README
PolicyKit is an authorization framework. It is typically used by
privileged user space daemons to control access.

See also the file HACKING for notes of interest to developers working
on PolicyKit.

See http://www.freedesktop.org/wiki/Software/PolicyKit for lots of
documentation, mailing lists, etc.

-------------------------------------------------------
Rationale for permissions/modes for the default backend
-------------------------------------------------------

0770 root:polkituser /var/run/PolicyKit
0770 root:polkituser /var/lib/PolicyKit

We store authorizations for each user here. Since we don't want users
to know what authorizations other users have, no one can read these
files. However, when checking authorizations we need to be able to
read from here; we use this helper

2755 root:polkituser /usr/libexec/polkit-read-auth-helper

which can read from here since it's setgid 'polkituser'. This helper
will refuse to return authorizations for users other than the calling
user unless the calling user is authorized for org.fd.pk.read.

We also want to be able to grant authorizations through authentication.
That happens with this helper

2755 root:polkituser /usr/libexec/polkit-grant-helper

This program is setgid 'polkituser' so it can write files in
/var/{run,lib}/PolicyKit. Note that these files are created with mode
464.

To do the actual authentication check when granting authorizations
through authentication, polkit-grant-helper uses another helper

4754 root:polkituser /usr/libexec/polkit-grant-helper-pam

This one is setuid root because checking authentications might
require that (you may be checking the root password). The reason
polkit-grant-helper-pam is owned by group 'polkituser' is to ensure
that random users can't execute it; only setgid 'polkituser' programs,
such as polkit-grant-helper, can do this.

On to

2755 root:polkituser /libexec/polkit-revoke-helper

This one is used to revoke authorizations. It will only allow uid 0 and
users with the org.fd.pk.revoke authorization to do so. It needs to be
setgid polkituser to be able to modify authorization files
in /var/{run,lib}/PolicyKit.

2755 root:polkituser /usr/libexec/polkit-explicit-grant-helper

Same story as for polkit-revoke-helper only this grants authorizations.
Only allowed for uid 0 and users with the org.fd.pk.grant authorization.

On to

0755 polkituser:root /var/lib/PolicyKit-public

This is where we store modifications to the defaults. Anyone should be
able to read these files. They are created with mode 644. These files
are written / modified by this helper

4755 polkituser:root /usr/libexec/polkit-set-default-helper

which is setuid polkituser to be able to write/modify files.

On to

4755 root:root /usr/libexec/polkit-resolve-exe-helper

This is used to find the executable name for a process. On Linux this is
the /proc/<pid>/exe symlink and you can only do this for processes you
own. This helper finds the executable name for processes not owned by
you but only if you have the org.fd.pk.read authorization. This is
important to let e.g. user 'haldaemon' check authorizations for a user
requesting service.

0664 polkituser:polkituser /var/lib/misc/PolicyKit.reload

This file is used by libpolkit to detect when something has changed
(authorizations granted/revoked, defaults changed etc.). It is
writable by both user 'polkituser' and group 'polkituser' because we
have helpers running with both euid 'polkituser' and egid 'polkituser'
that want to trigger a reload.
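Because every helper above relies on its exact setuid/setgid bits and owner:group, an audit that compares the installed files against this table is a useful post-install check. The following POSIX sh script is an added example, not part of PolicyKit; it assumes GNU coreutils stat(1) on Linux, and the rows are copied as printed in this README.

```sh
#!/bin/sh
# Audit installed PolicyKit paths against the modes this README documents.
# Assumes GNU coreutils stat(1) on Linux. Added example, not PolicyKit code.

# One "MODE OWNER:GROUP PATH" row per line, copied from the table above.
POLKIT_EXPECTED='0770 root:polkituser /var/run/PolicyKit
0770 root:polkituser /var/lib/PolicyKit
2755 root:polkituser /usr/libexec/polkit-read-auth-helper
2755 root:polkituser /usr/libexec/polkit-grant-helper
4754 root:polkituser /usr/libexec/polkit-grant-helper-pam
2755 root:polkituser /libexec/polkit-revoke-helper
2755 root:polkituser /usr/libexec/polkit-explicit-grant-helper
0755 polkituser:root /var/lib/PolicyKit-public
4755 polkituser:root /usr/libexec/polkit-set-default-helper
4755 root:root /usr/libexec/polkit-resolve-exe-helper
0664 polkituser:polkituser /var/lib/misc/PolicyKit.reload'

# pad4 MODE: stat prints "755" when no setuid/setgid/sticky bit is set but
# "2755" when one is; pad to four digits so modes compare as strings.
pad4() { case ${#1} in 3) printf '0%s\n' "$1" ;; *) printf '%s\n' "$1" ;; esac; }

# check_path PATH MODE OWNER:GROUP
# Exit status: 0 = exact match, 1 = exists but mode or ownership differs
# (e.g. a helper that lost its setgid bit or gained a setuid bit), 2 = missing.
check_path() {
    path=$1; want_mode=$(pad4 "$2"); want_own=$3
    [ -e "$path" ] || { echo "MISSING  $path"; return 2; }
    have_mode=$(pad4 "$(stat -c '%a' "$path")")
    have_own=$(stat -c '%U:%G' "$path")
    if [ "$have_mode" = "$want_mode" ] && [ "$have_own" = "$want_own" ]; then
        echo "ok       $have_mode $have_own $path"
        return 0
    fi
    echo "MISMATCH $path: have $have_mode $have_own, want $want_mode $want_own"
    return 1
}

# audit_polkit: check every row; exit status is the number of rows that were
# missing or mismatched (0 means the installation matches this README).
audit_polkit() {
    bad=0
    while read -r mode own path; do
        [ -n "$path" ] || continue
        check_path "$path" "$mode" "$own" || bad=$((bad + 1))
    done <<EOF
$POLKIT_EXPECTED
EOF
    return "$bad"
}

case "${1:-}" in --run) audit_polkit ;; esac
```

Invoke it as `sh audit.sh --run` on an installed system; a non-zero exit status is the count of paths that need attention.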