The point is that pkexec uses different mechanisms for authorization and authentication. Authentication is how you prove who you are. Authorization is the rules that determine what you can do.

Sudo relies on traditional Unix discretionary access controls for authentication. These consist of your user's UID, GID, and password. So you can configure sudo to authenticate users based on their user, group membership, and/or passwords. Sudo relies on sudoers files for determining authorization. You put in there rules on what commands can be executed as what user, whether they require a password, and so on and so forth.

Sudo is most useful in situations where you want to be able to log root access to particular users. Giving sudo access to the command is pretty much the same as granting them root access. Instead of them logging in as root using root's password (which doesn't give you an indication of who they are), they have to execute sudo, which creates a log entry that indicates when and who executed a particular command.

It isn't really useful in strongly limiting root access since it is usually trivial for an attacker to trick programs into giving them full root access. Thus limiting what commands they can execute is more of just a way to limit accidental foot-shooting. Of course you can use sudo to grant access from one user account to another, but it is less commonly used for that.

Pkexec, on the other hand, adds sudo-like CLI features to Polkit (formerly known as policykit). The point of polkit is mostly for authenticating/authorizing users to communicate between processes. Like if you are on your desktop and you plug in a USB drive... does your user have the right to have the desktop environment automatically mount the drive for you?

So when you plug in a USB drive the udev system sends a notification out over DBUS that a drive was plugged in. Your Desktop Environment daemons (KDE or Gnome or whatever) receive the dbus message and then send a request to udisk daemon running as root to mount the drive on their behalf. Polkit provides the policy mechanism to determine if your user is authorized to perform that action. So it regulates the interaction between your DE and udisk.

Polkit policies are a lot more fine-grained than sudoer rules and can make decisions based on context. Like if you are logged in over SSH you can have a different set of rules than if you are logged directly into the machine. This is generally considered a lot more secure than using sudo for mounting because it doesn't require using root to execute commands. Instead you are sending requests to privileged daemons and they decide whether or not to actually perform the action.

Pkexec then allows you to use polkit rules instead of sudo for doing sudo-like stuff. You lose a lot of the security benefits, but it does allow people to only have to rely on a single policy source. I don't think that it is very commonly used, though.

Answer from natermer on reddit.com
Linux Man Pages
linux.die.net › man › 1 › pkexec
pkexec(1): Execute command as another user - Linux man page
pkexec allows an authorized user to execute PROGRAM as another user. If username is not specified, then the program will be executed as the administrative super user, root.
Reddit
reddit.com › r/linux › what does pkexec actually do?
r/linux on Reddit: What does pkexec actually do?
September 7, 2025
I just figured out pkexec. What’s the actual point of pkexec when sudo already exists? Does pkexec serve some deeper purpose tied to PolicyKit and GUI app authentication? Can't I use sudo to do the work of pkexec?
Top answer 1 of 6
114
2 of 6
31
It uses the desktop's password prompt thingy instead of asking in the terminal like sudo does. I guess it's intended for use with the desktop app launcher where you don't have a terminal.
pkexec
Have you tried creating a script with those commands and calling it with "awful.spawn("yourscript", false)" ? Also would this be better with easy_async? No. Unless you need output from the command, which I'm assuming doesn't output anything More on reddit.com
`pkexec` as a drop in replacement for `sudo`
It's two additional characters. That's never good.
More on reddit.com
pwnkit: Local Privilege Escalation in polkit's pkexec (CVE-2021-4034)
Sounds fun. Not seeing any updates available for CentOS or Debian yet EDIT: There is working PoC code now available - https://github.com/ly4k/PwnKit/blob/main/PwnKit.c More on reddit.com
pwnkit: Local Privilege Escalation in polkit's pkexec (CVE-2021-4034)
Tried the exploit on my two Linux machines, one is Fedora Workstation 35, updated two days ago. The other is Parrot OS Security, updated just right now. Funny to see that Fedora is not vulnerable to it, while the security focused ParrotOS is being affected. More on reddit.com
Videos
Exploiting Polkit pkexec LPE Vulnerability (CVE-2021-4034 ...
36:15
make pkexec work properly without a DE (and the world a better ...
13:01
Synaptic does not work in BSPWM [Polkit - pkexec] Debian 12 Bookworm ...
05:41
Live Local Privilege Escalation on Kali Linux - Polkit's Pkexec ...
04:07
Linux Privilege Escalation Vulnerability in Polkit’s pkexec | ...
16:03
PwnKit - Exploiting PKEXEC on LINUX (CVE-2021-4034) - Escalation ...
GitHub
github.com › ly4k › PwnKit
GitHub - ly4k/PwnKit: Self-contained exploit for CVE-2021-4034 - Pkexec Local Privilege Escalation · GitHub
Starred by 1.3K users
Forked by 207 users
Languages C 90.3% | Makefile 5.5% | Shell 4.2%
freedesktop.org
freedesktop.org › software › polkit › docs › latest › pkexec.1.html
pkexec: polkit Reference Manual
The environment that PROGRAM will run in will be set to a minimal known and safe environment in order to avoid injecting code through LD_LIBRARY_PATH or similar mechanisms. In addition the PKEXEC_UID environment variable is set to the user id of the process invoking pkexec.
Debian
packages.debian.org › sid › pkexec
Debian -- Details of package pkexec in sid
pkexec is a setuid program to allow certain users to run commands as root or as a different user, similar to sudo.
Arch Linux Man Pages
man.archlinux.org › man › pkexec.1.en
pkexec(1) — Arch manual pages
Upon successful completion, the return value is the return value of PROGRAM. If the calling process is not authorized or an authorization could not be obtained through authentication or an error occurred, pkexec exits with a return value of 127.
Oracle
docs.oracle.com › cd › E88353_01 › html › E37839 › pkexec-1.html
pkexec - man pages section 1: User Commands
July 27, 2022 - If the authorization could not be obtained because the user dismissed the authentication dialog, pkexec exits with a return value of 126. AUTHENTICATION AGENT pkexec, like any other polkit application, will use the authentication agent registered for the calling process or session.
Rapid7
rapid7.com › db › modules › exploit › linux › local › cve_2021_4034_pwnkit_lpe_pkexec
Local Privilege Escalation in polkits pkexec
March 3, 2022 - A bug exists in the polkit pkexec binary in how it processes arguments. If the binary is provided with no arguments, it will continue to process environment variables as argument variables, but without any security checking. By using the execve call we can specify a null argument list and populate the proper environment variables.
New York Office of Information Technology Services
its.ny.gov › 2022-014
A Vulnerability in Polkit's pkexec Component Could Allow For Local Privilege Escalation | Office of Information Technology Services
January 26, 2022 - A vulnerability in Polkit's pkexec component could allow for local privilege escalation. Polkit (formerly PolicyKit) is a component for controlling system-wide privileges in Unix-like operating systems. It provides an organized way for non-privileged processes to communicate with privileged ones.
University of Michigan Safecomputing
safecomputing.umich.edu › security-alerts › apply-patches-linux-systems-policykit-package
Apply patches to Linux systems with policykit package | safecomputing.umich.edu
January 26, 2022 - Polkit (formerly PolicyKit) is a component for controlling system-wide privileges in Unix-like operating systems. The pkexec program could be used by local attackers to increase privileges to root on default installations of Ubuntu, Debian, Fedora, and CentOS.
YouTube
youtube.com › andy li
PwnKit - Linux Local Privilege Escalation - Polkit Pkexec (CVE-2021-4034) - YouTube
A new privilege escalation exploit, nicknamed PwnKit, that works reliably on all major unpatched Linux distros. Qualys writeup: https://www.qualys.com/2022/01/...
Published January 27, 2022 Views 9K
NIST
nvd.nist.gov › vuln › detail › cve-2021-4034
NVD - cve-2021-4034
Qualys
qualys.com › 2022 › 01 › 25 › cve-2021-4034 › pwnkit.txt
pwnkit: Local Privilege Escalation in polkit's pkexec
January 25, 2022 - It provides an organized way for non-privileged processes to communicate with privileged ones. [...] It is also possible to use polkit to execute commands with elevated privileges using the command pkexec followed by the command intended to be executed (with root permission)." (Wikipedia)
Gtfobins
gtfobins.org › gtfobins › pkexec
pkexec | GTFOBins
Living off the land using "pkexec".
YouTube
youtube.com › watch
Privilege Escalation Hack: Exploiting pkexec Vulnerability for Root Access! - YouTube
Published April 3, 2025