pkexec
Execute commands as another user
TLDR
Run command as root
Switch user to root
Run command as a specific user
SYNOPSIS
pkexec [--user USER] [--keep-environment] [--disable-internal-agent] PROGRAM [ARGUMENTS...]
pkexec [--version | --help]
PARAMETERS
--user USER
Execute the specified PROGRAM as the given USER. If omitted, the default target user is root.
--keep-environment
Retain the original environment variables of the calling user. By default, pkexec runs PROGRAM in a minimal, known-safe environment (a fixed PATH, no LD_LIBRARY_PATH, LD_PRELOAD or similar loader variables) so that a caller cannot inject code into the privileged process; DISPLAY and XAUTHORITY are passed through only when the action carries the org.freedesktop.policykit.exec.allow_gui annotation. Keeping the caller's environment undoes that protection and should be reserved for programs that are known to ignore attacker-controllable variables.
--disable-internal-agent
Prevent pkexec from registering its own text-mode (TTY) authentication agent when no agent is already registered for the session. With this option, and no external agent available, an action that requires authentication simply fails instead of prompting on the terminal.
--version
Display the version information of pkexec and exit.
--help
Show a help message describing command usage and options, then exit.
DESCRIPTION
pkexec is a command-line utility designed to execute commands as another user, typically the superuser (root), leveraging the PolicyKit (polkit) authorization framework. Unlike traditional tools like sudo which rely on configuration files (e.g., /etc/sudoers) to define privileges, pkexec defers authorization decisions to the polkit daemon.
This allows for more fine-grained and centralized control over system privileges. Policies are defined by action IDs (pkexec itself requests org.freedesktop.policykit.exec) declared in .policy files under /usr/share/polkit-1/actions/. Each action specifies who may perform it, under what conditions (an active local session versus an inactive or remote one), and whether authentication as the user (auth_self) or as an administrator (auth_admin) is required. When pkexec is invoked, it sends the action ID together with details such as the resolved program path and the target user to the polkit daemon, which evaluates the request against the defaults and any local rules. If authorization is granted, the specified command is executed with the target user's privileges.
pkexec is commonly used in graphical environments by desktop applications that need to perform privileged operations, often presenting a graphical password prompt provided by a polkit authentication agent. Because pkexec is installed setuid root, it is a crucial component of privilege separation on modern Linux desktops, and any defect in it is directly exploitable by local users.
CAVEATS
pkexec relies entirely on the polkit daemon for authorization. If polkitd (or the D-Bus system bus it is reached over) is not running or is misconfigured, pkexec will fail to execute commands.
Policy definitions are complex. Action defaults live in .policy files in /usr/share/polkit-1/actions/; local overrides are JavaScript .rules files in /etc/polkit-1/rules.d/ (and /usr/share/polkit-1/rules.d/ for vendor rules) on polkit 0.106 and later, or .pkla files under /etc/polkit-1/localauthority/ on older or distribution-patched versions. Misconfigured rules, in particular a blanket polkit.Result.YES for org.freedesktop.policykit.exec, turn pkexec into passwordless root for a whole group; overly strict rules deny legitimate operations.
While generally secure, historical vulnerabilities have demonstrated the importance of keeping the system updated. CVE-2021-4034 ("PwnKit", disclosed January 2022) was a memory-corruption bug in pkexec's handling of an empty argument vector that gave any local user root regardless of polkit policy; distributions shipped fixes, and removing the setuid bit from /usr/bin/pkexec (chmod 0755) was the recommended interim mitigation where patching was not immediately possible.
AUTHORIZATION MODEL
pkexec's authorization is driven by 'actions' defined in polkit policy files. Each action has an ID (e.g., org.freedesktop.policykit.exec for executing commands) and specifies default authorization results (e.g., auth_admin_keep, which requires administrator authentication and caches it briefly). These defaults can be overridden by local rules: polkitd evaluates the .rules files in lexical order, calls each registered rule function with the action and the requesting subject, and takes the first result that is not NOT_HANDLED; if no rule answers, the action's defaults apply. This lets administrators precisely define who can run what and under what conditions.
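The following is an added example, not code from the polkit project: a rules file in the form polkitd loads from /etc/polkit-1/rules.d/, shown with a weak rule next to a hardened one, plus a small stand-in for polkitd's evaluation loop so the rules can be exercised offline. The `polkit` object, the subject and action shapes, and the `authorize` function below are the example's own approximations of the rules API (polkit.addRule, polkit.Result, action.lookup, subject.isInGroup); the detail keys "program" and "user" are the ones pkexec attaches to its request. The program path /usr/local/sbin/run-backup, the group "backupops" and the users are invented for the illustration.

```javascript
// Stand-in for the global `polkit` object that polkitd exposes to rules files.
// Result values mirror polkit's: NOT_HANDLED is null, everything else a string.
const polkit = {
  Result: {
    NO: "no", YES: "yes", NOT_HANDLED: null,
    AUTH_SELF: "auth_self", AUTH_SELF_KEEP: "auth_self_keep",
    AUTH_ADMIN: "auth_admin", AUTH_ADMIN_KEEP: "auth_admin_keep",
  },
  _rules: [],
  addRule(fn) { this._rules.push(fn); },
  log(msg) { /* polkitd writes this to the journal; silent in the example */ },
};

// WEAK rule (kept only as the "before"; do not deploy): every program a wheel
// member runs through pkexec, as any target user, becomes passwordless root.
function weakRule(action, subject) {
  if (action.id === "org.freedesktop.policykit.exec" && subject.isInGroup("wheel")) {
    return polkit.Result.YES;
  }
  return polkit.Result.NOT_HANDLED;
}

// HARDENED rule, as it would appear in a file such as
// /etc/polkit-1/rules.d/50-backup.rules (hypothetical name): only one program,
// only as root, only for one group. Anything else falls through to the
// action's defaults, so the admin password is still required.
polkit.addRule(function (action, subject) {
  if (action.id !== "org.freedesktop.policykit.exec") {
    return polkit.Result.NOT_HANDLED;
  }
  const program = action.lookup("program"); // absolute path resolved by pkexec
  const target = action.lookup("user");     // --user value, "root" by default
  if (program === "/usr/local/sbin/run-backup" && target === "root" &&
      subject.isInGroup("backupops")) {
    polkit.log("allowing run-backup for " + subject.user);
    return polkit.Result.YES;
  }
  return polkit.Result.NOT_HANDLED;
});

// Defaults a .policy file would supply; modelled here as auth_admin for the
// pkexec action (assumption for the example).
const ACTION_DEFAULTS = { "org.freedesktop.policykit.exec": polkit.Result.AUTH_ADMIN };

// Minimal subject/action objects with the methods the rules above call.
function makeSubject(user, groups) {
  return { user, isInGroup: (g) => groups.includes(g) };
}
function makeAction(id, details) {
  return { id, lookup: (k) => (k in details ? details[k] : null) };
}
// pkexec's request: the action ID plus the details it passes to polkitd.
function execAction(program, user = "root") {
  return makeAction("org.freedesktop.policykit.exec",
                    { program, user, command_line: program });
}

// Stand-in for polkitd's decision loop: rules in registration order, first
// non-null result wins, otherwise the action defaults; NO if nothing matches.
function authorize(action, subject, rules = polkit._rules) {
  for (const rule of rules) {
    const r = rule(action, subject);
    if (r !== null && r !== undefined) return r;
  }
  return action.id in ACTION_DEFAULTS ? ACTION_DEFAULTS[action.id] : polkit.Result.NO;
}

const ops = makeSubject("alice", ["backupops"]);   // constructed sample users
const admin = makeSubject("bob", ["wheel"]);

// Hardened rules: passwordless only for the exact program, target and group.
authorize(execAction("/usr/local/sbin/run-backup"), ops);          // "yes"
authorize(execAction("/bin/bash"), ops);                           // "auth_admin"
authorize(execAction("/usr/local/sbin/run-backup", "mysql"), ops); // "auth_admin"
authorize(execAction("/bin/bash"), admin);                         // "auth_admin"
// The weak rule alone: any program, any target user, no password for wheel.
authorize(execAction("/bin/bash"), admin, [weakRule]);             // "yes"
```

On a real system the decision is made inside polkitd, not in this script; the point of the stand-in is to show why matching on action.lookup("program") and the target user matters, and why a rule that answers YES without looking at them is equivalent to a passwordless sudoers ALL entry for that group.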
AUTHENTICATION AGENTS
When an action requires authentication, polkitd hands the request to the authentication agent registered for the caller's session. In graphical environments this is typically a desktop component that presents a password dialog. If no agent is registered for the session, pkexec registers its own text-mode agent and prompts on the terminal, unless that fallback is disabled with --disable-internal-agent, in which case the request fails.
HISTORY
pkexec is an integral part of the PolicyKit (now known as polkit) project, started by David Zeuthen at Red Hat in 2007. The goal of polkit was to provide a centralized, standardized, and secure way for non-privileged applications to interact with privileged system services, especially in desktop environments. It aimed to address limitations of traditional sudo setups for graphical applications and to provide more granular control over permissions. pkexec was added as the command-line client when the project was rewritten as polkit, allowing direct execution of commands subject to polkit policies, and has evolved with the framework since.