Proper method to disable polkit.service on CentOS 7
Why?
My services are started via proper unit files or init scripts. I have no need for regular users to do anything special on my servers beyond su. I am specifically looking for a way to completely shut down polkit without it starting up on its own when other services are restarted.
I foresee a problem explaining this to auditors in our PCI environment as well. We have to describe the purpose of each service. We do not have a legit use case for polkit in a PCI environment.
Additional note: I did not install polkit. These servers have a very minimal install, around 670MB on /. It was a systemd update that appears to have installed polkit, and the spec apparently has dependencies to all systemd managed services. Once it is installed, I have to rebuild the machine to remove it, just like trying to remove nss once you install it. My concern is that if I force the uninstall, it may leave files that will trip up systemd, which assumes it is there.
What I have tried:
Create /etc/polkit-1/rules.d/99-deny-all.rules
with
polkit.addRule(function(action, subject) {
    // A deny-all rule must return NO; returning YES approves every request.
    return polkit.Result.NO;
});
Then
systemctl daemon-reload && systemctl daemon-reexec
This does nothing, /usr/lib/polkit-1/polkitd --no-debug continues to start when other services under systemd are restarted.
[ Update ] As Alexander mentioned, restarting polkit will apply the settings to polkit itself and that is good, but I am looking for a way to tell polkit to not start that does not break other services.
[ update 2 ] This may actually prevent some services from re-starting correctly.
Mask or disable the service:
This causes other services to hang on startup and shutdown, waiting for polkit.
Edit /usr/share/dbus-1/system-services/org.freedesktop.PolicyKit1.service
with:
[snip]
Exec=/bin/false
[snip]
Then
systemctl daemon-reload && systemctl daemon-reexec
This does nothing, /usr/lib/polkit-1/polkitd --no-debug continues to start when other services under systemd are restarted.
I have read the man pages a couple times. It's probably something really simple I am missing. My preference would be for a method that persists after systemd package updates.
The end goal I am looking for is for polkit.service to not start when other daemons are restarted, such as unbound, bind, dhcp, etc.
Solution 1:
Update
Red Hat have changed the RPM dependencies around Polkit. It can now be uninstalled from servers even if something had pulled it in during prior upgrades or installations.
I am now able to uninstall Polkit from servers that other folks built as of CentOS 7.6.
It is still required on Workstations and that appears to be appropriate for desktop usage.
Solution 2:
After adding rules to /etc/polkit-1/rules.d/99-deny-all.rules you should restart the polkit service with systemctl restart polkit. After this, systemctl will not execute any requests from a non-privileged user.
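Added illustration, not part of the question or of either answer: polkit rules files are JavaScript, polkitd loads every *.rules file sorted lexically by name and the first rule that returns a non-null result decides. The harness below is a constructed stand-in for the `polkit` object polkitd injects (only addRule, Result and log are modelled, and the Result strings are assumed); it lets you check offline that a 99-deny-all.rules file returning NO really denies everything that an earlier file has not already decided, and that the same file returning YES (as in the question's first attempt) would approve every request. The wheel-group file and the action IDs are constructed for the example.

```javascript
// Constructed stand-in for the global `polkit` object polkitd provides to rules.
const polkit = {
  // Real polkitd exposes string constants; these values are assumed here.
  Result: { NO: "no", YES: "yes", AUTH_ADMIN: "auth_admin", NOT_HANDLED: null },
  _rules: [],
  addRule(fn) { this._rules.push(fn); },
  log(msg) { /* polkitd sends this to syslog; silent in the harness */ },
};

// polkitd reads all *.rules files in lexical order and registers their rules in
// that order. `files` stands in for the directory: { name, load } where
// load(pk) plays the role of the file body calling pk.addRule(...).
function loadRuleFiles(files) {
  polkit._rules = [];
  [...files]
    .sort((a, b) => (a.name < b.name ? -1 : a.name > b.name ? 1 : 0))
    .forEach((f) => f.load(polkit));
}

// Minimal subject object: polkitd's real one also carries pid, seat, etc.
function makeSubject(user, groups) {
  return { user, local: true, active: true, isInGroup: (g) => groups.includes(g) };
}

// First non-null result wins; with no decision polkitd falls back to the
// action's implicit policy from its .policy file (NOT_HANDLED here).
function evaluate(actionId, subject) {
  for (const rule of polkit._rules) {
    const r = rule({ id: actionId }, subject);
    if (r !== null && r !== undefined) return r;
  }
  return polkit.Result.NOT_HANDLED;
}

// Constructed stand-in for a vendor file such as 50-default.rules: wheel
// members may authenticate as admin for systemd unit actions.
const wheelRules = {
  name: "50-default.rules",
  load(pk) {
    pk.addRule(function (action, subject) {
      if (action.id.indexOf("org.freedesktop.systemd1.") === 0 && subject.isInGroup("wheel")) {
        return pk.Result.AUTH_ADMIN;
      }
    });
  },
};

// The deny-all file from the question, returning NO as it must.
const denyAll = {
  name: "99-deny-all.rules",
  load(pk) {
    pk.addRule(function (action, subject) {
      pk.log("denying " + action.id + " for " + subject.user);
      return pk.Result.NO;
    });
  },
};

// The question's first attempt: same file name, but returning YES.
const allowAllByMistake = {
  name: "99-deny-all.rules",
  load(pk) {
    pk.addRule(function () { return pk.Result.YES; });
  },
};
```

Because the 99- prefix sorts after the vendor files, the deny-all rule only reaches requests nothing earlier decided; a rule in a lower-numbered file (or in /usr/share/polkit-1/rules.d) still wins for the actions it covers. Drop the wheel file from the list to see every request denied.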