Why?
My services are started via proper unit files or init scripts. I have no need for regular users to do anything special on my servers beyond su. I am specifically looking for a way to completely shut down polkit without it starting up on its own when other services are restarted.
I foresee a problem explaining this to auditors in our PCI environment as well. We have to describe the purpose of each service, and we do not have a legitimate use case for polkit in a PCI environment.
Additional note: I did not install polkit. These servers have a very minimal install, around 670MB on /. It was a systemd update that appears to have installed polkit, and the spec apparently carries dependencies to all systemd-managed services. Once it is installed, I have to rebuild the machine to remove it, just like trying to remove nss once you install it. My concern is that if I force the uninstall, it may leave behind files that will trip up systemd, which assumes it is there.
What I have tried:
Create /etc/polkit-1/rules.d/99-deny-all.rules with:

    polkit.addRule(function(action, subject) {
        return polkit.Result.YES;   // YES: polkit grants every action to every subject without authentication
    });
Then:

    systemctl daemon-reload && systemctl daemon-reexec

This does nothing; /usr/lib/polkit-1/polkitd --no-debug continues to start when other services under systemd are restarted.
[ Update ] As Alexander mentioned, restarting polkit will apply the settings to polkit itself, and that is good, but I am looking for a way to tell polkit not to start that does not break other services.
[ Update 2 ] This may actually prevent some services from restarting correctly.
Mask or disable the service:
This causes other services to hang on startup and shutdown, waiting for polkit.
Edit /usr/share/dbus-1/system-services/org.freedesktop.PolicyKit1.service with:

    [snip]
    Exec=/bin/false
    [snip]
Then:

    systemctl daemon-reload && systemctl daemon-reexec

This does nothing; /usr/lib/polkit-1/polkitd --no-debug continues to start when other services under systemd are restarted.
I have read the man pages a couple of times. It's probably something really simple I am missing. My preference would be for a method that persists across systemd package updates.
The end goal I am looking for is for polkit.service to not start when other daemons are restarted, such as unbound, bind, dhcp, etc.
Update
Red Hat has changed the RPM dependencies around polkit. It can now be uninstalled from servers even if something pulled it in during prior upgrades or installations.
I am now able to uninstall polkit from servers that other folks built, as of CentOS 7.6.
It is still required on workstations, and that appears to be appropriate for desktop usage.
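The edit of Exec= in the D-Bus activation file deserves a closer look. Besides Exec=, that file carries a SystemdService= key, and when dbus-daemon runs with --systemd-activation (the normal case on systemd-based distributions; check with `systemctl cat dbus.service`) the bus asks systemd to start that unit and never consults Exec=. The following is an added example, not code from the question or from the dbus or polkit projects: a small parser that reads a constructed copy of the activation file and reports which path dbus-daemon takes. The file contents are an assumption modelled on the key names documented in dbus-daemon(1); compare against the real file on your host.

```javascript
// Added example: decide how dbus-daemon would activate a D-Bus system service.
// Not the dbus-daemon implementation; a model of the documented rule that
// SystemdService= takes precedence over Exec= under --systemd-activation.

// Constructed sample modelled on the file the question edits. Exact values on
// a given host are an assumption; read the real file to confirm.
const SAMPLE_SERVICE_FILE = `[D-BUS Service]
Name=org.freedesktop.PolicyKit1
Exec=/usr/lib/polkit-1/polkitd --no-debug
User=root
SystemdService=polkit.service
`;

// Minimal INI-style parser: returns { sectionName: { key: value } }.
function parseDbusServiceFile(text) {
  const sections = {};
  let current = null;
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === '' || line.startsWith('#')) continue;
    const header = line.match(/^\[(.+)\]$/);
    if (header) {
      current = header[1];
      sections[current] = sections[current] || {};
      continue;
    }
    const eq = line.indexOf('=');
    if (eq < 0 || current === null) {
      throw new Error(`malformed line (outside a section or without '='): ${rawLine}`);
    }
    sections[current][line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return sections;
}

// `systemdActivation` mirrors the --systemd-activation flag on the
// dbus-daemon command line. With it set and SystemdService= present, the bus
// sends an activation request to systemd for that unit; Exec= is unused.
function activationPath(text, systemdActivation) {
  const svc = parseDbusServiceFile(text)['D-BUS Service'];
  if (!svc || !svc.Name) throw new Error('no [D-BUS Service] section with Name=');
  if (systemdActivation && svc.SystemdService) {
    return { name: svc.Name, via: 'systemd', unit: svc.SystemdService, execUsed: false };
  }
  if (!svc.Exec) throw new Error(`${svc.Name}: neither a usable SystemdService= nor an Exec=`);
  return { name: svc.Name, via: 'exec', command: svc.Exec, execUsed: true };
}

// Usage: with --systemd-activation, the Exec=/bin/false edit from the question
// is never read; systemd starts polkit.service instead.
const r = activationPath(SAMPLE_SERVICE_FILE, true);
console.log(`${r.name} is started via ${r.via}: ${r.unit || r.command}`);
```

Run this against the real file (replace SAMPLE_SERVICE_FILE with `fs.readFileSync(...)`) to confirm which key governs activation on a given host before changing anything; it also shows why the hang after masking polkit.service is expected, since the bus still hands the activation request to systemd, which now cannot satisfy it.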
After adding rules to /etc/polkit-1/rules.d/99-deny-all.rules you should restart the polkit service with systemctl restart polkit. After this, systemctl would execute any requests from a non-privileged user.

As the owners of the systems, we often do not care about the intent of the distro builder. Many would disagree, but I consider restrictions on starting/stopping/installing/removing components of the system, etc., trespassing on my property by the vendor, and I do with my systems as I see fit.
If you find yourself in a situation where you see the removal of polkit as the most appropriate option, and the distro builders did not provide you with the "supported" method for that, you can search for polkitd and rename the file, then issue the service stop command. In my particular case, polkit has a tendency to pin one CPU core when I do not require that, and I removed it using the above method. You are welcome, and power to the users!
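The rules file posted in the question, and restarted per Alexander's answer, is worth evaluating before deploying: despite its name it returns polkit.Result.YES, which grants every action to every subject, so any local user can start, stop and restart units through systemctl without authenticating. The following is an added example, not code from the question, from the answers or from the polkit project: a small stand-in for polkitd's rule engine that loads the rule as posted and a genuine deny rule, and runs both against a constructed request. The engine model follows polkit(8): rule functions run in the order they were added and the first return value that is not undefined or null decides; if nothing decides, the defaults from the action's .policy file apply (modelled here as auth_admin, an assumption made for the example). The action id and subject below are constructed sample data.

```javascript
// Added example: a minimal model of polkitd's JavaScript rule engine.
// Not polkitd itself; enough to show what a given .rules file decides.

function makePolkit() {
  const rules = [];
  const polkit = {
    Result: { NO: 'no', YES: 'yes', AUTH_SELF: 'auth_self',
              AUTH_ADMIN: 'auth_admin', NOT_HANDLED: null },
    addRule(fn) { rules.push(fn); },
    // First rule returning a non-null value decides; otherwise the
    // .policy default applies.
    decide(action, subject, policyDefault) {
      for (const fn of rules) {
        const r = fn(action, subject);
        if (r !== undefined && r !== null) return r;
      }
      return policyDefault;
    },
  };
  return polkit;
}

// The rule from the question, as posted: it answers YES for everything.
function loadQuestionRule(polkit) {
  polkit.addRule(function(action, subject) {
    return polkit.Result.YES;
  });
}

// A rule that actually denies everything. Files in /etc/polkit-1/rules.d are
// read in lexical filename order, so a 99-*.rules file is consulted after the
// vendor rules; NO here is final for any request that reaches it.
function loadDenyAllRule(polkit) {
  polkit.addRule(function(action, subject) {
    return polkit.Result.NO;
  });
}

// Constructed sample request: an unprivileged local user asking systemd to
// restart a unit. systemd checks this through polkit under the
// org.freedesktop.systemd1.manage-units action id.
const SAMPLE_ACTION = { id: 'org.freedesktop.systemd1.manage-units' };
const SAMPLE_SUBJECT = {
  user: 'alice',
  isInGroup: g => g === 'users',
  local: true,
  active: true,
};

// Evaluate the sample request under a given set of rules.
function outcome(loader) {
  const polkit = makePolkit();
  loader(polkit);
  return polkit.decide(SAMPLE_ACTION, SAMPLE_SUBJECT, polkit.Result.AUTH_ADMIN);
}

console.log('rule as posted  ->', outcome(loadQuestionRule)); // yes
console.log('real deny-all   ->', outcome(loadDenyAllRule));  // no
console.log('no rule matched ->', outcome(() => {}));         // auth_admin
```

If the goal is "non-root users get nothing", the file should return polkit.Result.NO, and the change still only takes effect for polkitd once it is restarted, as Alexander's answer says; neither rule stops polkitd from being activated when a client such as systemctl asks the bus for it.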