Ubuntu – How to configure pkexec

command linepkexecsudo

Reading these questions and answers:

brought me another one that will create problems for new users of that command:

How to configure pkexec for easy usage?

For example when doing the following:

(Opening a file in terminal)

pkexec nano /etc/mysql/my.cnf

(Opening a file in GUI)

pkexec gedit /etc/mysql/my.cnf

The last one gets the following error:

 pkexec must be setuid root

Now this brought me the following questions:

How to configure pkexec to avoid getting this? Similar to how sudo/gksu behave when doing the same thing (they only ask for the password).
If applicable, how to tell it to not ask for a password after the first time applying it to a command (or including the first command if configurable)?
Where to save the configuration file if not yet existing?
Is there a GUI app to configure pkexec usage (Policy Kit)?

Best Answer

How to configure `pkexec` to avoid getting errors when run GUI applications?

I found two possible ways:

As you can see, using the following:

pkexec env DISPLAY=$DISPLAY XAUTHORITY=$XAUTHORITY gedit

will not get you any error. And this is normal because man pkexec is very clear in this matter:

       [...] pkexec will not allow you to run X11 applications
       as another user since the $DISPLAY and $XAUTHORITY environment
       variables are not set.[...]

As result you can create an (permanent) alias (this is the simpliest way):

alias pkexec='pkexec env DISPLAY=$DISPLAY XAUTHORITY=$XAUTHORITY'

Or, (again) as man pkexec says:

       [...] These two variables will be retained if the
       org.freedesktop.policykit.exec.allow_gui annotation on an action is set
       to a nonempty value; this is discouraged, though, and should only be
       used for legacy programs.[...]

you can create a new policy file in /usr/share/polkit-1/actions named com.ubuntu.pkexec.gedit.policy with the following xml code inside where the most important thing is to set org.freedesktop.policykit.exec.allow_gui to a nonempty value:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
  "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
  "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>

  <action id="com.ubuntu.pkexec.gedit">
    <message gettext-domain="gparted">Authentication is required to run gedit</message>
    <icon_name>gedit</icon_name>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/gedit</annotate>
    <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
  </action>

</policyconfig>

How to tell it to not ask for a password after the first time applying it to a command?

For these three setting tags: allow_any, allow_inactive and allow_active from the policy file, the following options are available:

no: The user is not authorized to carry out the action. There is therefore no need for authentication.
yes: The user is authorized to carry out the action without any authentication.
auth_self: Authentication is required but the user need not be an administrative user.
auth_admin: Authentication as an administrative user is require.
auth_self_keep: The same as auth_self but, like sudo, the authorization lasts a few minutes.
auth_admin_keep: The same as auth_admin but, like sudo, the authorization lasts a few minutes.

^{Source: Polkit - Structure - Actions}

So, if you use auth_admin_keep option (or, as applicable, auth_self_keep), pkexec will not ask for a password again for some time (by default this time is set to 5 minutes as I checked). The disadvantage here is that this thing is applicable only for one - the same - command / application and valid for all users (unless if it is overruled in later configuration).

Where to save the configuration file if not yet existing?

Configuration files or polkit definitions can be divided into two kinds:

Actions are defined in XML .policy files located in /usr/share/polkit-1/actions. Each action has a set of default permissions attached to it (e.g. you need to identify as an administrator to use the GParted action). The defaults can be overruled but editing the actions files is NOT the correct way. The name of this policy file should have this format:
```
com.ubuntu.pkexec.app_name.policy
```
Authorization rules are defined in JavaScript .rules files. They are found in two places: 3rd party packages can use /usr/share/polkit-1/rules.d (though few if any do) and /etc/polkit-1/rules.d is for local configuration. The .rules files designate a subset of users, refer to one (or more) of the actions specified in the actions files and determine with what restrictions these actions can be taken by that/those user(s). As an example, a rules file could overrule the default requirement for all users to authenticate as an admin when using GParted, determining that some specific user doesn't need to. Or isn't allowed to use GParted at all.

^{Source: Polkit - Structure}

Is there a GUI application to configure `pkexec` usage?

From what I know, until now (18.01.2014) doesn't exist something like this. If in the future I will find something, I will not forget to update this answer too.

Solution

Install lxpolkit.
sudo apt-get install lxpolkit
Logout and login.
Set lxpolkit as default policy agent
In the menu, go to Preferences > Default applications for LXSession (or run lxsession-default-apps in a terminal). In the first section "Running applications" (Update: Default apps manager 14.10 is different. Use the Core applications tab.), go to the option for Polkit agent and make sure lxpolkit is selected.

Instead of using the package policykit-1-gnome, lxsession will now use lxpolkit for LXDE.

LXPolkit screenshot

Why Apps Launched With `pkexec` Don't Run From the LXDE Menu

It comes down to the way apps in the X11 system are launched with pkexec.

The apps that appear in the lxpanel menu are stored and configured in either /usr/share/applications (global menus items) or ~/.local/share/applications (user specific). See LXDE Wiki - Main Menu

In these directories you will find a .desktop file for each of the applications appearing in your menu. Here is an example of /usr/share/applications/synaptic.desktop:

[Desktop Entry]
Name=Synaptic Package Manager
GenericName=Package Manager
Comment=Install, remove and upgrade software packages
Exec=synaptic-pkexec
Icon=synaptic
Terminal=false
Type=Application
Categories=PackageManager;GTK;System;Settings;
NotShowIn=KDE;
X-Ubuntu-Gettext-Domain=synaptic

Notice the line Exec=synaptic-pkexec.

In the absence of a policy kit interface, the user is normally asked for a password in the command line. Since this is a menu item, this is launched in the background and there is no command line to enter the password. Hence, you need to make sure you are using lxpolkit. Or if you prefer the gnome polkit, install the package policykit-1-gnome which launches the login menu whenever pkexec is used. I have removed the package policykit-1-gnome and using lxpolkit works well for all applications.

Alternative Solutions

Use gksudo Instead of pkexec
You could right-click applications like synaptic in the menu, click Properties, and change the Command field from synaptic-pkexec to gksudo synaptic. Or via command line, copy the original file to your user's applications directory with sudo cp /usr/share/applications/synaptic.desktop ${HOME}/.local/share/applications/synaptic.desktop

Then edit the line Exec=synaptic-pkexec and replace it with Exec=gksudo synaptic

gksudo's "primary purpose is to run graphical commands that need root without the need to run an X terminal emulator and using su directly." - GKSU(1)

And for good reason! See Running Sudo Graphically.

This of course requires that every application relying on pkexec be edited to launch with gksudo which requires more work on your part if you're using lxpanel. A nice comparison of security and usability features for gksudo and PolicyKit can be found at Comparison of privilege authorization features.

Write Your Own pkexec Policy For Individual Applications
This is more than I want to do, but it may be useful in some situations. I don't recommend doing this without a strong understanding of writing PolicyKit Actions.

The actions available to you via polkit will depend on the packages you have installed. Some are used in multiple desktop environments (org.freedesktop.), some are DE-specific (org.gnome.) and some are specific to a single program (org.archlinux.pkexec.gparted.policy). The command pkaction lists all the actions defined in /usr/share/polkit-1/actions for quick reference.

Here's an example, which I have not tested, from City-busz -Using 'pkexec' command instead of 'gksu':

E.g. if you want to run gparted as root with

$ pkexec gparted

command, then create a new file

/usr/share/polkit-1/actions/org.freedesktop.policykit.pkexec.policy

with the following content:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>

  <action id="org.freedesktop.policykit.pkexec.run-gparted">
    <description>Run GParted</description>
    <message>Authentication is required to run GParted</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/sbin/gparted</annotate>
    <annotate key="org.freedesktop.policykit.exec.allow_gui">TRUE</annotate>
  </action>

</policyconfig>

More actions can be added into the same file.

Hat tip to renegat at archlinux.org for compiling relevant excerpts from related LXDE and PolicyKit documentation that ultimately led me to using LXPolkit as the preferred solution.

Ubuntu – use pkexec in a python script or a .desktop file

First create a .policy action file in /usr/share/polkit-1/actions/. It's conventional to name action files in a "vendor hierarchical" way, such as com.ubuntu.pkexec.gparted.policy or org.debian.apt.policy

Then paste the following content:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">

<policyconfig>

  <action id="org.freedesktop.policykit.pkexec.run-[Short Program Name]">
    <description>Run [Full Program Name]</description>
    <message>Authentication is required to run [Full Program Name]</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">[Full Program Path]</annotate>
    <annotate key="org.freedesktop.policykit.exec.allow_gui">TRUE</annotate>
  </action>

</policyconfig>

Replace [Short/Full Program Name/Path] with appropriate values, for example gedit, gedit Text Editor and /usr/bin/gedit. <action id> value does not need to match the chosen filename (and a single file can contain multiple actions), but conventionally filename is the prefix for all its actions.

After saving the file the specific program would run with X and GUI and such.

Another fix seems to be: Add the following line in /etc/pam.d/polkit-1:

session optional pam_xauth.so

Best Answer

How to configure pkexec to avoid getting errors when run GUI applications?

How to tell it to not ask for a password after the first time applying it to a command?

Where to save the configuration file if not yet existing?

Is there a GUI application to configure pkexec usage?

Related Solutions

Ubuntu – pkexec won’t launch polkit GUI in Lubuntu / LXDE