gksudo

Run a command as a specific user

$ gksudo [[-u|--user]] [userid] [command]

$ gksudo [[-u|--user]] [userid] [[-k|--preserve-env]] [command]

$ gksu [[-u|--user]] [userid] [[-w|--su-mode]] [command]

$ gksudo [[-u|--user]] [userid] [[-S|--sudo-mode]] [command]

$ gksudo [[-u|--user]] [userid] [[-d|--debug]] [command]

gksudo [OPTIONS] COMMAND [ARGUMENTS...]

-u, --user user
    Specifies the target username to run the command as. If omitted, the command is run as root.

-D, --description description
    Sets the descriptive text shown in the graphical password dialog, helping users understand why a password is required.

-m, --message message
    Similar to --description, this option provides a custom message displayed to the user in the dialog.

--display display
    Specifies the X display to use for the graphical dialog. Useful in environments with multiple displays or when forwarding X.

--preserve-environment
    Instructs gksudo to pass the calling user's environment variables to the elevated command. Use with caution as it can introduce security risks.

--sudo-mode
    Tries to behave more like the standard sudo command, particularly concerning environment variable handling and privilege changes.

--disable-grab
    Prevents the graphical password dialog from grabbing the keyboard and mouse input, which can be useful in certain display environments.

gksudo is a graphical frontend for the sudo command, specifically designed to execute graphical applications with superuser privileges. Unlike directly using sudo in a terminal, which can lead to issues with X server permissions and environment variables (like DISPLAY and XAUTHORITY), gksudo ensures these necessary graphical environment variables are correctly set for the elevated process. It provides a user-friendly graphical password dialog, making the elevation of privileges more intuitive for GUI programs.

Historically, it was a staple in GTK-based desktop environments like GNOME for launching system configuration utilities, file managers, or other tools requiring root access. While it served a crucial role in enabling graphical root access, it has largely been superseded by pkexec, which offers a more secure and fine-grained approach to privilege escalation for graphical applications.

Deprecation: gksudo (and its counterpart gksu) is considered deprecated in modern Linux distributions. It is no longer actively maintained and has been removed from many distributions (e.g., Ubuntu since 18.04).

Security: Running entire graphical applications as root generally poses higher security risks than elevating privileges for specific, minimal actions. A compromise of a root-privileged GUI application can have widespread system impact.

Alternatives: For new applications and scripts, pkexec (part of PolicyKit/polkit) is the officially recommended and more secure alternative for graphical privilege escalation, offering more granular control and adhering to the principle of least privilege.

When sudo is used directly in a terminal to launch a graphical application (e.g., `sudo nautilus`), it often fails or causes unexpected behavior. This is because the elevated process typically loses access to the necessary X Window System environment variables (like `DISPLAY`) and authentication tokens (like `XAUTHORITY`). These are crucial for the application to connect to and display on the user's X server. gksudo was specifically designed to correctly set up this environment, ensuring the graphical application could run successfully with elevated privileges, thus bridging the gap between terminal `sudo` and graphical environments.

The move from gksudo to pkexec represents a significant shift in how graphical applications handle privileges. While gksudo runs the entire application as root, pkexec (leveraging PolicyKit) allows for more granular control. PolicyKit rules can be configured to grant specific permissions for specific actions or executables, often enabling an application to run mostly as the unprivileged user while only the critical, privilege-requiring parts interact with PolicyKit. This 'least privilege' model dramatically enhances security compared to gksudo's 'all or nothing' approach of running the whole GUI application as root.

gksudo emerged as part of the gksu package, primarily serving the GNOME desktop environment. Its development coincided with the increasing adoption of sudo as the preferred method for privilege escalation over su. It addressed the critical need for a safe and user-friendly way to launch graphical applications with root privileges, correctly handling the complexities of X server permissions and environment variables that direct terminal-based sudo often struggled with.

As desktop environments matured and security models evolved, particularly with the advent of PolicyKit (now polkit), gksudo began to be phased out. PolicyKit offered a more robust framework for authorization and privilege management, leading to pkexec becoming the standard, more secure, and fine-grained alternative, ultimately deprecating gksudo's role.

pkexec(1), sudo(8), gksu(1), su(1)