36

For years, I've had the following in my sudoers file:

scott   ALL=NOPASSWD: ALL

For those who don't know, this prevents sudo and friends (gksudo, etc.) from asking for a password. However, over the years, more and more stuff that once used sudo has been switched to using PolicyKit.

I'm looking for an equivalent configuration for PolicyKit, such that it'll never ask me for my password.

For those who don't like my request, let me say this: I understand the reasons for the default configuration, and they are sound. I also understand the risks inherent in the configuration I want to make. Nevertheless, it's the way I want to set up my system. Those who don't fully understand the above shouldn't attempt what I'm attempting.

Scott Severance
  • 14,056

2 Answers2

23

You can use the same technique Ubuntu's Live CD uses by tricking PolicyKit and suppressing ALL password prompts by substituting the action with a wildcard.

DISCLAIMER: The following will suppress ALL password prompts globally for everyone belonging to the admin group, with the exception of the login screen. It is EXTREMELY dangerous and should NEVER be implemented because chances are YOU WILL END UP BREAKING YOUR SYSTEM!!

Don't say you weren't warned!

NOTE: If you are running 12.04 or later, substitute "admin" with "sudo"!

Replace "username" with your actual user name:

usermod -aG admin username

Switch to root:

sudo -i

Create a new policy:

gedit /var/lib/polkit-1/localauthority/50-local.d/disable-passwords.pkla

Add the following:

[Do anything you want]
Identity=unix-group:admin
Action=*
ResultActive=yes

Save and exit. Then go try something that usually requires a password. :)

NOTE: It doesn't matter what you use as your .pkla file name. You can name it anything you want.

And last, this is the ONLY policy you'll need when it comes to suppressing password prompts because again, it does so globally.

user541686
  • 4,167
user55572
  • 254
  • 2
  • 2
  • This also works on Fedora when you substitute the admin group with wheel. Thanks! – Kenny Rasschaert Mar 04 '14 at 12:40
  • 10
    Could someone describe how exactly this will "break" the system? – user541686 Aug 14 '14 at 20:30
  • 11
    Yes, please. How will this break the system? Not this! Something stupid that you do after this will break the system, but not this! This will allow you to do anything on the host without password. If you do something stupid, you'll break the system. If you have to put the password and you do something stupid, you will break the system. This, per-se, just makes it a bit easier to do something stupid. – blueFast Jun 25 '15 at 07:27
  • 1
    @jeckyll2hide Read the NOTE - it explains why the OP chose [Install package file]. Either you disagree with this and the NOTE requires a similar edit, or your edit is invalid and should be rolled back. – bcbc Jun 25 '15 at 19:40
  • @bcbc: not sure about that: first, that worked for me; second: what must match the list of policies is the Action=* field (in this case * which means any action), but not the title of the text which, afaik is free text. – blueFast Jun 25 '15 at 19:48
  • @jeckyll2hide right, if it works as per your edit, then the NOTE is wrong and should be removed. Leaving it in doesn't make sense. – bcbc Jun 25 '15 at 23:17
  • what if you just want to suppress for a particular user? and not necessarily admins – prusswan Oct 11 '16 at 09:22
  • 4
    @prusswan you can use Identity=unix-user:scott to only allow the user "scott" to do the action. Also if you want to just allow certain actions, you can grep /var/log/auth.log and polkitd will output the full name of the polkit you were trying when you were prompted for your password. cat /var/log/auth.log | grep polkitd will give you a pretty quick list of them – Scott Mar 03 '17 at 21:20
  • For some reason created pkla file is not working on my system. I have polkit 0.105 and 18.04. How to debug what is wrong? – Suncatcher May 06 '18 at 09:05
  • 3
    "It is EXTREMELY dangerous" ... then maybe don't make those users admins! – y o Jan 31 '20 at 00:53
  • Is it somehow possible to request for a confirmation without having to type the password? Like on Windows? I could only find the docs for pklocalauthority (8) and polkit (8). I miss something like confirm :-(. – blaimi Nov 07 '23 at 22:47
11

You can create a .pkla, either an all in one or a couple based on action groups, doesn't really matter.

For reference look in /usr/share/polkit-1/actions, open interested ones in a text editor to get action id's.

As far as a .pkla or 2 I find the best place to put them is here, it will be protected from any updates 

/var/lib/polkit-1/localauthority/50-local.d

So for example here is my main one, named package-manager.pkla though it extends a bit further than just package management policy's

[Install package file]
Identity=unix-group:admin
Action=org.debian.apt.install-file;org.debian.apt.update-cache;org.debian.apt.install-or-remove-packages;org.debian.apt.upgrade-packages
ResultActive=yes

[Install package synaptic]
Identity=unix-group:admin
Action=com.ubuntu.pkexec.synaptic
ResultActive=yes

[Change add repo]
Identity=unix-group:admin
Action=com.ubuntu.softwareproperties.applychanges;org.debian.apt.change-repository
ResultActive=yes

[usbcreator format]
Identity=unix-group:admin
Action=com.ubuntu.usbcreator.format
ResultActive=yes

[Install bootloader]
Identity=unix-group:admin
Action=com.ubuntu.usbcreator.bootloader
ResultActive=yes

[Add users]
Identity=unix-group:admin
Action=org.freedesktop.accounts.user-administration
ResultActive=yes

Note that starting in 12.04 the group used for "admin" user should be changed to sudo, ie. 

Identity=unix-group:sudo

Also note that actions can be strung together per section, no spaces, use a ; in between id's

doug
  • 17,026
  • 3
    It looks like you're making settings for each program individually. That seems rather tedious, especially if I later install some other program that wants to use PolicyKit. I'm looking for a way to make a global configuration change that affects everything. – Scott Severance Jan 24 '12 at 16:31
  • 1
    Have never seen any way to affect 'globally', don't believe that's the way policykit works, there is an policy set per action id – doug Jan 24 '12 at 18:48