{
    "mode": "info",
    "parameter": "pklocalauthority",
    "section": "",
    "url": "https://www.chedong.com/phpMan.php/info/pklocalauthority/json",
    "generated": "2026-07-05T13:04:33Z",
    "sections": {
        "NAME": {
            "content": "pklocalauthority - PolicyKit Local Authority\n",
            "subsections": []
        },
        "DESCRIPTION": {
            "content": "The Local Authority is the default PolicyKit authority implementation.\nConfiguration for the Local Authority and information pertaining to\nauthorization decisions are read from local files on the disk. One\ndesign goal of the Local Authority is to split configuration items into\nseparate files such that 3rd party packages and users won't conflict\ntrying to edit the same files. This policy also ensures smooth upgrades\nwhen distributing PolicyKit using a package management system.\n\nFiles shipped with PolicyKit and 3rd party packages (e.g. under package\nmanager control) typically have comments (such as \"DO NOT EDIT THIS\nFILE, it will be overwritten on update\") telling the system\nadministrator that changes will be overwritten on update.\n",
            "subsections": []
        },
        "ADMINISTRATOR AUTHENTICATION": {
            "content": "PolicyKit makes a distinction between user authentication (to make the\nuser in front of the system prove he really is the user) and\nadministrator authentication (to make the user in front of the system\nprove he really is an administrator). Since various operating systems\n(or even flavors of the same operating system) have different ways of\ndefining \"administrator\", the Local Authority provides a way to specify\nwhat \"administrator authentication\" means.\n\nBy default, \"administrator authentication\" is defined as asking for the\nroot password. Since some systems, for usability reasons, don't have a\nroot password and instead rely on a group of users being members of an\nadministrative group that gives them super-user privileges, the Local\nAuthority can be configured to support this use-case as well.\n\nConfiguration for the Local Authority is read from files in the\n/etc/polkit-1/localauthority.conf.d directory. All files are read in\nlexicographical order (using the C locale), meaning that later files can\noverride earlier ones. The file 50-localauthority.conf contains the\nsettings provided by the OS vendor. Users and 3rd party packages can\ndrop configuration files with a priority higher than 60 to change the\ndefaults. The configuration file format is simple. Each configuration\nfile is a key file (also commonly known as an ini file) with a single\ngroup called [Configuration]. Only a single key, AdminIdentities, is\nread. The value of this key is a semi-colon separated list of\nidentities that can be used when administrator authentication is\nrequired. Users are specified by prefixing the user name with\nunix-user:, groups of users are specified by prefixing with\nunix-group:, and netgroups of users are specified with unix-netgroup:.\nSee the section called \"EXAMPLES\" for an example of a configuration\nfile.\n",
            "subsections": []
        },
        "DIRECTORY STRUCTURE": {
            "content": "The Local Authority reads files with the .pkla extension from all\ndirectories located inside the /etc/polkit-1/localauthority and\n/var/lib/polkit-1/localauthority directories. By default, the following\nsub-directories are installed.\n\n/etc/polkit-1/\n`-- localauthority\n|-- 10-vendor.d\n|-- 20-org.d\n|-- 30-site.d\n|-- 50-local.d\n`-- 90-mandatory.d\n\nand\n\n/var/lib/polkit-1/\n`-- localauthority\n|-- 10-vendor.d\n|-- 20-org.d\n|-- 30-site.d\n|-- 50-local.d\n`-- 90-mandatory.d\n\nThe /etc/polkit-1/localauthority hierarchy is intended for local\nconfiguration and the /var/lib/polkit-1/localauthority hierarchy is intended for\n3rd party packages.\n\nEach .pkla file contains one or more authorization entries. If the\nunderlying filesystem supports file monitoring, the Local Authority\nwill reload information whenever .pkla files are added, removed or\nchanged.\n\nEach directory is intended for a specific audience:\n\n10-vendor.d\nIntended for use by the OS vendor.\n\n20-org.d\nIntended for the organization deploying the OS.\n\n30-site.d\nIntended for the site deploying the system.\n\n50-local.d\nIntended for local usage.\n\n90-mandatory.d\nIntended for the organization deploying the OS.\n\nNew directories can be added or removed as needed.\n\nAs regards the content, each .pkla file is a standard key file\nand contains key/value pairs in one or more groups, with each group\nrepresenting an authorization entry. A .pkla file MUST be named\nusing a scheme that ensures the name is unique, e.g. reverse DNS\nnotation or similar. For example, if the organization \"Acme Corp\"\nneeds to modify policy for the product \"Frobnicator\", a name like\ncom.acme.frobnicator.pkla would be suitable.\n",
            "subsections": []
        },
        "AUTHORIZATION ENTRY": {
            "content": "Each group in a .pkla file must have a name that is unique within the\nfile it belongs to. The following keys are recognized:\n\nIdentity\nA semi-colon separated list of globs to match identities. Each glob\nshould start with unix-user: or unix-group: to specify whether to\nmatch on a UNIX user name or a UNIX group name. Netgroups are\nsupported with the unix-netgroup: prefix, but do not support glob\nsyntax.\n\nAction\nA semi-colon separated list of globs to match action identifiers.\n\nResultActive\nThe result to return for subjects in an active local session that\nmatch one or more of the given identities. Allowed values are\nsimilar to what can be used in the defaults section of the .policy\nfiles used to define actions, e.g. yes, no, authself,\nauthselfkeep, authadmin and authadminkeep.\n\nResultInactive\nLike ResultActive but instead applies to subjects in inactive local\nsessions.\n\nResultAny\nLike ResultActive but instead applies to any subject.\n\nReturnValue\nA semi-colon separated list of key/value pairs (of the form\nkey=value) that are added to the details of the authorization result on\npositive matches.\n\nAll keys specified above are required, except that at least one of\nResultAny, ResultInactive and ResultActive must be present. The\nReturnValue key is optional.\n",
            "subsections": []
        },
        "EVALUATION ORDER": {
            "content": "When a Mechanism requests services from the Authority to check if a\ngiven Subject is authorized for a given Action, the authorization\nentries discussed above are consulted using the following algorithm.\n\nThe authorization entries from all .pkla files are ordered using the\nfollowing rules. First, the basenames of all sub-directories (e.g.\n30-site.d) from both the /etc/polkit-1/localauthority and\n/var/lib/polkit-1/localauthority directories are enumerated and sorted\n(using the C locale). If a name exists in both /etc and /var, the one\nin /etc takes precedence. Then all .pkla files are read in order from\nthis list of sub-directories. For each .pkla file, the authorization\nentries in that file are appended in order, resulting in an ordered list of\nauthorization entries.\n\nFor example, given the following files\n\n/var/lib/polkit-1\nlocalauthority\n10-vendor.d\n|    10-desktop-policy.pkla\n20-org.d\n30-site.d\n50-local.d\n55-org.my.company.d\n|    10-org.my.company.product.pkla\n90-mandatory.d\n\n/etc/polkit-1\nlocalauthority\n10-vendor.d\n|    01-some-changes-from-a-subvendor.pkla\n20-org.d\n30-site.d\n50-local.d\n55-org.my.company.d\n|    10-org.my.company.product.pkla\n90-mandatory.d\n\nthe evaluation order of the .pkla files is:\n\n1. 10-desktop-policy.pkla\n\n2. 01-some-changes-from-a-subvendor.pkla\n\n3. 10-org.my.company.product.pkla (the /var one)\n\n4. 10-org.my.company.product.pkla (the /etc one)\n\nWhen the list of authorization entries has been calculated, the\nauthorization check can be made. First, the user of the Subject is\ndetermined and the groups that the user belongs to are looked up. For each\ngroup identity, the authorization entries are consulted in order. If\nan authorization entry matches the data from the authorization check,\nthen the authorization result from ResultAny, ResultInactive or\nResultActive is used and ReturnValue is added to the authorization\nresult.\n\nFinally, the authorization entries are consulted using the user\nidentity in the same manner.\n\nNote that processing continues even after a match, so a later matching\nentry overrides the result of an earlier one. This allows for\nso-called \"negative authorizations\"; see the section called \"EXAMPLES\"\nfor further discussion.\n",
            "subsections": []
        },
        "EXAMPLES": {
            "content": "The following .conf file\n\n[Configuration]\nAdminIdentities=unix-group:staff\n\nspecifies that any user in the staff UNIX group can be used for\nauthentication when administrator authentication is needed. This file\nwould typically be installed in the /etc/polkit-1/localauthority.conf.d\ndirectory and given the name 60-desktop-policy.conf to ensure that it\nis evaluated after the 50-localauthority.conf file shipped with\nPolicyKit. If the local administrator wants to override this (suppose\n60-desktop-policy.conf was shipped as part of the OS) he can simply\ncreate a file 99-my-admin-configuration.conf with the following content\n\n[Configuration]\nAdminIdentities=unix-user:lisa;unix-user:marge\n\nto specify that only the users lisa and marge can authenticate when\nadministrator authentication is needed.\n\nThe following .pkla file grants authorization to all users in the staff\ngroup for actions matching the glob com.example.awesomeproduct.*\nprovided they are in an active session on the local console:\n\n[Normal Staff Permissions]\nIdentity=unix-group:staff\nAction=com.example.awesomeproduct.*\nResultAny=no\nResultInactive=no\nResultActive=yes\n\nIf the users homer and grimes are members of the staff group but policy\nrequires that an administrator needs to authenticate every time\nauthorization for any action matching com.example.awesomeproduct.* is\nrequired, one would add\n\n[Exclude Some Problematic Users]\nIdentity=unix-user:homer;unix-user:grimes\nAction=com.example.awesomeproduct.*\nResultAny=no\nResultInactive=no\nResultActive=authadmin\n\nand make sure this authorization entry is placed after the first one, since\nlater matching entries override earlier ones.\n",
            "subsections": []
        },
        "AUTHOR": {
            "content": "Written by David Zeuthen <davidz@redhat.com> with a lot of help from\nmany others.\n",
            "subsections": []
        },
        "BUGS": {
            "content": "Please send bug reports to either the distribution or the polkit-devel\nmailing list, see the link\nhttp://lists.freedesktop.org/mailman/listinfo/polkit-devel on how to\nsubscribe.\n",
            "subsections": []
        },
        "SEE ALSO": {
            "content": "polkit(8)\n\npolkit                             May 2009                PKLOCALAUTHORITY(8)",
            "subsections": []
        }
    },
    "summary": "pklocalauthority - PolicyKit Local Authority",
    "flags": [],
    "examples": [
        "The following .conf file",
        "[Configuration]",
        "AdminIdentities=unix-group:staff",
        "specifies that any user in the staff UNIX group can be used for",
        "authentication when administrator authentication is needed. This file",
        "would typically be installed in the /etc/polkit-1/localauthority.conf.d",
        "directory and given the name 60-desktop-policy.conf to ensure that it",
        "is evaluated after the 50-localauthority.conf file shipped with",
        "PolicyKit. If the local administrator wants to override this (suppose",
        "60-desktop-policy.conf was shipped as part of the OS) he can simply",
        "create a file 99-my-admin-configuration.conf with the following content",
        "[Configuration]",
        "AdminIdentities=unix-user:lisa;unix-user:marge",
        "to specify that only the users lisa and marge can authenticate when",
        "administrator authentication is needed.",
        "The following .pkla file grants authorization to all users in the staff",
        "group for actions matching the glob com.example.awesomeproduct.*",
        "provided they are in an active session on the local console:",
        "[Normal Staff Permissions]",
        "Identity=unix-group:staff",
        "Action=com.example.awesomeproduct.*",
        "ResultAny=no",
        "ResultInactive=no",
        "ResultActive=yes",
        "If the users homer and grimes are members of the staff group but policy",
        "requires that an administrator needs to authenticate every time",
        "authorization for any action matching com.example.awesomeproduct.* is",
        "required, one would add",
        "[Exclude Some Problematic Users]",
        "Identity=unix-user:homer;unix-user:grimes",
        "Action=com.example.awesomeproduct.*",
        "ResultAny=no",
        "ResultInactive=no",
        "ResultActive=authadmin",
        "and make sure this authorization entry is after the first one."
    ],
    "see_also": [
        {
            "name": "polkit",
            "section": "8",
            "url": "https://www.chedong.com/phpMan.php/man/polkit/8/json"
        }
    ]
}