pkexec - how do I set a custom timeout for auth_admin_keep when writting a pkexec policy

Question

I was just reading the reference manual written by David Z for pkexec on freedesktop.org:

https://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html

and

https://www.freedesktop.org/software/polkit/docs/latest/pkexec.1.html

Manual says that using the auth_admin_keep option will only keep your password for 5 to 15 minutes and that if we want to set custom timeouts we have write custom rules.

Would anyone know how I can go about writing a custom rules for the timeout? I tried to follow along with the manual but I'm not a coder and I wasn't being able to understand the synthax, no were there any mentions made of timeout related synthax.

Answer 1

Unfortunately the timeout appears to be hard-coded as 5 minutes in the PolicyKit upstream source, in file src/polkitbackend/polkitbackendinteractiveauthority.c.

On lines 3231-3236 it says:

/* TODO: right now the time the temporary authorization is kept is hard-coded - we
 *       could make it a propery on the PolkitBackendInteractiveAuthority class (so
 *       the local authority could read it from a config file) or a vfunc
 *       (so the local authority could read it from an annotation on the action).
 */
 expiration_seconds = 5 * 60;

So, the timeout is set to 5 minutes within the source code, and there are currently no provisions for changing it without recompiling the appropriate parts of PolicyKit.

On the other hand, OpenSuSE Leap 15 seems to have extended this functionality. They seem to have re-interpreted the ..._keep actions to mean "remember authentication while the asking process is running", and added ..._keep_session and ..._keep_always actions to mean "remember for the entirety of this specific login session" and "remember forever", respectively.