Home

pkexec

pkexec is a command-line utility that executes programs with elevated privileges, typically as the root user, under the control of the PolicyKit (polkit) authorization framework. It is part of the polkit package and serves as a modern alternative to tools like sudo or gksudo in many desktop environments. When invoked, pkexec consults polkit to determine whether the current user is allowed to run the requested program and, if authorized, launches the command with elevated privileges.

The authorization decision is governed by polkit policy files. The relevant action is usually org.freedesktop.policykit.exec, which

Environment handling and usage notes are important when using pkexec. By design, pkexec sanitizes the environment

Security considerations include ensuring correct polkit policies and avoiding reliance on PATH to locate executables. Use

maps
to
a
policy
that
grants
or
denies
execution
based
on
user
identity,
group
membership,
session,
and
other
factors
defined
in
policy
files
found
in
/usr/share/polkit-1/actions
and
/etc/polkit-1/rules.d.
If
no
policy
allows
the
action,
pkexec
will
report
that
the
operation
is
not
authorized
and
exit.
and
does
not
preserve
the
caller’s
PATH
or
HOME
to
reduce
privilege-escalation
risks.
To
run
a
particular
program
reliably,
supply
its
absolute
path
and,
if
necessary,
wrap
the
command
with
env
to
pass
required
variables
(for
graphical
applications
you
may
need
to
forward
DISPLAY
and
XAUTHORITY).
pkexec
with
trusted
commands
and
be
aware
that
authentication
prompts
come
from
a
polkit
authentication
agent,
rather
than
a
traditional
root
password
prompt.
pkexec
differs
from
sudo
in
that
its
authorization
model
is
centralized
in
polkit
policies
rather
than
per-user
password
authentication.