Ubuntu – By default, who is allowed to gain root privileges with pkexec

policykitroot

I learned today that one can use pkexec from the command line, in a manner similar to sudo, to execute programs with root privileges. I am curious how pkexec decides who is allowed to do this.

The man page for pkexec(1) says

By default, the org.freedesktop.policykit.exec authorization is required unless an action definition file is present for the program in question.

This is a little challenging to parse for someone unfamiliar with policykit. But with a little guessing, let's have a look at /usr/share/polkit-1/actions/org.freedesktop.policykit.policy. In the org.freedesktop.policykit.exec section we see the string auth_admin.

Referring to polkit(8), we see:

auth_admin

Authentication by an administrative user is required.

Who exactly is an "administrative user" in this sense? What tests are done to determine whether a user is "administrative"? The config files get progressively harder to find and understand.

I am aware this is configurable. I want to know the default for, say, Ubuntu 15.04.

Best Answer

By default, it's the members of the sudo group, and the root user, by virtue of these files in /etc/polkit/localauthority.conf.d/:

$ tail /etc/polkit-1/localauthority.conf.d/*
==> /etc/polkit-1/localauthority.conf.d/50-localauthority.conf <==
# Configuration file for the PolicyKit Local Authority.
#
# DO NOT EDIT THIS FILE, it will be overwritten on update.
#
# See the pklocalauthority(8) man page for more information
# about configuring the Local Authority.
#

[Configuration]
AdminIdentities=unix-user:0

==> /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf <==
[Configuration]
AdminIdentities=unix-group:sudo;unix-group:admin

The first file grants access to UID 0 (root), and the second to the groups sudo and admin. admin isn't really used on Ubuntu, but sudo is, and it's the group used to grant access to sudo as well.

Related Question