Polkit (formerly PolicyKit) / pkexec
Polkit (formerly PolicyKit) provides a centralized way to define and manage policy rules for privileged operations performed by users on Linux systems. This documentation explains its role, potential issues when disabled, and methods for managing it.
Introduction
Issues when disabling Polkit
- Reboot and poweroff from the GUI are no longer possible. [1]
- Removable media can no longer be mounted, as udisksd treats mounting removable media as a privileged operation.
- Graphical user creation tools (e.g. users-admin from gnome-system-tools) no longer function properly. [2]
- Flatpaks can no longer be installed user-locally (flatpak --user install). [3]
- The network will probably no longer be configurable via nmtui or similar tools (likely including the network widget in the panel), as NetworkManager treats network reconfiguration as a privileged operation.
- The system usually takes longer to boot, likely due to processes repeatedly failing to start Polkit.
Disabling Polkit
Disabling Polkit can be useful for security hardening inside browser-only VMs or other scenarios where a user is not expected to perform any privileged operations via Polkit.
How to disable Polkit as an opt-in hardening option? Undocumented.
Development
Polkit could be disabled using a systemd drop-in configuration snippet, modifying polkit.service by adding ConditionKernelCommandLine or a similar parameter to prevent Polkit from starting in user sessions (outside of the sysmaint session).
1 Open file.
Open file /usr/lib/systemd/system/polkit.service.d/99_sysmaint.conf in an editor with administrative ("root") rights.
1 Select your platform.
2 Notes.
- Sudoedit guidance: See Open File with Root Rights for details on why using sudoedit improves security and how to use it.
- Editor requirement: Close Featherpad (or the chosen text editor) before running the sudoedit command.
3 Open the file with root rights.
sudoedit /usr/lib/systemd/system/polkit.service.d/99_sysmaint.conf
2 Notes.
- Sudoedit guidance: See Open File with Root Rights for details on why using sudoedit improves security and how to use it.
- Editor requirement: Close Featherpad (or the chosen text editor) before running the sudoedit command.
- Template requirement: When using Kicksecure-Qubes, this must be done inside the Template.
3 Open the file with root rights.
sudoedit /usr/lib/systemd/system/polkit.service.d/99_sysmaint.conf
4 Notes.
- Shut down Template: After applying this change, shut down the Template.
- Restart App Qubes: All App Qubes based on the Template need to be restarted if they were already running.
- Qubes persistence: See also Qubes Persistence
- General procedure: This is a general procedure required for Qubes and is unspecific to Kicksecure-Qubes.
2 Notes.
- Example only: This is just an example. Other tools could achieve the same goal.
- Troubleshooting and alternatives: If this example does not work for you, or if you are not using Kicksecure, please refer to Open File with Root Rights.
3 Open the file with root rights.
sudoedit /usr/lib/systemd/system/polkit.service.d/99_sysmaint.conf
2 Paste.
[Unit]
ConditionKernelCommandLine=boot-role=sysmaint
3 Save.
4 Reboot.
5 Done.
polkit.service should now only be running in the sysmaint session.
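A post-reboot check for the drop-in above, as an added example that is not part of the Kicksecure documentation or tooling. The function names and the --live switch are hypothetical; only boot-role=sysmaint and polkit.service come from this page.

```shell
#!/bin/sh
# Added example: verify the effect of the 99_sysmaint.conf drop-in.
# Function names are hypothetical; boot-role=sysmaint and polkit.service
# are taken from the page.

WANTED='boot-role=sysmaint'

# cmdline_matches CMDLINE ASSIGNMENT
# ConditionKernelCommandLine= with an assignment requires the exact
# assignment as a complete word, so "boot-role=sysmaint2" or
# "xboot-role=sysmaint" must not count. Simplification: quoted kernel
# arguments containing spaces are not handled.
cmdline_matches() {
    norm=$(printf '%s' "$1" | tr '\t\n' '  ')
    case " $norm " in
        *" $2 "*) return 0 ;;
    esac
    return 1
}

# polkit_verdict CMDLINE UNIT_STATE
# Prints "violation" when Polkit is active outside a sysmaint boot.
# In a sysmaint boot any state is acceptable: polkit.service may simply
# not have been started yet.
polkit_verdict() {
    if ! cmdline_matches "$1" "$WANTED" && [ "$2" = "active" ]; then
        echo violation
    else
        echo ok
    fi
}

# Live check, only when invoked with --live on a systemd machine.
if [ "${1:-}" = "--live" ]; then
    state=$(systemctl is-active polkit.service 2>/dev/null || true)
    cond=$(systemctl show -p ConditionResult --value polkit.service)
    echo "polkit.service: state=$state ConditionResult=$cond"
    [ "$(polkit_verdict "$(cat /proc/cmdline)" "$state")" = "ok" ]
fi
```

Run with --live in a normal user session after the reboot; a non-zero exit status means polkit.service is active even though the kernel command line lacks boot-role=sysmaint.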
Design Documentation
Forum Discussion
- https://forums.kicksecure.com/t/investigate-security-suid-impact-of-polkitd-and-policykit-libraries/1075

Footnotes
- [1] This is because systemd treats rebooting as a privileged operation.
- [2] Probably because accountsservice treats user creation as a privileged operation.
- [3] Flatpak installation fails with:
Warning: Failed to get revokefs-fuse socket from system-helper: Failed to activate service 'org.freedesktop.Flatpak.SystemHelper': timed out (service_start_timeout=25000ms)
Warning: Failed to activate service 'org.freedesktop.Flatpak.SystemHelper': timed out (service_start_timeout=25000ms)
Warning: Failed to get revokefs-fuse socket from system-helper: Failed to activate service 'org.freedesktop.Flatpak.SystemHelper': timed out (service_start_timeout=25000ms)
Warning: Failed to activate service 'org.freedesktop.Flatpak.SystemHelper': timed out (service_start_timeout=25000ms)
Warning: Failed to get revokefs-fuse socket from system-helper: Failed to activate service 'org.freedesktop.Flatpak.SystemHelper': timed out (service_start_timeout=25000ms)
Warning: Failed to activate service 'org.freedesktop.Flatpak.SystemHelper': timed out (service_start_timeout=25000ms)
Warning: Failed to get revokefs-fuse socket from system-helper: Failed to activate service 'org.freedesktop.Flatpak.SystemHelper': timed out (service_start_timeout=25000ms)
error: Failed to install org.gnome.Platform: Failed to activate service 'org.freedesktop.Flatpak.SystemHelper': timed out (service_start_timeout=25000ms)