Polkit (formerly PolicyKit) / pkexec
Polkit (formerly PolicyKit) provides a centralized way to define and manage policy rules for privileged operations performed by users on Linux systems. This documentation explains its role, potential issues when disabled, and methods for managing it.
Introduction
Issues when disabling Polkit
- Reboot and poweroff from the GUI are no longer possible. [1]
- Removable media can no longer be mounted, as udisksd treats removable media mounting as a privileged operation.
- Graphical user creation tools (e.g. users-admin from gnome-system-tools) no longer function properly. [2]
- Flatpaks can no longer be installed user-locally (flatpak --user install). [3]
- Network configuration via nmtui or similar tools (likely including the network widget in the panel) will probably no longer work, as NetworkManager treats network reconfiguration as a privileged operation.
- The system usually takes longer to boot, likely due to processes repeatedly failing to start polkit.
Disabling Polkit
Disabling Polkit can be useful for security hardening inside browser-only VMs or other scenarios where a user is not expected to perform any privileged operations via polkit.
How to disable polkit as an opt-in hardening option? Undocumented.
Development
Polkit could be disabled using a systemd drop-in configuration snippet, modifying polkit.service by adding ConditionKernelCommandLine or a similar parameter to prevent polkit from starting in user sessions (outside of the sysmaint session).
Open file /usr/lib/systemd/system/polkit.service.d/99_sysmaint.conf in an editor with root rights.
See Open File with Root Rights for detailed instructions on why using sudoedit improves security and how to use it.
Note: Mousepad (or the chosen text editor) must be closed before running the sudoedit command.
sudoedit /usr/lib/systemd/system/polkit.service.d/99_sysmaint.conf
Notes:
- When using Kicksecure-Qubes, this must be done inside the Template.
- After applying this change, shut down the Template.
- All App Qubes based on the Template need to be restarted if they were already running.
- This is a general procedure required for Qubes and is not specific to Kicksecure-Qubes.
- This is just an example. Other tools could achieve the same goal.
- If this example does not work for you, or if you are not using Kicksecure, please refer to Open File with Root Rights.
Paste.
[Unit]
ConditionKernelCommandLine=boot-role=sysmaint
Save.
Reboot.
Done.
polkit.service should now only be running in the sysmaint session.
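One way to check the result of the procedure above (an added example, not Kicksecure's own tooling): the script confirms that the directive in the drop-in sits under a section header, where systemd reads it, and flags a boot in which polkit is active without boot-role=sysmaint on the kernel command line. The function names and the --live switch are assumptions made for this example, and the word matching is a simplification that ignores quoted kernel arguments.

```shell
#!/bin/sh
# Added example: verify the sysmaint-only gate for polkit.service.
COND_ARG='boot-role=sysmaint'   # value taken from the drop-in on this page

# Succeeds if kernel command line $1 contains the exact word $2.
# Simplification: splits on whitespace and ignores quoted arguments.
cmdline_has_word() {
    set -f                       # no glob expansion while word-splitting
    for word in $1; do
        if [ "$word" = "$2" ]; then set +f; return 0; fi
    done
    set +f
    return 1
}

# Prints the section header that holds ConditionKernelCommandLine= in
# drop-in file $1, "none" if it precedes any header (systemd ignores it
# there), or "missing" if the directive is absent.
dropin_condition_section() {
    awk '
        /^\[.*\]$/ { section = $0; next }
        /^ConditionKernelCommandLine=/ {
            print (section == "" ? "none" : section); found = 1; exit
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# Verdict for command line $1 and `systemctl is-active` output $2:
# polkit must not be active unless the sysmaint argument is present.
gate_verdict() {
    if ! cmdline_has_word "$1" "$COND_ARG" && [ "$2" = "active" ]; then
        echo "FAIL"
    else
        echo "OK"
    fi
}

# Live check on a running system (needs systemd and /proc).
check_live() {
    dropin=/usr/lib/systemd/system/polkit.service.d/99_sysmaint.conf
    echo "drop-in section: $(dropin_condition_section "$dropin")"
    state=$(systemctl is-active polkit.service || true)
    echo "gate: $(gate_verdict "$(cat /proc/cmdline)" "$state")"
}

if [ "${1:-}" = "--live" ]; then check_live; fi
```

Run it with --live on the target system; without arguments it only defines the functions.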
Design Documentation
Forum Discussion
- https://forums.kicksecure.com/t/investigate-security-suid-impact-of-polkitd-and-policykit-libraries/1075

Footnotes
- [1] This is because systemd treats rebooting as a privileged operation.
- [2] Probably because accountsservice treats user creation as a privileged operation.
- [3] Flatpak installation errors out:
Warning: Failed to get revokefs-fuse socket from system-helper: Failed to activate service 'org.freedesktop.Flatpak.SystemHelper': timed out (service_start_timeout=25000ms)
Warning: Failed to activate service 'org.freedesktop.Flatpak.SystemHelper': timed out (service_start_timeout=25000ms)
Warning: Failed to get revokefs-fuse socket from system-helper: Failed to activate service 'org.freedesktop.Flatpak.SystemHelper': timed out (service_start_timeout=25000ms)
Warning: Failed to activate service 'org.freedesktop.Flatpak.SystemHelper': timed out (service_start_timeout=25000ms)
Warning: Failed to get revokefs-fuse socket from system-helper: Failed to activate service 'org.freedesktop.Flatpak.SystemHelper': timed out (service_start_timeout=25000ms)
Warning: Failed to activate service 'org.freedesktop.Flatpak.SystemHelper': timed out (service_start_timeout=25000ms)
Warning: Failed to get revokefs-fuse socket from system-helper: Failed to activate service 'org.freedesktop.Flatpak.SystemHelper': timed out (service_start_timeout=25000ms)
error: Failed to install org.gnome.Platform: Failed to activate service 'org.freedesktop.Flatpak.SystemHelper': timed out (service_start_timeout=25000ms)