Ubuntu – How to configure pkexec

command line, pkexec, sudo

Reading these questions and answers:

brought me another one that will create problems for new users of that command:

  • How to configure pkexec for easy usage?

For example when doing the following:

(Opening a file in terminal)

pkexec nano /etc/mysql/my.cnf  

(Opening a file in GUI)

pkexec gedit /etc/mysql/my.cnf  

The last one gets the following error:

 pkexec must be setuid root

Now this brought me the following questions:

  1. How to configure pkexec to avoid getting this? Similar to how sudo/gksu behave when doing the same thing (they only ask for the password).

  2. If applicable, how to tell it to not ask for a password after the first time applying it to a command (or including the first command if configurable)?

  3. Where to save the configuration file if not yet existing?

  4. Is there a GUI app to configure pkexec usage (Policy Kit)?

Best Answer

How to configure pkexec to avoid getting errors when running GUI applications?

I found two possible ways:

  1. As you can see, using the following:

    pkexec env DISPLAY=$DISPLAY XAUTHORITY=$XAUTHORITY gedit
    

    will not get you any error. And this is normal because man pkexec is very clear in this matter:

           [...] pkexec will not allow you to run X11 applications
           as another user since the $DISPLAY and $XAUTHORITY environment
           variables are not set.[...]
    

    As a result you can create a (permanent) alias (this is the simplest way):

    alias pkexec='pkexec env DISPLAY=$DISPLAY XAUTHORITY=$XAUTHORITY'
    
  2. Or, (again) as man pkexec says:

           [...] These two variables will be retained if the
           org.freedesktop.policykit.exec.allow_gui annotation on an action is set
           to a nonempty value; this is discouraged, though, and should only be
           used for legacy programs.[...]
    

    you can create a new policy file in /usr/share/polkit-1/actions named com.ubuntu.pkexec.gedit.policy with the following XML code inside, where the most important thing is to set org.freedesktop.policykit.exec.allow_gui to a nonempty value:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE policyconfig PUBLIC
      "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
      "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
    <policyconfig>
    
      <action id="com.ubuntu.pkexec.gedit">
        <message gettext-domain="gparted">Authentication is required to run gedit</message>
        <icon_name>gedit</icon_name>
        <defaults>
          <allow_any>auth_admin</allow_any>
          <allow_inactive>auth_admin</allow_inactive>
          <allow_active>auth_admin</allow_active>
        </defaults>
        <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/gedit</annotate>
        <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
      </action>
    
    </policyconfig>
    

How to tell it to not ask for a password after the first time applying it to a command?

For these three setting tags: allow_any, allow_inactive and allow_active from the policy file, the following options are available:

  • no: The user is not authorized to carry out the action. There is therefore no need for authentication.
  • yes: The user is authorized to carry out the action without any authentication.
  • auth_self: Authentication is required but the user need not be an administrative user.
  • auth_admin: Authentication as an administrative user is required.
  • auth_self_keep: The same as auth_self but, like sudo, the authorization lasts a few minutes.
  • auth_admin_keep: The same as auth_admin but, like sudo, the authorization lasts a few minutes.

     Source: Polkit - Structure - Actions

So, if you use the auth_admin_keep option (or, as applicable, auth_self_keep), pkexec will not ask for a password again for some time (by default this time is set to 5 minutes as I checked). The disadvantage here is that this thing is applicable only for one - the same - command / application and valid for all users (unless it is overruled in later configuration).

Where to save the configuration file if not yet existing?

Configuration files or polkit definitions can be divided into two kinds:

  • Actions are defined in XML .policy files located in /usr/share/polkit-1/actions. Each action has a set of default permissions attached to it (e.g. you need to identify as an administrator to use the GParted action). The defaults can be overruled but editing the actions files is NOT the correct way. The name of this policy file should have this format:

    com.ubuntu.pkexec.app_name.policy
  • Authorization rules are defined in JavaScript .rules files. They are found in two places: 3rd party packages can use /usr/share/polkit-1/rules.d (though few if any do) and /etc/polkit-1/rules.d is for local configuration. The .rules files designate a subset of users, refer to one (or more) of the actions specified in the actions files and determine with what restrictions these actions can be taken by that/those user(s). As an example, a rules file could overrule the default requirement for all users to authenticate as an admin when using GParted, determining that some specific user doesn't need to. Or isn't allowed to use GParted at all.

     Source: Polkit - Structure

Is there a GUI application to configure pkexec usage?

As far as I know, as of now (18.01.2014) nothing like this exists. If I find something in the future, I will not forget to update this answer too.
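
An added example (not part of the original answer) of the kind of .rules file described under "Where to save the configuration file", scoped to the com.ubuntu.pkexec.gedit action defined earlier. It assumes a polkit release with the JavaScript rules engine (0.106 or later); the file name, the group confedit and the user kiosk are hypothetical, and the polkit object and decide() are Node-only stand-ins so the rule can be exercised offline.

```javascript
// --- Node-only stand-in for the `polkit` global that polkitd provides. ---
// Not part of a real rules file: delete this section before installing.
const polkit = {
  Result: { NO: "no", YES: "yes", AUTH_ADMIN: "auth_admin",
            AUTH_ADMIN_KEEP: "auth_admin_keep", NOT_HANDLED: null },
  rules: [],
  addRule(fn) { this.rules.push(fn); },
};

// --- Rules file body, e.g. /etc/polkit-1/rules.d/49-pkexec-gedit.rules ---
// (file name, group name and user name are hypothetical)
var GEDIT_ACTION = "com.ubuntu.pkexec.gedit"; // action id from the .policy file
var KEEP_GROUP = "confedit";                  // hypothetical group
var DENIED_USER = "kiosk";                    // hypothetical account

polkit.addRule(function (action, subject) {
  if (action.id !== GEDIT_ACTION) return polkit.Result.NOT_HANDLED;
  // Deny one account outright, whatever the .policy defaults say.
  if (subject.user === DENIED_USER) return polkit.Result.NO;
  // allow_gui hands DISPLAY/XAUTHORITY to a root process, so only relax
  // the default for a local, active session of a trusted group.
  if (subject.local && subject.active && subject.isInGroup(KEEP_GROUP)) {
    return polkit.Result.AUTH_ADMIN_KEEP;
  }
  return polkit.Result.NOT_HANDLED; // fall back to the <defaults> block
});

// --- Node-only harness: the first rule that returns a result wins. ---
function decide(actionId, subj) {
  const subject = { local: true, active: true, groups: [], ...subj,
    isInGroup(g) { return this.groups.includes(g); } };
  for (const rule of polkit.rules) {
    const r = rule({ id: actionId }, subject);
    if (r !== null && r !== undefined) return r;
  }
  return "policy-defaults"; // no rule matched: the .policy <defaults> apply
}

// Constructed sample subjects.
console.log(decide(GEDIT_ACTION, { user: "alice", groups: ["confedit"] }));
console.log(decide(GEDIT_ACTION, { user: "alice", groups: ["confedit"], local: false }));
console.log(decide(GEDIT_ACTION, { user: "kiosk", groups: ["confedit"] }));
```

Returning NOT_HANDLED instead of a result leaves the decision to the auth_admin defaults in the .policy file, so the rule only ever widens access for the one group and narrows it for the one account.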