{ "mode": "man", "parameter": "PKLOCALAUTHORITY", "section": "8", "url": "https://www.chedong.com/phpMan.php/man/PKLOCALAUTHORITY/8/json", "generated": "2026-06-16T06:22:03Z", "sections": { "NAME": { "content": "pklocalauthority - PolicyKit Local Authority\n", "subsections": [] }, "DESCRIPTION": { "content": "The Local Authority is the default PolicyKit authority implementation. Configuration for the\nLocal Authority and information pertaining to authorization decisions are read from local\nfiles on the disk. One design goal of the Local Authority is to split configuration items\ninto separate files such that 3rd party packages and users won't conflict trying to edit the\nsame files. This policy also ensures smooth upgrades when distributing PolicyKit using a\npackage management system.\n\nFiles shipped with PolicyKit and 3rd party packages (e.g. under package manager control)\ntypically have comments (such as “DO NOT EDIT THIS FILE, it will be overwritten on update”)\ntelling the system administrator that changes will be overwritten on update.\n", "subsections": [] }, "ADMINISTRATOR AUTHENTICATION": { "content": "PolicyKit makes a distinction between user authentication (to make the user in front of the\nsystem prove he really is the user) and administrator authentication (to make the user in\nfront of the system prove he really is an administrator). Since various operating systems (or\neven flavors of the same operating system) has different ways of defining \"administrator\",\nthe Local Authority provides a way to specify what \"administrator authentication\" means.\n\nBy default, \"administrator authentication\" is defined as asking for the root password. Since\nsome systems, for usability reasons, don't have a root password and instead rely on a group\nof users being member of an administrative group that gives them super-user privileges, the\nLocal Authority can be configured to support this use-case as well.\n\nConfiguration for the Local Authority is read from files in the\n/etc/polkit-1/localauthority.conf.d directory. All files are read in lexigraphical order\n(using the C locale) meaning that later files can override earlier ones. The file\n50-localauthority.conf contains the settings provided by the OS vendor. Users and 3rd party\npackages can drop configuration files with a priority higher than 60 to change the defaults.\nThe configuration file format is simple. Each configuration file is a key file (also commonly\nknown as a ini file) with a single group called [Configuration]. Only a single key,\nAdminIdentities is read. The value of this key is a semi-colon separated list of identities\nthat can be used when administrator authentication is required. Users are specified by\nprefixing the user name with unix-user:, groups of users are specified by prefixing with\nunix-group:, and netgroups of users are specified with unix-netgroup:. See the section called\n“EXAMPLES” for an example of a configuration file.\n", "subsections": [] }, "DIRECTORY STRUCTURE": { "content": "The Local Authority reads files with .pkla extension from all directories located inside the\n/etc/polkit-1/localauthority and /var/lib/polkit-1/localauthority directories. By default,\nthe following sub-directories are installed.\n\n/etc/polkit-1/\n`-- localauthority\n|-- 10-vendor.d\n|-- 20-org.d\n|-- 30-site.d\n|-- 50-local.d\n`-- 90-mandatory.d\n\n\nand\n\n/var/lib/polkit-1/\n`-- localauthority\n|-- 10-vendor.d\n|-- 20-org.d\n|-- 30-site.d\n|-- 50-local.d\n`-- 90-mandatory.d\n\n\nThe /etc/polkit-1/localauthority hierarchy is inteded for local configuration and the\n/var/lib/polkit-1/localauthority is intended for 3rd party packages.\n\nEach .pkla file contains one or more authorization entries. If the underlying filesystem\nsupports file monitoring, the Local Authority will reload information whenever .pkla files\nare added, removed or changed.\n\nEach directory is intended for a specific audience\n\n10-vendor.d\nIntended for use by the OS vendor.\n\n20-org.d\nIntended for the organization deploying the OS.\n\n30-site.d\nIntended for the site deploying the system.\n\n50-local.d\nIntended for local usage.\n\n90-mandatory.d\nIntended for the organization deploying the OS.\n\nand new directories can be added/removed as needed.\n\nAs to regards to the content, each .pkla file is a standard key file and contains key/value\npairs in one or more groups with each group representing an authorization entry. A .pkla file\nMUST be named by using a scheme to ensure that the name is unique, e.g. reverse DNS notation\nor similar. For example, if the organization is “Acme Corp” needs to modify policy for the\nproduct “Frobnicator”, a name like com.acme.frobnicator.pkla would be suitable.\n", "subsections": [] }, "AUTHORIZATION ENTRY": { "content": "Each group in a .pkla file must have a name that is unique within the file it belongs to. The\nfollowing keys are are recognized:\n\nIdentity\nA semi-colon separated list of globs to match identities. Each glob should start with\nunix-user: or unix-group: to specify whether to match on a UNIX user name or a UNIX group\nname. Netgroups are supported with the unix-netgroup: prefix, but cannot support glob\nsyntax.\n\nAction\nA semi-colon separated list of globs to match action identifiers.\n\nResultActive\nThe result to return for subjects in an active local session that matches one or more of\nthe given identities. Allowed values are similar to what can be used in the defaults\nsection of .policy files used to define actions, e.g. yes, no, authself,\nauthselfkeep, authadmin and authadminkeep.\n\nResultInactive\nLike ResultActive but instead applies to subjects in inactive local sessions.\n\nResultAny\nLike ResultActive but instead applies to any subject.\n\nReturnValue\nA semi-colon separated list of key/value pairs (of the form key=value) that are added to\nthe details of authorization result on positive matches.\n\nAll keys specified above are required except that only at least one of ResultAny,\nResultInactive and ResultActive must be present. The ReturnValue key is optional.\n", "subsections": [] }, "EVALUATION ORDER": { "content": "When a Mechanism requests services from the Authority to check if a given Subject is\nauthorized for a given Action, the authorization entries discussed above are consulted using\nthe following algorithm.\n\nThe authorization entries from all .pkla files are ordered using the following rules. First\nall the basename of all sub-directories (e.g. 30-site.d) from both the\n/etc/polkit-1/localauthority and /var/lib/polkit-1/localauthority directories are enumerated\nand sorted (using the C locale). If a name exists in both /etc and /var, the one in /etc\ntakes precedence. Then all .pkla files are read in order from this list of sub-directories.\nFor each .pkla file, authorizations from each file are appended in order resulting in an\nordered list of authorization entries.\n\nFor example, given the following files\n\n/var/lib/polkit-1\n└── localauthority\n├── 10-vendor.d\n│ └── 10-desktop-policy.pkla\n├── 20-org.d\n├── 30-site.d\n├── 50-local.d\n├── 55-org.my.company.d\n│ └── 10-org.my.company.product.pkla\n└── 90-mandatory.d\n\n/etc/polkit-1\n└── localauthority\n├── 10-vendor.d\n│ └── 01-some-changes-from-a-subvendor.pkla\n├── 20-org.d\n├── 30-site.d\n├── 50-local.d\n├── 55-org.my.company.d\n│ └── 10-org.my.company.product.pkla\n└── 90-mandatory.d\n\n\nthe evaluation order of the .pkla files is:\n\n1. 10-desktop-policy.pkla\n\n2. 01-some-changes-from-a-subvendor.pkla\n\n3. 10-org.my.company.product.pkla (the /var one)\n\n4. 10-org.my.company.product.pkla (the /etc one)\n\nWhen the list of authorization entries has been calculated, the authorization check can be\nmade. First, the user of the Subject is determined and the groups that the user belongs are\nlooked up. For each group identity, the authorization entries are consulted in order. If the\nauthorization check matches the data from the authorization check, then the authorization\nresult from RequireAny, RequireInactive or RequireActive is used and ReturnValue is added to\nthe authorization result.\n\nFinally, the authorization entries are consulted using the user identity in the same manner.\n\nNote that processing continues even after a match. This allows for socalled “negative\nauthorizations”, see the section called “EXAMPLES” for further discussion.\n", "subsections": [] }, "EXAMPLES": { "content": "The following .conf file\n\n[Configuration]\nAdminIdentities=unix-group:staff\n\n\nspecifies that any user in the staff UNIX group can be used for authentication when\nadministrator authentication is needed. This file would typically be installed in the\n/etc/polkit-1/localauthority.conf.d directory and given the name 60-desktop-policy.conf to\nensure that it is evaluted after the 50-localauthority.conf file shipped with PolicyKit. If\nthe local administrator wants to override this (suppose 60-desktop-policy.conf was shipped as\npart of the OS) he can simply create a file 99-my-admin-configuration.conf with the following\ncontent\n\n[Configuration]\nAdminIdentities=unix-user:lisa;unix-user:marge\n\n\nto specify that only the users lisa and marge can authenticate when administrator\nauthentication is needed.\n\nThe following .pkla file grants authorization to all users in the staff group for actions\nmatching the glob com.example.awesomeproduct.* provided they are in an active session on the\nlocal console:\n\n[Normal Staff Permissions]\nIdentity=unix-group:staff\nAction=com.example.awesomeproduct.*\nResultAny=no\nResultInactive=no\nResultActive=yes\n\n\nIf the users homer and grimes are member of the staff group but policy requires that an\nadministrator needs to authenticate every time authorization for any action matching\ncom.example.awesomeproduct.* is required, one would add\n\n[Exclude Some Problematic Users]\nIdentity=unix-user:homer;unix-user:grimes\nAction=com.example.awesomeproduct.*\nResultAny=no\nResultInactive=no\nResultActive=authadmin\n\n\nand make sure this authorization entry is after the first one.\n", "subsections": [] }, "AUTHOR": { "content": "Written by David Zeuthen with a lot of help from many others.\n", "subsections": [] }, "BUGS": { "content": "Please send bug reports to either the distribution or the polkit-devel mailing list, see the\nlink http://lists.freedesktop.org/mailman/listinfo/polkit-devel on how to subscribe.\n", "subsections": [] }, "SEE ALSO": { "content": "polkit(8)\n\n\n\npolkit May 2009 PKLOCALAUTHORITY(8)", "subsections": [] } }, "summary": "pklocalauthority - PolicyKit Local Authority", "flags": [], "examples": [ "The following .conf file", "[Configuration]", "AdminIdentities=unix-group:staff", "specifies that any user in the staff UNIX group can be used for authentication when", "administrator authentication is needed. This file would typically be installed in the", "/etc/polkit-1/localauthority.conf.d directory and given the name 60-desktop-policy.conf to", "ensure that it is evaluted after the 50-localauthority.conf file shipped with PolicyKit. If", "the local administrator wants to override this (suppose 60-desktop-policy.conf was shipped as", "part of the OS) he can simply create a file 99-my-admin-configuration.conf with the following", "content", "[Configuration]", "AdminIdentities=unix-user:lisa;unix-user:marge", "to specify that only the users lisa and marge can authenticate when administrator", "authentication is needed.", "The following .pkla file grants authorization to all users in the staff group for actions", "matching the glob com.example.awesomeproduct.* provided they are in an active session on the", "local console:", "[Normal Staff Permissions]", "Identity=unix-group:staff", "Action=com.example.awesomeproduct.*", "ResultAny=no", "ResultInactive=no", "ResultActive=yes", "If the users homer and grimes are member of the staff group but policy requires that an", "administrator needs to authenticate every time authorization for any action matching", "com.example.awesomeproduct.* is required, one would add", "[Exclude Some Problematic Users]", "Identity=unix-user:homer;unix-user:grimes", "Action=com.example.awesomeproduct.*", "ResultAny=no", "ResultInactive=no", "ResultActive=authadmin", "and make sure this authorization entry is after the first one." ], "see_also": [ { "name": "polkit", "section": "8", "url": "https://www.chedong.com/phpMan.php/man/polkit/8/json" } ] }