blob: cafa9f82d5e43aae621b78c9005f670348a27bbf (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
|
{ config, pkgs, ... }:
with pkgs.lib;
let
cfg = config.security.polkit;
in
{
options = {
security.polkit.enable = mkOption {
type = types.bool;
default = true;
description = "Whether to enable PolKit.";
};
security.polkit.permissions = mkOption {
type = types.lines;
default = "";
example =
''
[Disallow Users To Suspend]
Identity=unix-group:users
Action=org.freedesktop.upower.*
ResultAny=no
ResultInactive=no
ResultActive=no
[Allow Anybody To Eject Disks]
Identity=unix-user:*
Action=org.freedesktop.udisks.drive-eject
ResultAny=yes
ResultInactive=yes
ResultActive=yes
[Allow Alice To Mount Filesystems After Admin Authentication]
Identity=unix-user:alice
Action=org.freedesktop.udisks.filesystem-mount
ResultAny=auth_admin
ResultInactive=auth_admin
ResultActive=auth_admin
'';
description =
''
Allows the default permissions of privileged actions to be overridden.
'';
};
security.polkit.adminIdentities = mkOption {
type = types.str;
default = "unix-user:0;unix-group:wheel";
example = "";
description =
''
Specifies which users are considered “administrators”, for those
actions that require the user to authenticate as an
administrator (i.e. have an <literal>auth_admin</literal>
value). By default, this is the <literal>root</literal>
user and all users in the <literal>wheel</literal> group.
'';
};
};
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.polkit ];
# The polkit daemon reads action files
environment.pathsToLink = [ "/share/polkit-1/actions" ];
environment.etc =
[ # No idea what the "null backend" is, but it seems to need this.
{ source = "${pkgs.polkit}/etc/polkit-1/nullbackend.conf.d";
target = "polkit-1/nullbackend.conf.d";
}
# This file determines what users are considered
# "administrators".
{ source = pkgs.writeText "10-nixos.conf"
''
[Configuration]
AdminIdentities=${cfg.adminIdentities}
'';
target = "polkit-1/localauthority.conf.d/10-nixos.conf";
}
{ source = pkgs.writeText "org.nixos.pkla" cfg.permissions;
target = "polkit-1/localauthority/10-vendor.d/org.nixos.pkla";
}
];
services.dbus.packages = [ pkgs.polkit ];
security.pam.services.polkit-1 = {};
security.setuidPrograms = [ "pkexec" ];
security.setuidOwners = singleton
{ program = "polkit-agent-helper-1";
owner = "root";
group = "root";
setuid = true;
source = "${pkgs.polkit}/libexec/polkit-1/polkit-agent-helper-1";
};
system.activationScripts.polkit =
''
mkdir -p /var/lib/polkit-1/localauthority
chmod 700 /var/lib/polkit-1{/localauthority,}
# Force polkitd to be restarted so that it reloads its
# configuration.
${pkgs.procps}/bin/pkill -INT -u root -x polkitd
'';
};
}
|