Ubuntu – pkexec won’t launch polkit GUI in Lubuntu / LXDE

lubuntulxdeopenboxpkexecpolicykit

I performed a fresh install of Lubuntu 12.04 with minimal desktop, as described here.

To clarify, I did a command-line install from the Lubuntu alternative install disc, then I did an apt-get install --no-install-recommends lubuntu-desktop.

Everything is working fine, except that Synaptic will not run from the menu entry in the panel. I am not prompted for a password, and no window of any sort appears after clicking the menu entry. I installed lxshortcut to see what the shortcut was running, and the command is synaptic-pkexec. If I type this command into the "Run" menu, I get the same behavior (or lack thereof).

I can get Synaptic to open up just fine by typing gksudo synaptic at the "Run" menu. Also, if I run "synaptic-pkexec" from the terminal, then I am prompted for my password within the terminal, and after that Synaptic opens normally.

Can someone please suggest the right way to get Synaptic working? I could just change the menu entry to "gksudo synaptic", but I'm guessing that it's set to synaptic-pkexec for a reason. I have a vague understanding that this pkexec business has something to do with PolicyKit, but I don't really know what PolicyKit is or how to tell if something is broken with it.

Best Answer

I am using an alternative solution to the accepted answer. I prefer using lxpolkit instead of policykit-1-gnome since it is designed for LXDE.

This problem with pkexec not launching the authentication screen is very common. The first thing to check is whether you have a graphical policy kit interface (either lxpolkit or policykit-1-gnome) installed and configured for LXDE because these packages are flagged to be removed during a major upgrade of lubuntu. Apparently neither are included when installing the distro.

Solution

  • Install lxpolkit.
    sudo apt-get install lxpolkit

  • Logout and login.

  • Set lxpolkit as default policy agent
    In the menu, go to Preferences > Default applications for LXSession (or run lxsession-default-apps in a terminal). In the first section "Running applications" (Update: Default apps manager 14.10 is different. Use the Core applications tab.), go to the option for Polkit agent and make sure lxpolkit is selected.

Instead of using the package policykit-1-gnome, lxsession will now use lxpolkit for LXDE.

LXPolkit screenshot

Why Apps Launched With pkexec Don't Run From the LXDE Menu

It comes down to the way apps in the X11 system are launched with pkexec.

The apps that appear in the lxpanel menu are stored and configured in either /usr/share/applications (global menus items) or ~/.local/share/applications (user specific). See LXDE Wiki - Main Menu

In these directories you will find a .desktop file for each of the applications appearing in your menu. Here is an example of /usr/share/applications/synaptic.desktop:

[Desktop Entry]
Name=Synaptic Package Manager
GenericName=Package Manager
Comment=Install, remove and upgrade software packages
Exec=synaptic-pkexec
Icon=synaptic
Terminal=false
Type=Application
Categories=PackageManager;GTK;System;Settings;
NotShowIn=KDE;
X-Ubuntu-Gettext-Domain=synaptic

Notice the line Exec=synaptic-pkexec.

In the absence of a policy kit interface, the user is normally asked for a password in the command line. Since this is a menu item, this is launched in the background and there is no command line to enter the password. Hence, you need to make sure you are using lxpolkit. Or if you prefer the gnome polkit, install the package policykit-1-gnome which launches the login menu whenever pkexec is used. I have removed the package policykit-1-gnome and using lxpolkit works well for all applications.

Alternative Solutions

Use gksudo Instead of pkexec
You could right-click applications like synaptic in the menu, click Properties, and change the Command field from synaptic-pkexec to gksudo synaptic. Or via command line, copy the original file to your user's applications directory with sudo cp /usr/share/applications/synaptic.desktop ${HOME}/.local/share/applications/synaptic.desktop

Then edit the line Exec=synaptic-pkexec and replace it with Exec=gksudo synaptic

gksudo's "primary purpose is to run graphical commands that need root without the need to run an X terminal emulator and using su directly." - GKSU(1)

And for good reason! See Running Sudo Graphically.

This of course requires that every application relying on pkexec be edited to launch with gksudo which requires more work on your part if you're using lxpanel. A nice comparison of security and usability features for gksudo and PolicyKit can be found at Comparison of privilege authorization features.

Write Your Own pkexec Policy For Individual Applications
This is more than I want to do, but it may be useful in some situations. I don't recommend doing this without a strong understanding of writing PolicyKit Actions.

The actions available to you via polkit will depend on the packages you have installed. Some are used in multiple desktop environments (org.freedesktop.), some are DE-specific (org.gnome.) and some are specific to a single program (org.archlinux.pkexec.gparted.policy). The command pkaction lists all the actions defined in /usr/share/polkit-1/actions for quick reference.

Here's an example, which I have not tested, from City-busz -Using 'pkexec' command instead of 'gksu':

E.g. if you want to run gparted as root with

$ pkexec gparted

command, then create a new file

/usr/share/polkit-1/actions/org.freedesktop.policykit.pkexec.policy

with the following content:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>

  <action id="org.freedesktop.policykit.pkexec.run-gparted">
    <description>Run GParted</description>
    <message>Authentication is required to run GParted</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/sbin/gparted</annotate>
    <annotate key="org.freedesktop.policykit.exec.allow_gui">TRUE</annotate>
  </action>

</policyconfig>

More actions can be added into the same file.

Hat tip to renegat at archlinux.org for compiling relevant excerpts from related LXDE and PolicyKit documentation that ultimately led me to using LXPolkit as the preferred solution.

Related Question