{{Header}}
{{Title|title=
Polkit (formerly PolicyKit)
}}
{{#seo:
|description=Polkit is a component for managing system-wide permissions on Linux systems, including security implications and configuration details.
}}
{{intro|
<code>Polkit</code> (formerly <code>PolicyKit</code>) provides a centralized way to define and manage policy rules for privileged operations performed by users on Linux systems. This documentation explains its role, potential issues when disabled, and methods for managing it.
}}
= Introduction =
{{stub}}

= Issues when disabling Polkit =

* Reboot and poweroff from the GUI are no longer possible. <ref>
This is because systemd treats rebooting as a privileged operation.
</ref>
* Removable media can no longer be mounted, as <code>udisksd</code> treats removable media mounting as a privileged operation.
* Graphical user creation tools (e.g. <code>users-admin</code> from <code>gnome-system-tools</code>) no longer function properly. <ref>
Probably because <code>accountsservice</code> treats user creation as a privileged operation.
</ref>
* Flatpaks can no longer be installed user-locally. (<code>flatpak --user install</code>) <ref>
Flatpak installation errors out:

<pre>
Warning: Failed to get revokefs-fuse socket from system-helper: Failed to activate service 'org.freedesktop.Flatpak.SystemHelper': timed out (service_start_timeout=25000ms)
Warning: Failed to activate service 'org.freedesktop.Flatpak.SystemHelper': timed out (service_start_timeout=25000ms)
Warning: Failed to get revokefs-fuse socket from system-helper: Failed to activate service 'org.freedesktop.Flatpak.SystemHelper': timed out (service_start_timeout=25000ms)
Warning: Failed to activate service 'org.freedesktop.Flatpak.SystemHelper': timed out (service_start_timeout=25000ms)
Warning: Failed to get revokefs-fuse socket from system-helper: Failed to activate service 'org.freedesktop.Flatpak.SystemHelper': timed out (service_start_timeout=25000ms)
Warning: Failed to activate service 'org.freedesktop.Flatpak.SystemHelper': timed out (service_start_timeout=25000ms)
Warning: Failed to get revokefs-fuse socket from system-helper: Failed to activate service 'org.freedesktop.Flatpak.SystemHelper': timed out (service_start_timeout=25000ms)
error: Failed to install org.gnome.Platform: Failed to activate service 'org.freedesktop.Flatpak.SystemHelper': timed out (service_start_timeout=25000ms)
</pre>
</ref>
* Network configuration via <code>nmtui</code> or similar tools (likely including the network widget in the panel) will probably no longer be configurable, as NetworkManager treats network reconfiguration as a privileged operation.
* System usually takes longer to boot, likely due to processes repeatedly failing to start polkit.

= Disabling Polkit =
Disabling Polkit can be useful for security hardening inside browser-only VMs or other scenarios where a user is not expected to perform any privileged operations via polkit.

How to disable polkit as an opt-in hardening option? [[Undocumented]].

= Development =
Polkit could be disabled using a systemd drop-in configuration snippet, modifying <code>polkit.service</code> by adding <code>ConditionKernelCommandLine</code> or a similar parameter to prevent polkit from starting in user sessions (outside of the [[sysmaint]] session).

[[Untested]].

{{Open with root rights|filename=
/usr/lib/systemd/system/polkit.service.d/99_sysmaint.conf
}}

Paste.

{{CodeSelect|code=
ConditionKernelCommandLine=boot-role=sysmaint
}}

Save.

Reboot.

Done.

<code>polkit.service</code> should now only be running in sysmaint session.

= Forum Discussion =
* https://forums.kicksecure.com/t/investigate-security-suid-impact-of-polkitd-and-policykit-libraries/1075

= Footnotes =
{{reflist|close=1}}
{{Footer}}
[[Category:Documentation]]