I learned today that one can use pkexec from the command line, in a manner similar to sudo, to execute programs with root privileges. I am curious how pkexec decides who is allowed to do this.
The man page for pkexec(1) says
By default, the org.freedesktop.policykit.exec authorization is required unless an action definition file is present for the program in question.
This is a little challenging to parse for someone unfamiliar with policykit. But with a little guessing, let's have a look at /usr/share/polkit-1/actions/org.freedesktop.policykit.policy. In the org.freedesktop.policykit.exec section we see the string auth_admin.
Referring to polkit(8), we see:
auth_admin
Authentication by an administrative user is required.
Who exactly is an "administrative user" in this sense? What tests are done to determine whether a user is "administrative"? The config files get progressively harder to find and understand.
I am aware this is configurable. I want to know the default for, say, Ubuntu 15.04.
Best Answer
By default, it's the members of the sudo group, and the root user, by virtue of these files in /etc/polkit/localauthority.conf.d/:
The first file grants access to UID 0 (root), and the second to the groups sudo and admin. admin isn't really used on Ubuntu, but sudo is, and it's the group used to grant access to sudo as well.
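
An added example, not part of the original answer: a small Python audit helper that reads the AdminIdentities key from local authority configuration files and resolves each identity to account names, counting users whose primary group matches (which a plain group listing misses). The file names, file contents, passwd and group data below are constructed samples; on a real host you would feed in the files from the directory named in the answer.

```python
import configparser

# Constructed sample inputs (hypothetical file names, not copied from a real system).
SAMPLE_CONFS = {
    "50-first.conf": "[Configuration]\nAdminIdentities=unix-user:0\n",
    "51-second.conf": "[Configuration]\nAdminIdentities=unix-group:sudo;unix-group:admin\n",
}
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "alice:x:1000:1000::/home/alice:/bin/bash\n"
    "bob:x:1001:27::/home/bob:/bin/bash\n"      # primary group is sudo (gid 27)
    "carol:x:1002:1002::/home/carol:/bin/bash\n"
)
SAMPLE_GROUP = "sudo:x:27:alice\nalice:x:1000:\ncarol:x:1002:\n"

def parse_passwd(text):
    """Return [(name, uid, primary_gid)] from passwd(5)-format text."""
    rows = [l.split(":") for l in text.splitlines() if l and not l.startswith("#")]
    return [(r[0], int(r[2]), int(r[3])) for r in rows]

def parse_group(text):
    """Return {group_name: (gid, [supplementary members])} from group(5)-format text."""
    rows = [l.split(":") for l in text.splitlines() if l and not l.startswith("#")]
    return {r[0]: (int(r[2]), [m for m in r[3].split(",") if m]) for r in rows}

def resolve_identity(identity, users, groups):
    """Map one identity string (unix-user:X or unix-group:X) to sorted account names."""
    kind, _, value = identity.partition(":")
    if kind == "unix-user":
        return sorted(n for n, uid, _ in users if value in (n, str(uid)))
    if kind == "unix-group":
        if value not in groups:
            return []  # group named in the config but absent on this host
        gid, members = groups[value]
        primary = [n for n, _, g in users if g == gid]
        return sorted(set(members) | set(primary))
    return []  # other identity kinds are not resolved by this helper

def admin_identities(confs, passwd_text, group_text):
    """Return {file: {identity: [accounts]}} with files in lexical order."""
    users, groups = parse_passwd(passwd_text), parse_group(group_text)
    report = {}
    for name in sorted(confs):
        cp = configparser.ConfigParser(interpolation=None)
        cp.optionxform = str  # keep the key's case as written
        cp.read_string(confs[name])
        raw = cp.get("Configuration", "AdminIdentities", fallback="")
        report[name] = {i.strip(): resolve_identity(i.strip(), users, groups)
                        for i in raw.split(";") if i.strip()}
    return report
```

The report is kept per file on purpose, so you can see which file contributes which identity when reviewing a host.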