Obtaining 'root' Permission When Required

By default, commands run as the user eauser. Some commands may require root permission, and this section describes how to obtain it. Do this only after exhausting all other possibilities (e.g., adding eauser to a privileged group).

Create Access Rules

There are two ways to create rules: INI-formatted .pkla files and JavaScript-based .rules files.
  • polkit 0.105 (and earlier) - *.pkla file
    • polkit 0.105 and earlier use *.pkla files to implement rules. This is the version of polkit used in all supported versions of Ubuntu and Debian.
    • Create a *.pkla file in /etc/polkit-1/localauthority/50-local.d to create a rule. For example:
      [Allow eauser to run some-script as root]
      Identity=unix-user:eauser
      Action=com.system-builder.edge.some-script
      ResultAny=yes
      
  • polkit 0.106 (and later) - *.rules file
    • polkit 0.106 and later use *.rules files to implement rules. This is the version of polkit used in Edge OS.
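    • Create an 80-sysbuilder-some-script.rules file in /etc/polkit-1/rules.d that checks for the some-script action.id. For example:
      // Grant the some-script action to eauser only; every other request
      // falls through to later rules and the action's defaults.
      polkit.addRule(function(action, subject) {
          if (action.id == "com.system-builder.edge.some-script" &&
              subject.user == "eauser") {
              return polkit.Result.YES;
          }
      });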

Enable Script to Run as a User

Add pkexec to the command's shebang line.
#!/usr/bin/pkexec /bin/sh

Declare Actions Managed by the Policy

Create a com.system-builder.edge.some-policy.policy file in /usr/share/polkit-1/actions/. For example:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
  "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
  "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>

  <action id="com.system-builder.edge.some-script">
    <description>allow running some-script with pkexec</description>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>no</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/bin/sh</annotate>
    <annotate key="org.freedesktop.policykit.exec.argv1">/opt/edge-agent/some-script</annotate>
  </action>

</policyconfig>
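
The following is an added example, not part of the original page or of the product's tooling: a Python check that cross-references the action ids in a .pkla rule with the actions declared in a .policy file and flags rules that match nothing, as well as pkexec actions that are not pinned with exec.path and exec.argv1. The function names and the com.example.demo.* ids are constructed for illustration, and .pkla glob matching is approximated with fnmatch.

```python
import configparser
import fnmatch
import xml.etree.ElementTree as ET

EXEC = "org.freedesktop.policykit.exec."

def declared_actions(policy_xml):
    """Map each declared action id to its <annotate> key/value pairs."""
    return {
        a.get("id"): {n.get("key"): (n.text or "").strip() for n in a.findall("annotate")}
        for a in ET.fromstring(policy_xml).findall("action")
    }

def audit(policy_xml, pkla_text):
    """Return findings for .pkla rules checked against a .policy file."""
    actions = declared_actions(policy_xml)
    rules = configparser.ConfigParser(interpolation=None)
    rules.read_string(pkla_text)
    findings = []
    for name in rules.sections():
        # Action= holds one or more ';'-separated ids, and globs are allowed.
        for pattern in filter(None, rules[name].get("Action", "").split(";")):
            matched = fnmatch.filter(actions, pattern)
            if not matched:
                findings.append(f"{pattern}: rule matches no declared action")
            for action_id in matched:
                notes = actions[action_id]
                if EXEC + "path" not in notes:
                    findings.append(f"{action_id}: no exec.path, pkexec will not select it")
                elif EXEC + "argv1" not in notes:
                    findings.append(f"{action_id}: no exec.argv1, any argument is allowed")
    return findings

# Constructed sample input; only the first action id comes from the page.
POLICY = """<policyconfig>
  <action id="com.system-builder.edge.some-script">
    <annotate key="org.freedesktop.policykit.exec.path">/bin/sh</annotate>
    <annotate key="org.freedesktop.policykit.exec.argv1">/opt/edge-agent/some-script</annotate>
  </action>
  <action id="com.example.demo.any-shell">
    <annotate key="org.freedesktop.policykit.exec.path">/bin/sh</annotate>
  </action>
</policyconfig>"""
PKLA = """[Allow eauser to run some-script as root]
Identity=unix-user:eauser
Action=com.system-builder.edge.some-script;com.example.demo.*;com.example.demo.missing
ResultAny=yes"""
if __name__ == "__main__":
    print("\n".join(audit(POLICY, PKLA)) or "no findings")
```

An empty result means every id a rule names is declared and each matched action is pinned to one interpreter and one script path.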