pklocalauthority
Manage PolicyKit local authorization
SYNOPSIS
pklocalauthority COMMAND [OPTIONS]
PARAMETERS
help
Displays a help message, listing available commands and their basic usage.
query
Queries the current authorization rules for a specific action or identity.
Options:
--action-id ACTION_ID: Specifies the unique identifier of the action to query (e.g., org.freedesktop.policykit.exec).
--identity IDENTITY: Specifies the identity (e.g., unix-user:root, unix-group:sudo) for which to query the rule.
set-rule
Sets a new authorization rule or modifies an existing one. This command typically requires root privileges.
Options:
--action-id ACTION_ID: The action ID to apply the rule to.
--identity IDENTITY: The identity for which the rule applies.
--rule RULE_TYPE: Defines the authorization behavior (e.g., allow, auth_self, auth_admin, no).
--priority PRIORITY: An integer determining the rule's precedence (higher values take precedence).
--scope SCOPE: Defines the scope of the rule (e.g., session, system).
remove-rule
Removes an existing authorization rule. This command typically requires root privileges.
Options:
--action-id ACTION_ID: The action ID of the rule to remove.
--identity IDENTITY: The identity associated with the rule to remove.
--priority PRIORITY: The priority of the rule to remove (if multiple rules exist for the same action/identity).
--scope SCOPE: The scope of the rule to remove.
reload
Reloads the Polkit authorization policy database from disk, applying any changes made to policy files. This command typically requires root privileges.
version
Displays the version information of the pklocalauthority utility.
DESCRIPTION
pklocalauthority is a low-level command-line tool for managing the local authorization policy database used by Polkit (formerly PolicyKit). Polkit is an authorization framework that controls system-wide privileges for unprivileged processes interacting with privileged ones. While not typically used by end-users, pklocalauthority is invaluable for system administrators and scripts to programmatically query, set, or remove authorization rules. It interacts directly with Polkit's local authority backend, allowing fine-grained control over how actions are authorized on the system. Operations like setting or removing rules usually require superuser privileges.
CAVEATS
Most operations, particularly set-rule, remove-rule, and reload, require superuser privileges. Direct manipulation of Polkit policies can weaken security (for example, an allow rule authorizes an action with no authentication at all) or cause system instability if not performed with care. Understand Polkit's rule evaluation logic thoroughly before making changes. For most common use cases, higher-level tools or D-Bus APIs are preferred over direct pklocalauthority usage.
AUTHORIZATION RULE TYPES
The --rule option for set-rule accepts several values to define authorization behavior:
allow: The action is always authorized without authentication.
auth_self: Authentication is required, and the user performing the action must authenticate themselves.
auth_admin: Authentication is required, and an administrator must authenticate.
auth_self_keep: Same as auth_self, but authentication is cached.
auth_admin_keep: Same as auth_admin, but authentication is cached.
no: The action is never authorized.
IDENTITY FORMAT
Identities are typically specified in the format type:value.
Common types include:
unix-user:username (e.g., unix-user:john)
unix-group:groupname (e.g., unix-group:wheel, unix-group:sudo)
session:session_id (refers to a specific login session)
RULE PRIORITY AND SCOPE
Rules with a higher numerical --priority take precedence over rules with lower priority. This allows for more specific rules to override general ones. The --scope option defines the context in which the rule applies, such as session (for rules effective only during a user's session) or system (for rules affecting the entire system).
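Added example, not part of the original page or of Polkit itself: a small Python model of the precedence described above, resolving which rule wins for a caller and flagging unauthenticated grants to groups before they are applied. The Rule record, the stricter-rule tie-break and the sample rules are assumptions made for illustration.

```python
from dataclasses import dataclass

# Rule types listed on this page, least to most restrictive.
# The ordering is an assumption, used only to break priority ties.
RESTRICTIVENESS = ["allow", "auth_self_keep", "auth_self",
                   "auth_admin_keep", "auth_admin", "no"]

@dataclass(frozen=True)
class Rule:                      # hypothetical record, one per set-rule call
    action_id: str
    identity: str                # type:value, e.g. unix-group:wheel
    rule: str
    priority: int
    scope: str = "system"

def _strictness(rule_type):
    # Unknown rule types sort as the most restrictive.
    if rule_type in RESTRICTIVENESS:
        return RESTRICTIVENESS.index(rule_type)
    return len(RESTRICTIVENESS)

def effective_rule(rules, action_id, identities, scope="system"):
    """Return the winning rule for a caller holding `identities`, or None."""
    matching = [r for r in rules
                if r.action_id == action_id
                and r.identity in identities
                and r.scope == scope]
    if not matching:
        return None
    # Higher priority wins; on equal priority prefer the stricter rule
    # (assumption: the page does not define tie handling).
    return max(matching, key=lambda r: (r.priority, _strictness(r.rule)))

def audit(rules):
    """Flag unknown rule types and unauthenticated grants to whole groups."""
    findings = []
    for r in rules:
        if r.rule not in RESTRICTIVENESS:
            findings.append((r, "unknown rule type"))
        elif r.rule == "allow" and r.identity.startswith("unix-group:"):
            findings.append((r, "unauthenticated grant to a group"))
    return findings

ACTION = "org.freedesktop.policykit.exec"
SAMPLE = [                       # constructed sample rule set
    Rule(ACTION, "unix-group:sudo", "auth_admin", 10),
    Rule(ACTION, "unix-group:wheel", "allow", 50),
    Rule(ACTION, "unix-user:john", "no", 50),
]
```

In this sample the priority-50 allow rule for wheel overrides the priority-10 auth_admin rule for any caller who is in both groups, which is the kind of interaction worth checking before raising a rule's priority.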
HISTORY
pklocalauthority is an integral part of the Polkit project, which began its life as PolicyKit, developed primarily by David Zeuthen. It emerged as a crucial authorization framework to provide a structured way for unprivileged applications to perform privileged operations, becoming a standard component in modern Linux distributions for system-wide privilege management and desktop environments.
SEE ALSO
polkit(8), pkaction(1), pkexec(1), pkttyagent(1)