LinuxCommandLibrary

polkit

Control system-wide privileges for applications

SYNOPSIS

pkexec [--user user] [--disable-internal-agent] [--version] [--help] PROGRAM [ARGUMENTS...]

PARAMETERS

--user user
    Execute PROGRAM as the specified user instead of the default (root).

PROGRAM
    The command or executable to run with elevated privileges.

ARGUMENTS...
    Optional arguments passed directly to the PROGRAM being executed.

--disable-internal-agent
    Prevents pkexec from using its internal authentication agent. Useful for debugging or specific environments where an external agent is guaranteed to be running.

--version
    Display the pkexec version information and exit.

--help
    Show a brief help message and exit.

DESCRIPTION

Polkit (formerly PolicyKit) is an application programming interface (API) for defining and handling authorizations for unprivileged applications to use privileged system services. While Polkit itself is a framework, pkexec is the primary command-line utility used by end-users and applications to interact with Polkit for privilege elevation. It allows an authorized user to execute a program as another user (by default, the superuser, root), similar in functionality to sudo, but leveraging Polkit's fine-grained policy system.

Unlike sudo, which relies on a static configuration file (/etc/sudoers), pkexec consults the polkitd daemon to determine if the calling process is authorized to perform the requested action. This authorization is based on policies defined in configuration files, often allowing for more specific and contextual rules. For instance, a policy might allow a user to perform a specific action (e.g., mount a filesystem) without granting full root access. Authentication, if required by the policy, is handled by an authentication agent (like pkttyagent for the console or a graphical agent), which prompts the user for credentials.

CAVEATS

Security Configuration: The security of pkexec largely depends on correctly configured Polkit policies. Misconfigurations can lead to unauthorized privilege escalation.
Environment Variables: For security, pkexec sanitizes the environment, passing only a safe, minimal set of environment variables to the executed program. This can sometimes cause issues for programs that rely on specific environment variables (e.g., PATH differences or custom library paths).
Authentication Agents: pkexec requires an active Polkit authentication agent (e.g., pkttyagent for TTY, or a graphical agent for desktop environments) to prompt for credentials if authentication is required by the policy. If no agent is available, authentication requests will fail.

POLKIT FRAMEWORK OVERVIEW

Polkit is a system service that provides a centralized mechanism for managing policy. It allows applications to declare actions (e.g., org.freedesktop.udisks2.filesystem-mount), and the polkitd daemon evaluates requests for these actions based on a set of rules. These rules are typically defined in JavaScript .rules files (placed in rules.d directories) or older .pkla files, and they determine whether an action is allowed, requires authentication, or is explicitly denied for a given user or group. This separation of authorization logic from the application code enhances security and flexibility.
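
The rule mechanism described above, as an added example (not from the original page or the polkit project): a rule scoped to the mount action, shown beside an overly broad rule of the kind the CAVEATS section warns about. The group name "storage", the function names, and the fallback stub that lets the file run outside polkitd are assumptions made for illustration.

```javascript
// Inside polkitd the global `polkit` exists. Outside it (e.g. under Node, for
// testing) fall back to a stub carrying the same result strings.
var Result = (typeof polkit !== "undefined") ? polkit.Result : {
    NO: "no", YES: "yes", AUTH_ADMIN: "auth_admin", NOT_HANDLED: "not_handled"
};

var MOUNT_ACTION = "org.freedesktop.udisks2.filesystem-mount"; // action named on this page
var EXEC_ACTION = "org.freedesktop.policykit.exec";            // action checked for pkexec
var MOUNT_GROUP = "storage";                                   // hypothetical group name

// Misconfigured: group membership alone approves every action, including
// EXEC_ACTION, so pkexec would run programs as root with no authentication.
function broadRule(action, subject) {
    if (subject.isInGroup(MOUNT_GROUP)) {
        return Result.YES;
    }
    return Result.NOT_HANDLED;
}

// Scoped: approve only the mount action, only for group members sitting at a
// local, active session. pkexec requests always need administrator credentials.
function scopedRule(action, subject) {
    if (action.id === MOUNT_ACTION &&
        subject.isInGroup(MOUNT_GROUP) &&
        subject.local && subject.active) {
        return Result.YES;
    }
    if (action.id === EXEC_ACTION) {
        return Result.AUTH_ADMIN;
    }
    return Result.NOT_HANDLED; // defer to other rules and the action's defaults
}

// Constructed subject for offline evaluation; mimics the fields polkit passes.
function makeSubject(groups, local, active) {
    return {
        local: local,
        active: active,
        isInGroup: function (g) { return groups.indexOf(g) !== -1; }
    };
}

if (typeof polkit !== "undefined") {
    polkit.addRule(scopedRule); // under polkitd, register only the scoped rule
}
```

Evaluating both functions against the same constructed subject shows the difference: the broad rule answers "yes" to a pkexec request, while the scoped rule answers "auth_admin".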

DIFFERENCES FROM SUDO

While both pkexec and sudo allow users to execute commands with elevated privileges, they operate on different principles. sudo primarily relies on static configurations in /etc/sudoers, granting users permission to run specific commands as root or other users. pkexec, conversely, uses Polkit policies which can be far more dynamic and contextual, allowing for fine-grained control over specific actions (e.g., mount a particular device, change a specific network setting). This makes pkexec particularly well-suited for graphical applications and modern desktop environments where precise authorization is preferred over blanket root access.

HISTORY

Polkit (originally PolicyKit) was developed by David Zeuthen at Red Hat, with its initial releases around 2007. It emerged as a response to the growing need for a more granular and flexible authorization system in desktop Linux environments, distinct from traditional methods like sudo which often grant broad root access. pkexec was introduced as the primary command-line interface for users and applications to request elevated privileges through the Polkit framework, aiming to provide a safer and more policy-driven alternative for specific system actions.

SEE ALSO

pkaction(1), pkcheck(1), pkttyagent(1), polkit(8), sudo(8), su(1)
