pkcheck
Check authorization status for PolicyKit actions
SYNOPSIS
pkcheck [OPTIONS] --action-id ACTION_ID [DETAILS...]
PARAMETERS
--allow-user-interaction
Allow polkit to query the user for authentication if necessary. This might lead to a graphical or text-based prompt.
--enable-session
Enable session-specific authorization mechanisms, which are rarely used directly with pkcheck.
--system-bus-name NAME
Specify the D-Bus system bus name of the process whose authorization is being checked.
--system-bus-pid PID
Specify the PID of the process connected to the D-Bus system bus, whose authorization is being checked.
--process PROCESS_PID
Specify the PID of the process whose authorization is being checked.
--process-id PROCESS_ID
Alias for --process, specifying the PID of the process to check.
--caller-pid CALLER_PID
Specify the PID of the calling process. By default, this is the parent process of pkcheck.
--action-id ACTION_ID
(Required) The unique identifier of the action for which authorization is to be checked (e.g., org.freedesktop.systemd1.restart-unit).
DETAIL KEY VALUE...
One or more key-value pairs providing additional context for the authorization check. These details are specific to the action being checked.
DESCRIPTION
pkcheck is a command-line tool used to determine if a specific process is authorized to perform a particular PolicyKit (polkit) action. Polkit provides a framework for system-wide authorization, enabling unprivileged applications to interact securely with privileged system services. pkcheck queries the polkitd daemon, providing details about the requesting process (e.g., PID, D-Bus identity) and the requested action's identifier (ACTION_ID), along with any relevant context. It is frequently employed by applications or scripts to programmatically verify permissions before attempting operations that require elevated privileges. The command returns an exit code indicating whether authorization was granted, denied, or if an error occurred during the check. It can optionally allow user interaction (e.g., a password prompt) if configured by polkit rules.
CAVEATS
- pkcheck relies on the polkitd daemon running. If the daemon is inactive, the command will fail with an error exit code (2).
- Authorization decisions are entirely determined by polkit's configured policy rules, which can be complex and depend on various factors like user groups, process context, and the specific action details.
- Using the --allow-user-interaction flag in scripts requires careful handling, as it may result in blocking prompts requiring manual input.
RETURN CODES
pkcheck returns specific exit codes indicating the result of the authorization check:
- 0: The process is authorized to perform the action.
- 1: The process is not authorized to perform the action.
- 2: An error occurred and the authorization check could not be completed (e.g., the polkitd daemon is not running).
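A fail-closed wrapper for calling pkcheck from a script, as an added example that is not part of the original page: it maps the exit codes listed above to a verdict, treats every status other than 0 as not authorized, and omits --allow-user-interaction so it cannot block on a prompt. The function name polkit_check and the PKCHECK override variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: fail-closed pkcheck wrapper for scripts.
# PKCHECK is an assumed override so the wrapper can be pointed at a stub.
PKCHECK="${PKCHECK:-pkcheck}"

# polkit_check PID ACTION_ID
# Prints one verdict (authorized | denied | unknown | invalid) on stdout.
# Returns 0 only for "authorized"; every other outcome returns 1.
polkit_check() {
    pid=$1
    action=$2

    # Accept only a decimal PID and an action id made of [A-Za-z0-9._-],
    # so a malformed or untrusted value is rejected before pkcheck runs.
    case $pid in
        ''|*[!0-9]*) echo invalid; return 1 ;;
    esac
    case $action in
        ''|-*|*[!A-Za-z0-9._-]*) echo invalid; return 1 ;;
    esac

    # No --allow-user-interaction: an unattended script must not block on
    # an authentication prompt. "|| rc=$?" keeps this safe under "set -e".
    rc=0
    "$PKCHECK" --process "$pid" --action-id "$action" >/dev/null 2>&1 || rc=$?

    case $rc in
        0) echo authorized; return 0 ;;
        1) echo denied ;;
        # Check not completed, pkcheck missing, or an unrecognized status.
        *) echo unknown ;;
    esac
    echo "polkit_check: $action pid=$pid rc=$rc: refusing" >&2
    return 1
}
```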
EXAMPLE USAGE
- To check if the current process can shut down the system without requiring user interaction:
pkcheck --process $$ --action-id org.freedesktop.login1.power-off
- To check if a specific PID (e.g., 1234) can install software, allowing for user interaction if needed:
pkcheck --process 1234 --allow-user-interaction --action-id org.freedesktop.packagekit.install-comps
- To check if the current user can change the system hostname, providing a detail:
pkcheck --process $$ --action-id org.freedesktop.hostname1.set-hostname --detail hostname 'my_new_host'
HISTORY
pkcheck is an integral component of the PolicyKit (later renamed to polkit) framework, initially developed by David Zeuthen at Red Hat. PolicyKit was introduced to provide a more granular and flexible authorization system compared to traditional Unix permissions and sudo.
It became a standard component in many Linux distributions, especially those utilizing systemd, serving to replace or complement older authorization mechanisms. pkcheck acts as the primary command-line interface for applications and administrators to query authorization status within this modern framework, ensuring consistent privilege management across the system.
SEE ALSO
polkit(8), pkexec(1), pkaction(1), pkttyagent(1)