Home / ubuntu / Questions / 98006
Accepted
Scott Severance
Asked: 2012-01-24 22:02:58 +0800 CST

How do I prevent PolicyKit from asking for a password?

  • 772

For years, I've had the following in my sudoers file:

scott   ALL=NOPASSWD: ALL

For those who don't know, this prevents sudo and friends (gksudo, etc.) from asking for a password. However, over the years, more and more stuff that once used sudo has been switched to using PolicyKit.

I'm looking for an equivalent configuration for PolicyKit, such that it'll never ask me for my password.

For those who don't like my request, let me say this: I understand the reasons for the default configuration, and they are sound. I also understand the risks inherent in the configuration I want to make. Nevertheless, it's the way I want to set up my system. Those who don't fully understand the above shouldn't attempt what I'm attempting.

password

2 Answers

  1. Best Answer

    You can use the same technique Ubuntu's Live CD uses by tricking PolicyKit and suppressing ALL password prompts by substituting the action with a wildcard.

    DISCLAIMER: The following will suppress ALL password prompts globally for everyone belonging to the admin group, with the exception of the login screen. It is EXTREMELY dangerous and should NEVER be implemented because chances are YOU WILL END UP BREAKING YOUR SYSTEM!!

    Don't say you weren't warned!

    NOTE: If you are running 12.04 or later, substitute "admin" with "sudo"!

    Replace "username" with your actual user name:

    usermod -aG admin username

    Switch to root:

    sudo -i

    Create a new policy:

    gedit /var/lib/polkit-1/localauthority/50-local.d/disable-passwords.pkla

    Add the following:

    [Do anything you want]
Identity=unix-group:admin
Action=*
ResultActive=yes

    Save and exit. Then go try something that usually requires a password. :)

    NOTE: It doesn't matter what you use as your .pkla file name. You can name it anything you want.

    And last, this is the ONLY policy you'll need when it comes to suppressing password prompts because again, it does so globally.

    • 20

  2. You can create a .pkla, either an all in one or a couple based on action groups, doesn't really matter.

    For reference look in /usr/share/polkit-1/actions, open interested ones in a text editor to get action id's.

    As far as a .pkla or 2 I find the best place to put them is here, it will be protected from any updates 

    /var/lib/polkit-1/localauthority/50-local.d

    So for example here is my main one, named package-manager.pkla though it extends a bit further than just package management policy's

    [Install package file]
Identity=unix-group:admin
Action=org.debian.apt.install-file;org.debian.apt.update-cache;org.debian.apt.install-or-remove-packages;org.debian.apt.upgrade-packages
ResultActive=yes

[Install package synaptic]
Identity=unix-group:admin
Action=com.ubuntu.pkexec.synaptic
ResultActive=yes

[Change add repo]
Identity=unix-group:admin
Action=com.ubuntu.softwareproperties.applychanges;org.debian.apt.change-repository
ResultActive=yes

[usbcreator format]
Identity=unix-group:admin
Action=com.ubuntu.usbcreator.format
ResultActive=yes

[Install bootloader]
Identity=unix-group:admin
Action=com.ubuntu.usbcreator.bootloader
ResultActive=yes

[Add users]
Identity=unix-group:admin
Action=org.freedesktop.accounts.user-administration
ResultActive=yes

    Note that starting in 12.04 the group used for "admin" user should be changed to sudo, ie. 

    Identity=unix-group:sudo

    Also note that actions can be strung together per section, no spaces, use a ; in between id's

    • 10