In the old days of CentOS 5, I had an application that ran as another user.  I created a .desktop file which ran a command that looked like this: gksu -u anotheruser someapplication When the user clicked the icon, a popup asked for the password of "anotheruser".  When the password was correct, "someapplication" started. Now in the modern days of CentOS 7, I can't find a replacement for this behaviour.  I tried beesu: beesu -l -P someapplication anotheruser but it is asking me for the root password instead of "anotheruser" password. I also tried pkexec: pkexec --user anotheruser someapplication with the same result. Both methods also have problems finding the correct display variable: Failed to parse arguments: Cannot open display: Any help will be appreciated.

I am writing a bash script that automates installation of TLauncher (Minecraft launcher) and basic dependency management on USBs running Lubuntu 18.04. Part of the bash script creates a desktop entry under /usr/share/applications for easy launch from the Lubuntu menu. Here is the entry I am using: [Desktop Entry] Encoding=UTF-8 Exec=pkexec env DISPLAY=$DISPLAY XAUTHORITY=$XAUTHORITY /usr/bin/java -jar -Dswing.systemlaf=javax.swing.plaf.nimbus.NimbusLookAndFeel ~/.minecraft/tlauncher.jar Icon=~/.minecraft/icons/default.png Type=Application Terminal=false Name=Minecraft GenericName=minecraft StartupNotify=false Categories=Game The command pkexec env DISPLAY=$DISPLAY XAUTHORITY=$XAUTHORITY /usr/bin/java -jar -Dswing.systemlaf=javax.swing.plaf.nimbus.NimbusLookAndFeel ~/.minecraft/tlauncher.jar works and does launch TLauncher if run in the terminal. However, I feel I am missing something when I put the command in the Desktop Entry. When I try to open the entry from the Lubuntu menu, the cursor shows that something is loading, but then nothing happens no matter how long I wait. I am also not sure how to debug the Desktop entry. I tried toxdg-open the entry, but I got no output in the terminal and nothing happened either -i.e, TLauncher did not launch. I tried putting the command in a separate bash file that looks like: #!/bin/bash pkexec env DISPLAY=:0 XAUTHORITY=/home/me/.Xauthority /usr/bin/java -jar -Dswing.systemlaf=javax.swing.plaf.nimbus.NimbusLookAndFeel ~/.minecraft/tlauncher.jar Running that in the terminal bash testscript.sh works and does launch TLauncher. But when I put it in the desktop entry replacing the exec from the entry above like so: Exec=/bin/bash /path/to/testscript.sh It does not work. The shell scripts have the proper permissions. I feel like either I'm writing the Desktop Entry's exec value wrong or that pkexec isn't supposed to work from a Desktop Entry the way I am trying to make it work. I would like to be able to launch TLauncher from a desktop entry via the menu and have a gui popup asking for the password in order to have the command run as root. **Edit:** Using full paths instead of ~ also yields the same result -i.e, it does not work and the above issues remain. Setting Terminal=true does not solve this for me.

pkexec is not installed by default on Debian unlike runuser which is. So far I've been using pkexec but discovered there is also runuser, and since runuser seems to be more advanced (looking at options in man entry which I don't fully understand and didn't use the command yet) so this made me think whether there is any benefit to install pkexec since runuser is already there. What pros and cons does runuser have compared to pkexec?

Ok so perhaps the basis of this question comes from my negligent understanding of a super user but here goes: I have a user that is on the sudoer list, call them user1. I can switch to this user and run commands with sudo using the password for user1. I do not, however, know the password for the user root (who is inherently on the sudoer list). I would like to be able to run pkexec in a way that requests the authentication credentials for user1 (not root). MY understanding is that the --user flag for pkexec is to run the command as that user (not request auth credentials for that user). So, how can I have pkexec request authentication credentials for user1?

I have an application foo that starts other applications (bar and baz) under the hood.  I start foo using pkexec and I have written a policy file for foo with: yes yes yes This way, it doesn't ask me for a password when I run pkexec --user \ foo.  So far, so good.  However, I recently made a change that first sets an environment var: pkexec --user env BLA=$BLA && foo.  Now I get asked for passwords for all the other applications!  I have to type the password for bar, baz and env.  I can understand why it asks it for env, but why also for the others where in the first situation (without the env) it did not prompt? I use Debian 9.4.

I have an web application that runs on a pc without a physical keyboard that is opened in chrome. I use the following command: pkexec --user google-chrome-stable --force-renderer-accessibility --app "http://my/url " This shows the right url, but does not show me the onscreen keyboard when I select a text field. If I remove the pkexec it does show me the onscreen keyboard. What can I do to make it also work with the pkexec? I use Debian 9.4 and the OSK is the gnome onscreen keyboard. I noticed that when testing with gedit iso chrome, it works fine: pkexec --user gedit Both executables have a similar policy file: Authentication is required to run Chrome Run Chrome auth_admin auth_admin auth_admin /usr/bin/google-chrome-stable TRUE It seems like the dbus calls to show the keyboard are no longer send when I use pkexec. If I look at the dbus-monitor the calls do come in when I run the command google-chrome-stable --force-renderer-accessibility --app "http://my/url " But if I add pkexec --user to the command it no longer sends dbus messages like this: method call time=1710323137.837430 sender=:1.101 -> destination=org.gnome.Caribou.Keyboard serial=2172 path=/org/gnome/Caribou/Keyboard; interface=org.gnome.Caribou.Keyboard; member=Show

I am trying to run desktop shortcut as root user, willing to see password prompt on opening shortcut. pkexec does the thing, but it doesn't change user - either i run it from terminal - it always give me a prompt for the current user who is not sudo. pkexec --user root [command] results in Authentication is needed to run [command] as the superuser, Authenticating as: mylocal-not-sudo-user How can i change user to root? (i tried gksudo, but it doesn't pop up prompt on chortcut opening)

some time ago I moved from Systemd to OpenRC. It was very different, to be able to use audio and webcam I had to add my user to the audio, optical and video group. As some software uses pkexec to be run as superuser, when I opened them (Because I use XFCE) nothing happened. When I used Systemd this didn´t happened, and it´s configured to use /usr/lib/polkit-gnome/polkit-gnome-authentication-agent-1 (which I have it installed). When I write pkexec in a terminal this is the output $ pkexec ==== AUTHENTICATING FOR org.freedesktop.policykit.exec === Authentication is required to modify fingerprint authentication data Authenticating as: (MY USERNAME) Password: polkit-agent-helper-1: error response to PolicyKit daemon: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: No session for cookie ==== AUTHENTICATION FAILED === Error executing command as another user: Not authorized This incident has been reported. I don´t know how to enable the polkit daemon/service in OpenRC, in Systemd the service it´s named "polkit". But there is ConsoleKit (what´s the difference?) which is seems to fail $ service consolekit status * status: stopped # service consolekit restart * starting consolekit . . $ service consolekit status * status: crashed My distro is Parabola (Arch Based, with the difference that is removes all the nonfree packages from the repo & Arch itself, as Arch uses Systemd, Parabola too) and I changed to OpenRC in a virtual machine, and I am testing it. Thanks in advance Other outputs $ groups wheel network video audio storage polkitd $USERNAME

The recent security bug CVE-2021-4034 in Linux involves /usr/bin/pkexec. Following media reports (zdnet, etc.) I changed its permission, but also found this file: /home/virtfs/foo/usr/bin/pkexec for cPanel user foo. I don't know why a user would have pkexec shadowed. Unfortunately we are running an outdated WHM/cPanel (with root) on outdated CentOS 6, until we can migrate the last sites off it.

If I try pkexec echo -e '\nwl2k something\n' >> /etc/ax25/axports in terminal to have a user add a line to a file, I get a bash: /etc/ax25/axports: Permission denied How do I make it so the whole command goes to pkexec - that is, ask user for sudo to make the change?

I just noticed something peculiar about how sudo handles the .Xauthority file:

-bash
sudo xauth add $(xauth list | tail -1)

user@server: sudo xauth info
Authority file:       /root/.xauthYZ21Nt
File new:             no
File locked:          no
Number of entries:    1
Changes honored:      yes
Changes made:         no
Current input:        (argv):1

user@server:  sudo xauth info
Authority file:       /root/.xauth3BFy5d
File new:             no
File locked:          no
Number of entries:    1
Changes honored:      yes
Changes made:         no
Current input:        (argv):1

user@server:  sudo xauth list
server/unix:10  MIT-MAGIC-COOKIE-1  c922ab48defdf43b1092dffb86c06eed

user@server: sudo ls -la /root | grep auth
-rw-r--r--  1 root root    0 Nov  9 14:40 .Xauthority
-rw-------  1 root root   57 Nov  9 15:23 .xauthsrxzxl

user@server:  pkexec xauth info
Authority file:       /root/.Xauthority
File new:             no
File locked:          no
Number of entries:    0
Changes honored:      yes
Changes made:         no
Current input:        (argv):1

So, $XAUTHORITY value is different in every new sudo, and it points to a temporary file which disappears when sudo quits. Because of this, the last command (which uses pkexec instead of sudo and expects it to be in /root/.Xauthority) fails to see the cookie. For instance, sudo gedit runs fine, but pkexec env DISPLAY=$DISPLAY gedit fails. Why is it done in such a complicated way, where is the data stored, and more importantly, how can I access .Xauthority data with pkexec?

I am using [Trisquel](https://trisquel.info) GNU/Linux-Libre which comes with [Gnome3 Flashback](https://wiki.gnome.org/Projects/GnomeFlashback) Desktop Environment. I know that I can run GUI application as root by sudo & gksudo but I want to know that How do I run GUI applications as root with the help of **pkexec**? When I tries to run gedit (or any other application like:nautilus) by pkexec gedit then It prompts for password for authentication:- After entering password it exit with error:- $ pkexec gedit error: XDG_RUNTIME_DIR not set in the environment. (gedit:6135): Gtk-WARNING **: cannot open display: ---------- So, It seems something is going wrong with display environment. I've also tried with DISPLAY=:0 pkexec gedit but doesn't work. ---------- Following information is available from man pkexec:- > The environment that PROGRAM will run it, will be set to a minimal > known and safe environment in order to > avoid injecting code through LD_LIBRARY_PATH or similar mechanisms. In addition the PKEXEC_UID environment > variable is set to the user id of the process invoking pkexec. As a result, pkexec will not allow you to run > X11 applications as another user since the $DISPLAY and $XAUTHORITY environment variables are not set. These > two variables will be retained if the org.freedesktop.policykit.exec.allow_gui annotation on an action is > set > to a nonempty value; this is discouraged, though, and should only be used for legacy programs. Now I don't know What to do in order to accomplish this. Thus, Help me to find out How to run GUI applications as root by means of pkexec. Or **Is this possible or not?** ---------- BTW, Inspired by gparted-pkexeccommand which works fine. How gparted use pkexec?

Oh my.. I just did a terrible mistake: chown -R root:root /usr. Mea [maxima] culpa.. I fixed sudo and pkexec already, but I want to be sure, there is no "sleeping" issue waiting on me in the future. Could anyone please find out using simple command, what files / directories have 'special' permissions? I know about /usr/bin/sudo, /usr/bin/pkexec and /usr/lib/policykit-1 only. Thanks.. I'm using Debian 11..

I just hopped to Pop!_os yesterday and pkexec executes in terminal. It also ran into the error:

polkit-agent-helper-1: error response to PolicyKit daemon: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: No session for cookie

I have a configuration in virtualbox that requires me to run the application with sudo privileges. I have been editing the .desktop file to run with sudo (note a simply changing the Exec variable to Exec=sudo virtualbox does not work even with the appropriate changes to the sudoers file): $ cat /usr/share/applications/virtualbox.desktop [Desktop Entry] Name=VirtualBox GenericName=PC virtualization solution Type=Application Exec=virtualbox %U TryExec=VirtualBox Keywords=virtualization; Keywords[de]=Virtualisierung; Keywords[ru]=виртуализация; MimeType=application/x-virtualbox-vbox;application/x-virtualbox-vbox-extpack;application/x-virtualbox-ovf;application/x-virtualbox-ova; Icon=virtualbox Categories=Emulator;System;Utility; Actions=RootManager;Manager Comment=Run several virtual systems on a single host computer Comment[de]=Mehrere virtuelle Maschinen auf einem einzigen Rechner ausführen Comment[it]=Esegui più macchine virtuali su un singolo computer Comment[ko]=가상 머신 Comment[pl]=Uruchamianie wielu systemów wirtualnych na jednym komputerze gospodarza Comment[ru]=Запуск нескольких виртуальных машин на одном компьютере Comment[sv]=Kör flera virtuella system på en enda värddator [Desktop Action Manager] Exec=virtualbox Name=Open Oracle VM Manager Name[de]=Oracle VM Manager öffnen [Desktop Action RootManager] Exec=gnome-terminal -e "bash -c 'sudo -i /usr/bin/virtualbox;'" Name=Open Manager as Admin The above works and is an ok workaround for the time being but notice that the authentication happens in the gnome-terminal. I would like to bypass this with pkexec (e.g. Exec=pkexec virtualbox) but I get the following error: ~$ pkexec virtualbox Qt WARNING: could not connect to display Qt FATAL: This application failed to start because no Qt platform plugin could be initialized. Reinstalling the application may fix this problem. Available platform plugins are: eglfs, linuxfb, minimal, minimalegl, offscreen, vnc, xcb. Aborted (core dumped) I have identified some possible culprits/solutions: - https://askubuntu.com/questions/1041588/virtualbox-not-launching-on-ubuntu-18-04-qt-lib-problem - https://unix.stackexchange.com/questions/203136/how-do-i-run-gui-applications-as-root-by-using-pkexec I have a feeling my problem is not associated so much with the first link since the application works fine without the use of pkexec. The second link adds custom actions to the freedesktop policykit which looks pretty involved but might be what I need. Any insights?

how to force "machinectl shell" or systemd-run to ask for password in terminal instead of dialog window? I can run a command as root using: machinectl shell --uid=root --setenv='DISPLAY=:1.0' --setenv=SHELL=/bin/bash .host /bin/bash -lc 'startxfce4' but it ask for the password using the dialog window I want to have the same behavior of sudo (sudo ask for the password using the terminal so I can script it easily) on way I found is using ssh like that: ssh -t MyActualNormalUser@localhost then run the same command as above: machinectl shell --uid=root --setenv='DISPLAY=:1.0' --setenv=SHELL=/bin/bash .host /bin/bash -lc 'thunar' now machinectl ask for the password using the terminal instead of the GUI dialog window! How can I achieve the same result without using ssh? is it possible to force machinectl/pkexec to ask for the password in the terminal? why not use sudo? sudo do not create a new session for the command I run , machinectl run a totally separated session which make life in scripting easier. and as I read machinectl/pkexec are the su/sudo replace if I m not wrong...

I was following a link to add Xampp server in "Show all application" section where normally we can see all GUI apps installed. But it's different in case of Xampp. We have to do things manually. So I opened the file using: pkexec nano /usr/share/applications/xampp-control-panel.desktop Because I can't use this: 007@bond:~$ pkexec gedit /usr/share/applications/xampp-control-panel.desktop Unable to init server: Could not connect: Connection refused (org.gnome.gedit:17349): Gtk-WARNING **: 20:18:25.529: cannot open display: Anyhow when I tried putting to check whether Xampp run pkexec, I got this error: 007@bond:~$ Exec=pkexec /opt/lampp/manager-linux-x64.run bash: /opt/lampp/manager-linux-x64.run: Permission denied **My questions/doubt**: 1. Isn't **pkexec** is a replacement of **gksudo**? Then why don't it works sometimes?

I was just reading the reference manual written by David Z for pkexec on freedesktop.org: https://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html and https://www.freedesktop.org/software/polkit/docs/latest/pkexec.1.html Manual says that using the auth_admin_keep option will only keep your password for 5 to 15 minutes and that if we want to set custom timeouts we have write custom rules. Would anyone know how I can go about writing a custom rules for the timeout? I tried to follow along with the manual but I'm not a coder and I wasn't being able to understand the synthax, no were there any mentions made of timeout related synthax.

With *portable* i mean an application that can be used for example for an USB drive, and don't require to 'touch' the OS file-system for run. Under Windows, I can distribute a .zip -> .exe -> .manifest file with "requestedExecutionLevel" xml tag. Portable and request password via UAC graphically. Under macOS, I can distribute a .tar.gz > .App -> key in info.plist. Portable and request password graphically. Under Linux? The correct procedure is a /usr/share/polkit-1/actions policy file and execute a binary with pkexec. But it presume an installation to write the policy file (.deb or .rpm for example) and break portability. We cannot rely on gksu/kdesu/beesu or similar, are deprecated and cannot be installed in recent distro (pkexec it's the recommended way). We cannot tell (via pkexec command-line args) a local .policy file. So, it's impossible under Linux to develop a portable application that require root privileges and GUI? Thanks for any feedback.

Are there any alternatives to using gksudo/gksu or pkexec to authenticate users in X11? The only one that comes to mind is creating a wrapper script that uses sudo to ensure my 2-factor authentication is handled, but then I'm stuck with a terminal window running while the application is running.