How do I prevent PolicyKit from asking for a password?


Solution 1

You can use the same technique Ubuntu's Live CD uses by tricking PolicyKit and suppressing ALL password prompts by substituting the action with a wildcard.

DISCLAIMER: The following will suppress ALL password prompts globally for everyone belonging to the admin group, with the exception of the login screen. It is EXTREMELY dangerous and should NEVER be implemented because chances are YOU WILL END UP BREAKING YOUR SYSTEM!!

Don't say you weren't warned!

NOTE: If you are running 12.04 or later, substitute "admin" with "sudo"!

Replace "username" with your actual user name:

usermod -aG admin username

Switch to root:

sudo -i

Create a new policy:

gedit /var/lib/polkit-1/localauthority/50-local.d/disable-passwords.pkla

Add the following:

[Do anything you want]
Identity=unix-group:admin
Action=*
ResultActive=yes

Save and exit. Then go try something that usually requires a password. :)

NOTE: It doesn't matter what you use as your .pkla file name. You can name it anything you want.

And last, this is the ONLY policy you'll need when it comes to suppressing password prompts because again, it does so globally.

Solution 2

You can create a .pkla, either an all-in-one or a couple based on action groups; it doesn't really matter.

For reference, look in /usr/share/polkit-1/actions and open the ones you are interested in with a text editor to get the action IDs.

As far as a .pkla or two goes, I find the best place to put them is here, where they will be protected from any updates:

/var/lib/polkit-1/localauthority/50-local.d

So, for example, here is my main one, named package-manager.pkla, though it extends a bit further than just package management policies:

[Install package file]
Identity=unix-group:admin
Action=org.debian.apt.install-file;org.debian.apt.update-cache;org.debian.apt.install-or-remove-packages;org.debian.apt.upgrade-packages
ResultActive=yes

[Install package synaptic]
Identity=unix-group:admin
Action=com.ubuntu.pkexec.synaptic
ResultActive=yes

[Change add repo]
Identity=unix-group:admin
Action=com.ubuntu.softwareproperties.applychanges;org.debian.apt.change-repository
ResultActive=yes

[usbcreator format]
Identity=unix-group:admin
Action=com.ubuntu.usbcreator.format
ResultActive=yes

[Install bootloader]
Identity=unix-group:admin
Action=com.ubuntu.usbcreator.bootloader
ResultActive=yes

[Add users]
Identity=unix-group:admin
Action=org.freedesktop.accounts.user-administration
ResultActive=yes

Note that starting in 12.04 the group used for the "admin" user should be changed to sudo, i.e.

Identity=unix-group:sudo

Also note that actions can be strung together per section: no spaces, use a ; in between IDs.
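To compare what the wildcard policy in Solution 1 and the scoped policies in Solution 2 actually grant, the following added example (not code from either answer) parses .pkla text and reports every section that returns "yes" without authentication, along with the action IDs it covers. The function names and the KNOWN_ACTIONS list are assumptions made for illustration; the sample policies and IDs are copied from this page.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed sample input: .pkla policies quoted from the two answers.
WILDCARD_PKLA = """[Do anything you want]
Identity=unix-group:admin
Action=*
ResultActive=yes
"""
SCOPED_PKLA = """[Install package synaptic]
Identity=unix-group:admin
Action=com.ubuntu.pkexec.synaptic
ResultActive=yes

[Change add repo]
Identity=unix-group:admin
Action=com.ubuntu.softwareproperties.applychanges;org.debian.apt.change-repository
ResultActive=yes
"""
# Action IDs named on this page (a real audit would read the .policy files).
KNOWN_ACTIONS = [
    "com.ubuntu.pkexec.synaptic",
    "com.ubuntu.softwareproperties.applychanges",
    "org.debian.apt.change-repository",
    "org.debian.apt.install-or-remove-packages",
]
RESULT_KEYS = ("ResultAny", "ResultInactive", "ResultActive")

def split_list(value):
    # .pkla list values are semicolon-separated
    return [v.strip() for v in value.split(";") if v.strip()]

def audit_pkla(text, known_actions=KNOWN_ACTIONS):
    """Return one finding per section that grants an action with no password."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(text)
    findings = []
    for name in cp.sections():
        sec = cp[name]
        grants = [k for k in RESULT_KEYS if sec.get(k, "").strip() == "yes"]
        if not grants:
            continue
        globs = split_list(sec.get("Action", ""))
        # fnmatchcase approximates polkit's glob matching of action IDs
        covered = sorted(a for a in known_actions if any(fnmatchcase(a, g) for g in globs))
        findings.append({"section": name, "identity": split_list(sec.get("Identity", "")),
                         "grants": grants, "covered": covered,
                         "wildcard": any("*" in g or "?" in g for g in globs)})
    return findings
```

Running audit_pkla over the files in /var/lib/polkit-1/localauthority/50-local.d shows at a glance which local overrides are wildcards and which are limited to named actions.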

Author: Scott Severance

Updated on September 18, 2022

Comments

  • Scott Severance almost 2 years

    For years, I've had the following in my sudoers file:

    scott   ALL=NOPASSWD: ALL
    

    For those who don't know, this prevents sudo and friends (gksudo, etc.) from asking for a password. However, over the years, more and more stuff that once used sudo has been switched to using PolicyKit.

    I'm looking for an equivalent configuration for PolicyKit, such that it'll never ask me for my password.

    For those who don't like my request, let me say this: I understand the reasons for the default configuration, and they are sound. I also understand the risks inherent in the configuration I want to make. Nevertheless, it's the way I want to set up my system. Those who don't fully understand the above shouldn't attempt what I'm attempting.

  • Scott Severance over 12 years
    It looks like you're making settings for each program individually. That seems rather tedious, especially if I later install some other program that wants to use PolicyKit. I'm looking for a way to make a global configuration change that affects everything.
  • Kenny Rasschaert over 10 years
    This also works on Fedora when you substitute the admin group with wheel. Thanks!
  • user541686 almost 10 years
    Could someone describe how exactly this will "break" the system?
  • blueFast about 9 years
    Yes, please. How will this break the system? Not this! Something stupid that you do after this will break the system, but not this! This will allow you to do anything on the host without a password. If you do something stupid, you'll break the system. If you have to put in the password and you do something stupid, you will break the system. This, per se, just makes it a bit easier to do something stupid.
  • bcbc about 9 years
    @jeckyll2hide Read the NOTE - it explains why the OP chose [Install package file]. Either you disagree with this and the NOTE requires a similar edit, or your edit is invalid and should be rolled back.
  • blueFast about 9 years
    @bcbc: not sure about that. First, that worked for me; second, what must match the list of policies is the Action=* field (in this case *, which means any action), but not the title of the text, which, afaik, is free text.
  • bcbc about 9 years
    @jeckyll2hide right, if it works as per your edit, then the NOTE is wrong and should be removed. Leaving it in doesn't make sense.
  • ccd over 7 years
    What if you just want to suppress for a particular user, and not necessarily admins?
  • Scott over 7 years
    @prusswan you can use Identity=unix-user:scott to only allow the user "scott" to do the action. Also if you want to just allow certain actions, you can grep /var/log/auth.log and polkitd will output the full name of the polkit you were trying when you were prompted for your password. cat /var/log/auth.log | grep polkitd will give you a pretty quick list of them
  • Suncatcher about 6 years
    For some reason the created pkla file is not working on my system. I have polkit 0.105 and 18.04. How to debug what is wrong?
  • y o over 4 years
    "It is EXTREMELY dangerous" ... then maybe don't make those users admins!