[systemd-devel] Work on adding polkit support to systemd1

Stef Walter stefw at redhat.com
Wed Aug 6 04:23:55 PDT 2014

I've done initial work on adding polkit support to systemd1 DBus
methods. You can see it here:


Basic rules:

 * Read access for everyone

 * Methods that modifies running unit state is controlled by a polkit
   action: org.freedesktop.systemd1.manage-units

 * Methods that modifies unit state files is controlled by a polkit
   action: org.freedesktop.systemd1.manage-unit-files

 * Many methods are only callable by root callers, like: Poweroff()
   Kexec() etc...

 * Job.Cancel() and Manager.CancelJob() are callable by the caller(s)
   that started the job.

 * Setting properties is only possible by root callers.

The way that each callback in sd-bus has to handle verification seems a
bit risky to me. So I've only opened up the specific interfaces I
touched in the DBus policy file.

Eventually the DBus policy file would go away, but hopefully sd-bus will
have a less risky way of verifying callers at that point.

I need to work on testing this. Will send a patch set when I'm done.

I'd be happy to add documentation here when we're done:




More information about the systemd-devel mailing list