00			`rm $out/$helper`
			`ln -sv ${config.security.wrapperDir}/polkit-agent-helper-1 $out/$helper`
Enable polkit-1 Now both polkit-1 and old policykit are enabled. Packages that can use both will be migrated to new polkit-1, than old one can be disabled. svn path=/nixos/trunk/; revision=21776 2010-05-14 20:28:04 +00:00			`'';`
			`};`
			`in`

* A module for policy-kit (not enabled yet). svn path=/nixos/trunk/; revision=16738 2009-08-16 21:48:46 +00:00			`{`

			`config = {`

Enable polkit-1 Now both polkit-1 and old policykit are enabled. Packages that can use both will be migrated to new polkit-1, than old one can be disabled. svn path=/nixos/trunk/; revision=21776 2010-05-14 20:28:04 +00:00			`environment = {`
			`systemPackages = [ pkWrapper ];`
			`pathsToLink = [ "/share/polkit-1" "/etc/polkit-1" ];`
Some cleanups in the activation script: * Moved some scriptlets to the appropriate modules. * Put the scriptlet that sets the default path at the start, since it never makes sense not to have it there. It no longer needs to be declared as a dependency. * If a scriptlet has no dependencies, it can be denoted as a plain string (i.e., `noDepEntry' is not needed anymore). svn path=/nixos/trunk/; revision=23762 2010-09-13 15:41:38 +00:00			`etc = singleton`
			`{ source = "${config.system.path}/etc/polkit-1";`
Enable polkit-1 Now both polkit-1 and old policykit are enabled. Packages that can use both will be migrated to new polkit-1, than old one can be disabled. svn path=/nixos/trunk/; revision=21776 2010-05-14 20:28:04 +00:00			`target = "polkit-1";`
Some cleanups in the activation script: * Moved some scriptlets to the appropriate modules. * Put the scriptlet that sets the default path at the start, since it never makes sense not to have it there. It no longer needs to be declared as a dependency. * If a scriptlet has no dependencies, it can be denoted as a plain string (i.e., `noDepEntry' is not needed anymore). svn path=/nixos/trunk/; revision=23762 2010-09-13 15:41:38 +00:00			`};`
Enable polkit-1 Now both polkit-1 and old policykit are enabled. Packages that can use both will be migrated to new polkit-1, than old one can be disabled. svn path=/nixos/trunk/; revision=21776 2010-05-14 20:28:04 +00:00			`};`
* A module for policy-kit (not enabled yet). svn path=/nixos/trunk/; revision=16738 2009-08-16 21:48:46 +00:00
Enable polkit-1 Now both polkit-1 and old policykit are enabled. Packages that can use both will be migrated to new polkit-1, than old one can be disabled. svn path=/nixos/trunk/; revision=21776 2010-05-14 20:28:04 +00:00			`services.dbus.packages = [ pkWrapper ];`
* A module for policy-kit (not enabled yet). svn path=/nixos/trunk/; revision=16738 2009-08-16 21:48:46 +00:00
Enable polkit-1 Now both polkit-1 and old policykit are enabled. Packages that can use both will be migrated to new polkit-1, than old one can be disabled. svn path=/nixos/trunk/; revision=21776 2010-05-14 20:28:04 +00:00			`security = {`
			`pam.services = [ { name = "polkit-1"; } ];`
			`setuidPrograms = [ "pkexec" ];`
* A module for policy-kit (not enabled yet). svn path=/nixos/trunk/; revision=16738 2009-08-16 21:48:46 +00:00
Some cleanups in the activation script: * Moved some scriptlets to the appropriate modules. * Put the scriptlet that sets the default path at the start, since it never makes sense not to have it there. It no longer needs to be declared as a dependency. * If a scriptlet has no dependencies, it can be denoted as a plain string (i.e., `noDepEntry' is not needed anymore). svn path=/nixos/trunk/; revision=23762 2010-09-13 15:41:38 +00:00			`setuidOwners = singleton`
			`{ program = "polkit-agent-helper-1";`
Enable polkit-1 Now both polkit-1 and old policykit are enabled. Packages that can use both will be migrated to new polkit-1, than old one can be disabled. svn path=/nixos/trunk/; revision=21776 2010-05-14 20:28:04 +00:00			`owner = "root";`
			`group = "root";`
			`setuid = true;`
Use polkit-agent-helper-1 from libexec/polkit-1 svn path=/nixos/trunk/; revision=21844 2010-05-18 16:46:32 +00:00			`source = pkgs.polkit + "/" + pkWrapper.helper;`
Some cleanups in the activation script: * Moved some scriptlets to the appropriate modules. * Put the scriptlet that sets the default path at the start, since it never makes sense not to have it there. It no longer needs to be declared as a dependency. * If a scriptlet has no dependencies, it can be denoted as a plain string (i.e., `noDepEntry' is not needed anymore). svn path=/nixos/trunk/; revision=23762 2010-09-13 15:41:38 +00:00			`};`
Enable polkit-1 Now both polkit-1 and old policykit are enabled. Packages that can use both will be migrated to new polkit-1, than old one can be disabled. svn path=/nixos/trunk/; revision=21776 2010-05-14 20:28:04 +00:00			`};`
* A module for policy-kit (not enabled yet). svn path=/nixos/trunk/; revision=16738 2009-08-16 21:48:46 +00:00
Some cleanups in the activation script: * Moved some scriptlets to the appropriate modules. * Put the scriptlet that sets the default path at the start, since it never makes sense not to have it there. It no longer needs to be declared as a dependency. * If a scriptlet has no dependencies, it can be denoted as a plain string (i.e., `noDepEntry' is not needed anymore). svn path=/nixos/trunk/; revision=23762 2010-09-13 15:41:38 +00:00			`system.activationScripts.polkit =`
* A module for policy-kit (not enabled yet). svn path=/nixos/trunk/; revision=16738 2009-08-16 21:48:46 +00:00			`''`
Use polkit-agent-helper-1 from libexec/polkit-1 svn path=/nixos/trunk/; revision=21844 2010-05-18 16:46:32 +00:00			`mkdir -p /var/lib/polkit-1/localauthority`
			`chmod 700 /var/lib/polkit-1{/localauthority,}`
* A module for policy-kit (not enabled yet). svn path=/nixos/trunk/; revision=16738 2009-08-16 21:48:46 +00:00			`'';`
			`};`

* Added support for ConsoleKit. * Let ConsoleKit track the current logins instead of pam_console. Udev now takes care of setting the device permissions to the active user. This works much better, since pam_console wouldn't apply permissions to new (hot-plugged) devices. Also, the udev+ConsoleKit approach supports user switching. (We don't have that for X yet, but it already works for logins on virtual consoles: if you switch between different users on differents VCs with Alt+Fn, the device ownership will be changed automatically.) svn path=/nixos/trunk/; revision=16743 2009-08-17 01:16:38 +00:00			`}`