Debian
packages.debian.org › sid › pkexec
Debian -- Details of package pkexec in sid
pkexec is a setuid program to allow certain users to run commands as root or as a different user, similar to sudo.
Debian Manpages
manpages.debian.org › testing › pkexec › pkexec(1)
pkexec(1) — pkexec — Debian testing — Debian Manpages
February 9, 2026 - The environment that PROGRAM will run it, will be set to a minimal known and safe environment in order to avoid injecting code through LD_LIBRARY_PATH or similar mechanisms. In addition the PKEXEC_UID environment variable is set to the user id of the process invoking pkexec.
Debian
packages.debian.org › search
Debian -- Package Contents Search Results -- pkexec
You have searched for paths that end with pkexec in suite trixie, all sections, and all architectures.
Debian Manpages
manpages.debian.org › experimental › policykit-1 › pkexec.1.en.html
pkexec(1) — policykit-1 — Debian experimental — Debian Manpages
January 24, 2022 - The environment that PROGRAM will run it, will be set to a minimal known and safe environment in order to avoid injecting code through LD_LIBRARY_PATH or similar mechanisms. In addition the PKEXEC_UID environment variable is set to the user id of the process invoking pkexec.
Debian
packages.debian.org › bookworm › pkexec
Debian -- Details of package pkexec in bookworm
pkexec is a setuid program to allow certain users to run commands as root or as a different user, similar to sudo.
Debian Manpages
manpages.debian.org › trixie › pkexec › pkexec.1.en.html
pkexec(1) — pkexec — Debian trixie — Debian Manpages
The environment that PROGRAM will run it, will be set to a minimal known and safe environment in order to avoid injecting code through LD_LIBRARY_PATH or similar mechanisms. In addition the PKEXEC_UID environment variable is set to the user id of the process invoking pkexec.
Debian Manpages
manpages.debian.org › bookworm › pkexec › pkexec.1.en.html
pkexec(1) — pkexec — Debian bookworm — Debian Manpages
The environment that PROGRAM will run it, will be set to a minimal known and safe environment in order to avoid injecting code through LD_LIBRARY_PATH or similar mechanisms. In addition the PKEXEC_UID environment variable is set to the user id of the process invoking pkexec.
Debian Manpages
manpages.debian.org › unstable › pkexec › pkexec.1.en.html
pkexec(1) — pkexec — Debian unstable — Debian Manpages
January 17, 2025 - The environment that PROGRAM will run it, will be set to a minimal known and safe environment in order to avoid injecting code through LD_LIBRARY_PATH or similar mechanisms. In addition the PKEXEC_UID environment variable is set to the user id of the process invoking pkexec.
Debian Manpages
manpages.debian.org › testing › policykit-1 › pkexec.1.en.html
pkexec(1) — policykit-1 — Debian testing — Debian Manpages
January 26, 2022 - The environment that PROGRAM will run it, will be set to a minimal known and safe environment in order to avoid injecting code through LD_LIBRARY_PATH or similar mechanisms. In addition the PKEXEC_UID environment variable is set to the user id of the process invoking pkexec.
Installati.one
installati.one › home › how to install pkexec on debian 12
How To Install pkexec on Debian 12 | Installati.one
June 10, 2023 - Learn how to install pkexec on Debian 12 with this tutorial. pkexec is run commands as another user with polkit authorization
Debian Manpages
manpages.debian.org › stretch › policykit-1 › pkexec(1)
pkexec(1) — policykit-1 — Debian stretch — Debian Manpages
December 6, 2018 - The environment that PROGRAM will run it, will be set to a minimal known and safe environment in order to avoid injecting code through LD_LIBRARY_PATH or similar mechanisms. In addition the PKEXEC_UID environment variable is set to the user id of the process invoking pkexec.
Debian Manpages
manpages.debian.org › buster › policykit-1 › pkexec.1.en.html
pkexec(1) — policykit-1 — Debian buster — Debian Manpages
January 15, 2019 - The environment that PROGRAM will run it, will be set to a minimal known and safe environment in order to avoid injecting code through LD_LIBRARY_PATH or similar mechanisms. In addition the PKEXEC_UID environment variable is set to the user id of the process invoking pkexec.
GitHub
github.com › sezanzeb › input-remapper › issues › 878
GUI not starting due to missing `pkexec` (Debian 12 KDE) · Issue #878 · sezanzeb/input-remapper
April 24, 2024 -

    Apr 24 17:11:25 debian plasmashell[15208]: input-remapper-gtk 2.0.1 f5151aab27ae0e7d8b1f0c80ce92a718e3a86e71 https://github.com/sezanzeb/input-remapper
    Apr 24 17:11:25 debian plasmashell[15208]: python-evdev 1.6.1
    Apr 24 17:11:25 debian plasmashell[15208]: Creating dir "/tmp/input-remapper-watty"
    Apr 24 17:11:25 debian plasmashell[15213]: sh: 1: pkexec: not found
    Apr 24 17:11:25 debian plasmashell[15208]: ERROR: Failed to pkexec the reader-service, code 32512

Author sezanzeb
Top answer
1 of 2
3

The two tools are different to the point that they are not really interchangeable for most use cases, so it only barely makes sense to have a 'vs' comparison between them. (It would make more sense to compare pkexec vs sudo, or su vs runuser, or pkexec vs run0.)

Code-wise, runuser is practically a copy of util-linux's su, only slightly adapted to be more suitable for use in scripts that generally run as root but need to call some specific command as a different user. (For example, runuser uses a different set of PAM configurations than su, allowing it to be exempt from things like systemd-logind which are often desired for interactive su but would be extremely counter-productive for scripted su.)

The most visible difference between your two commands is that pkexec is usually installed "setuid root" (just like sudo or su), meaning it can function when run from a regular user account – but runuser is usually not installed that way, and in fact specifically refuses to work when run by a non-root user.

This essentially places runuser opposite pkexec, as the latter is meant almost exclusively to raise privileges to root, whereas runuser is only able to lower them from root.

In a similar way, pkexec is designed almost exclusively for interactive desktop use (with PolicyKit prompting the user for admin authentication) while runuser is designed for batch use by root (which would be exempt from such authentication) and therefore doesn't even have the ability to prompt for that.

The only overlap between them is that it is possible for root to call pkexec --user XYZ which will switch to that user without doing the PolicyKit checks (although still contacting polkitd), in which case it has almost no advantages over runuser.

2 of 2
1

pkexec and runuser are both Linux utilities for executing commands as a different user, BUT:

  • pkexec is made for a desktop user who needs to temporarily run a command as root with proper authorization, or who needs auditable, policy-controlled privilege escalation.

  • And runuser is useful when you are root and need to drop privileges to run a command as another user. (Note that it is non-interactive and scriptable user context switching.)

Top answer
1 of 3
58

How to configure pkexec to avoid getting errors when running GUI applications?

I found two possible ways:

  1. As you can see, using the following:

    pkexec env DISPLAY=$DISPLAY XAUTHORITY=$XAUTHORITY gedit
    

    will not get you any error. And this is normal because man pkexec is very clear in this matter:

           [...] pkexec will not allow you to run X11 applications
           as another user since the $DISPLAY and $XAUTHORITY environment
           variables are not set.[...]
    

    As a result you can create a (permanent) alias (this is the simplest way):

    alias pkexec='pkexec env DISPLAY=$DISPLAY XAUTHORITY=$XAUTHORITY'
    
  2. Or, (again) as man pkexec says:

           [...] These two variables will be retained if the
           org.freedesktop.policykit.exec.allow_gui annotation on an action is set
           to a nonempty value; this is discouraged, though, and should only be
           used for legacy programs.[...]
    

    you can create a new policy file in /usr/share/polkit-1/actions named com.ubuntu.pkexec.gedit.policy with the following xml code inside where the most important thing is to set org.freedesktop.policykit.exec.allow_gui to a nonempty value:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE policyconfig PUBLIC
      "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
      "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
    <policyconfig>
    
      <action id="com.ubuntu.pkexec.gedit">
        <message gettext-domain="gparted">Authentication is required to run gedit</message>
        <icon_name>gedit</icon_name>
        <defaults>
          <allow_any>auth_admin</allow_any>
          <allow_inactive>auth_admin</allow_inactive>
          <allow_active>auth_admin</allow_active>
        </defaults>
        <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/gedit</annotate>
        <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
      </action>
    
    </policyconfig>
    

How to tell it to not ask for a password after the first time applying it to a command?

For these three setting tags: allow_any, allow_inactive and allow_active from the policy file, the following options are available:

  • no: The user is not authorized to carry out the action. There is therefore no need for authentication.
  • yes: The user is authorized to carry out the action without any authentication.
  • auth_self: Authentication is required but the user need not be an administrative user.
  • auth_admin: Authentication as an administrative user is required.
  • auth_self_keep: The same as auth_self but, like sudo, the authorization lasts a few minutes.
  • auth_admin_keep: The same as auth_admin but, like sudo, the authorization lasts a few minutes.

     Source: Polkit - Structure - Actions

So, if you use the auth_admin_keep option (or, as applicable, auth_self_keep), pkexec will not ask for a password again for some time (by default this time is set to 5 minutes as I checked). The disadvantage here is that this is applicable only for one - the same - command / application and valid for all users (unless it is overruled in later configuration).

Where to save the configuration file if not yet existing?

Configuration files or polkit definitions can be divided into two kinds:

  • Actions are defined in XML .policy files located in /usr/share/polkit-1/actions. Each action has a set of default permissions attached to it (e.g. you need to identify as an administrator to use the GParted action). The defaults can be overruled but editing the actions files is NOT the correct way. The name of this policy file should have this format:

    com.ubuntu.pkexec.app_name.policy
  • Authorization rules are defined in JavaScript .rules files. They are found in two places: 3rd party packages can use /usr/share/polkit-1/rules.d (though few if any do) and /etc/polkit-1/rules.d is for local configuration. The .rules files designate a subset of users, refer to one (or more) of the actions specified in the actions files and determine with what restrictions these actions can be taken by that/those user(s). As an example, a rules file could overrule the default requirement for all users to authenticate as an admin when using GParted, determining that some specific user doesn't need to. Or isn't allowed to use GParted at all.

     Source: Polkit - Structure

Is there a GUI application to configure pkexec usage?

As far as I know, nothing like this exists as of now (18.01.2014). If I find something in the future, I will not forget to update this answer too.
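
The defaults values and annotations listed in this answer can be checked mechanically when reviewing a system's polkit actions. The Python below is an added example, not part of the original answer or of polkit: it flags pkexec actions that grant `yes`, use a `*_keep` value, or set allow_gui. The name `audit_policy` and the sample XML are constructed for illustration, and a missing defaults element is assumed to mean `no`.

```python
import glob
import xml.etree.ElementTree as ET

EXEC_PATH = "org.freedesktop.policykit.exec.path"
ALLOW_GUI = "org.freedesktop.policykit.exec.allow_gui"
DEFAULT_TAGS = ("allow_any", "allow_inactive", "allow_active")

# Constructed sample: the gedit action from the answer above, with two
# defaults loosened so that every kind of finding is produced.
SAMPLE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
  "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
  "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>
  <action id="com.ubuntu.pkexec.gedit">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin_keep</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/gedit</annotate>
    <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
  </action>
</policyconfig>
"""

def audit_policy(xml_text):
    """Return (action_id, finding) tuples for pkexec actions in one .policy file."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    findings = []
    for action in ET.fromstring(data).iter("action"):
        notes = {a.get("key"): (a.text or "").strip() for a in action.findall("annotate")}
        path = notes.get(EXEC_PATH)
        if path is None:
            continue  # no exec.path annotation: not an action tied to a pkexec program
        aid = action.get("id", "?")
        for tag in DEFAULT_TAGS:
            # Assumption for this example: a missing or empty element means "no".
            value = (action.findtext(f"defaults/{tag}") or "no").strip()
            if value == "yes":
                findings.append((aid, f"{tag}=yes: {path} runs without any authentication"))
            elif value.endswith("_keep"):
                findings.append((aid, f"{tag}={value}: authorization is kept for a few minutes"))
        if notes.get(ALLOW_GUI):  # any nonempty value enables it
            findings.append((aid, "allow_gui set: DISPLAY and XAUTHORITY are retained"))
    return findings

if __name__ == "__main__":
    for aid, finding in audit_policy(SAMPLE_POLICY):
        print("sample:", aid, finding)
    # Scan the action directory named in the answer, if present on this host.
    for policy in sorted(glob.glob("/usr/share/polkit-1/actions/*.policy")):
        try:
            with open(policy, "rb") as fh:
                for aid, finding in audit_policy(fh.read()):
                    print(policy, aid, finding)
        except (OSError, ET.ParseError) as err:
            print(policy, "skipped:", err)
```
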

2 of 3
2

In addition to Radu's answer: I would not use the alias pkexec, but gksudo.

Why? You don't need to rewrite your script.

I use the following configuration:

  • open a terminal
  • cd /usr/local/bin
  • sudo gedit gksudo (create new file called "gksudo")
  • write the following content:

    • pkexec env DISPLAY="$DISPLAY" XAUTHORITY="$XAUTHORITY" "$@"

    • (don't forget the $@ at the end. This is for redirecting all parameters)

  • save and quit

  • make the file executable: chmod 755 gksudo
  • Now you should have a fully functional gksudo command available on your system - permanently.

For documentation reasons, I will write, what I tried and didn't work out:

  • alias pkexec='pkexec env [...]'
  • alias gksudo='pkexec [...]'
    • Was not permanent and did only stay in one single terminal
  • adding the alias to ~/.bash_aliases
    • Works if you first open a terminal. Does not work if you double-click scripts
  • Create a link to pkexec with parameters ( ln -s pkexec [...])
    • After a quick googling, it seems like Linux doesn't support parameters in links
Top answer
1 of 3
23

It can be done by adding custom actions to policykit. If you want to run gedit as root with pkexec you have to create new file /usr/share/polkit-1/actions/org.freedesktop.policykit.gedit.policy for example:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>
    <action id="org.freedesktop.policykit.pkexec.gedit">
        <description>Run gedit program</description>
        <message>Authentication is required to run the gedit</message>
        <icon_name>accessories-text-editor</icon_name>
        <defaults>
            <allow_any>auth_admin</allow_any>
            <allow_inactive>auth_admin</allow_inactive>
            <allow_active>auth_admin</allow_active>
        </defaults>
        <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/gedit</annotate>
        <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
    </action>
</policyconfig>

Finally pkexec gedit should work as expected.


Visit the manpage or Reference Manual, which explains it with an EXAMPLE like:

$ man pkexec | grep -i ^Example -A 60
EXAMPLE
       To specify what kind of authorization is needed to execute the program /usr/bin/pk-example-frobnicate as
       another user, simply write an action definition file like this

           <?xml version="1.0" encoding="UTF-8"?>
           <!DOCTYPE policyconfig PUBLIC
            "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
            "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
           <policyconfig>

             <vendor>Examples for the PolicyKit Project</vendor>
             <vendor_url>http://hal.freedesktop.org/docs/PolicyKit/</vendor_url>

             <action id="org.freedesktop.policykit.example.pkexec.run-frobnicate">
               <description>Run the PolicyKit example program Frobnicate</description>
               <description xml:lang="da">Kør PolicyKit eksemplet Frobnicate</description>
               <message>Authentication is required to run the PolicyKit example program Frobnicate (user=$(user), program=$(program), command_line=$(command_line))</message>
               <message xml:lang="da">Autorisering er påkrævet for at afvikle PolicyKit eksemplet Frobnicate (user=$(user), program=$(program), command_line=$(command_line))</message>
               <icon_name>audio-x-generic</icon_name>
               <defaults>
                 <allow_any>no</allow_any>
                 <allow_inactive>no</allow_inactive>
                 <allow_active>auth_self_keep</allow_active>
               </defaults>
               <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/pk-example-frobnicate</annotate>
             </action>

           </policyconfig>

       and drop it in the /usr/share/polkit-1/actions directory under a suitable name (e.g. matching the namespace of
       the action). Note that in addition to specifying the program, the authentication message, description, icon
       and defaults can be specified. Note that occurences of the strings $(user), $(program) and $(command_line) in
       the message will be replaced with respectively the user (of the form "Real Name (username)" or just "username"
       if there is no real name for the username), the binary to execute (a fully-qualified path, e.g.
       "/usr/bin/pk-example-frobnicate") and the command-line, e.g. "pk-example-frobnicate foo bar". For example, for
       the action defined above, the following authentication dialog will be shown:

           [IMAGE][2]

               +----------------------------------------------------------+
               |                     Authenticate                     [X] |
               +----------------------------------------------------------+
               |                                                          |
               |  [Icon]  Authentication is required to run the PolicyKit |
               |          example program Frobnicate                      |
               |                                                          |
               |          An application is attempting to perform an      |
               |          action that requires privileges. Authentication |
               |          is required to perform this action.             |
               |                                                          |
               |          Password: [__________________________________]  |
               |                                                          |
               | [V] Details:                                             |
               |  Command: /usr/bin/pk-example-frobnicate                 |
               |  Run As:  Super User (root)                              |
               |  Action:  org.fd.pk.example.pkexec.run-frobnicate        |
               |  Vendor:  Examples for the PolicyKit Project             |
               |                                                          |
               |                                  [Cancel] [Authenticate] |
               +----------------------------------------------------------+
2 of 3
16

For me, with Ubuntu, to run hardinfo as root,

pkexec env DISPLAY=$DISPLAY XAUTHORITY=$XAUTHORITY hardinfo

works well. This tip is from nany (French Ubuntu forum).