Ubuntu – How to let Polkit request the root password instead of the user's password

password policykit root sudo

I'm looking for a kind of old-style solution: I need to cause all elevated-privilege platforms on an Ubuntu machine to request the target user/root password instead of asking for the calling user's password.

I've managed to set the target-user setting for sudo; still, applications using Polkit for extended privileges request the user's password by default.

I've seen multiple users of other distros seeking the opposite solution, to let Polkit use the user's password instead of the root password; still, no clear answer has been reached!

Any assistance is highly appreciated!

Best Answer

This behavior is controlled by PolicyKit's LocalAuthority configuration. From the ADMINISTRATOR AUTHENTICATION section of man pklocalauthority:

   By default, "administrator authentication" is defined as asking for the
   root password. Since some systems, for usability reasons, don't have a
   root password and instead rely on a group of users being member of an
   administrative group that gives them super-user privileges, the Local
   Authority can be configured to support this use-case as well.

   Configuration for the Local Authority is read from files in the
   /etc/polkit-1/localauthority.conf.d directory. All files are read in
   lexigraphical order (using the C locale) meaning that later files can
   override earlier ones. The file 50-localauthority.conf contains the
   settings provided by the OS vendor. Users and 3rd party packages can
   drop configuration files with a priority higher than 60 to change the
   defaults.

At least in my (18.04) Ubuntu system, the two relevant files are 50-localauthority.conf and 51-ubuntu-admin.conf:

$ head /etc/polkit-1/localauthority.conf.d/*
==> /etc/polkit-1/localauthority.conf.d/50-localauthority.conf <==
# Configuration file for the PolicyKit Local Authority.
#
# DO NOT EDIT THIS FILE, it will be overwritten on update.
#
# See the pklocalauthority(8) man page for more information
# about configuring the Local Authority.
#

[Configuration]
AdminIdentities=unix-user:0

==> /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf <==
[Configuration]
AdminIdentities=unix-group:sudo;unix-group:admin

So, in order to revert to the PolicyKit default, which uses AdminIdentities=unix-user:0 (i.e. root) instead of the Ubuntu default AdminIdentities=unix-group:sudo;unix-group:admin (i.e. members of sudo and/or admin groups), it's sufficient to either rename the 51-ubuntu-admin.conf file so that it is loaded earlier or not at all - for example

sudo mv /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf{,.ignore}

or comment out the AdminIdentities entry therein. The former option is perhaps cleaner and more maintainable.
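
The override order described in the answer above, as an added example that is not part of the original answer: a shell function that walks a localauthority.conf.d directory in C-locale order and reports which AdminIdentities value wins, run against a constructed copy of the two files before and after the rename. The function names and the temporary directory are made up for illustration, and it assumes, as the rename in the answer relies on, that only files ending in .conf are read.

```sh
#!/bin/sh
# Added example: report the AdminIdentities value that takes effect.
# Assumption: only *.conf files count; later files override earlier ones.

effective_admin_identities() (
    # Body runs in a subshell so the locale change does not leak to the caller.
    dir=${1:-/etc/polkit-1/localauthority.conf.d}
    LC_ALL=C; export LC_ALL          # glob sorts in C-locale order, as the man page states
    result=""
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue      # no match leaves the literal pattern behind
        # Last AdminIdentities= inside [Configuration]; a commented-out
        # "#AdminIdentities=..." line does not match the anchored pattern.
        val=$(awk '
            /^\[/ { in_cfg = ($0 ~ /^\[Configuration\]/); next }
            in_cfg && /^AdminIdentities[ \t]*=/ {
                sub(/^[^=]*=[ \t]*/, ""); v = $0; found = 1
            }
            END { if (found) print v }
        ' "$f")
        if [ -n "$val" ]; then result=$val; fi
    done
    printf '%s\n' "$result"
)

# Constructed sample: the [Configuration] sections of the two files in the answer.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    printf '[Configuration]\nAdminIdentities=unix-user:0\n' \
        > "$d/50-localauthority.conf"
    printf '[Configuration]\nAdminIdentities=unix-group:sudo;unix-group:admin\n' \
        > "$d/51-ubuntu-admin.conf"
    printf '%s\n' "$d"
}

sample=$(make_sample_dir)
echo "before rename: $(effective_admin_identities "$sample")"
mv "$sample/51-ubuntu-admin.conf" "$sample/51-ubuntu-admin.conf.ignore"
echo "after rename:  $(effective_admin_identities "$sample")"
rm -rf "$sample"
```

Called with no argument, `effective_admin_identities` inspects the live /etc/polkit-1/localauthority.conf.d directory. Before switching to unix-user:0, confirm that root has a usable password (`sudo passwd -S root`), since a stock Ubuntu install ships with the root account locked.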
