10

Please provide Ubuntu documentation that refutes this: https://help.ubuntu.com/community/RootSudo Why, on my fully updated 13.04 system, does pkexec not function?

```
$ pkexec gedit somefile.txt
No protocol specified

** (gedit:13135): WARNING **: Could not open X display
Cannot open display: 
Run '/usr/bin/gedit --help' to see a full list of available command line options
```
chili555
  • [For 13.04+ one major reason is that gksu isn't in the default load-out](http://meta.askubuntu.com/questions/6634/psa-gksu-is-no-longer-installed-by-default). – Oli Jun 28 '13 at 12:10
  • pkexec isn't a drop in replacement for gksu. It is not intended for you to manually run like that. – psusi Jun 28 '13 at 13:40
  • 2
    I didn't ask about nor mention gksu. – chili555 Jun 28 '13 at 14:33
  • A very good answer about making `pkexec` run GUI without configuring: http://askubuntu.com/a/332847/89385 – akostadinov Jan 14 '16 at 08:47
  • Install policykit-1-gnome. See [here](https://askubuntu.com/questions/162011/pkexec-wont-launch-polkit-gui-in-lubuntu-lxde/450559#450559) for details and explanation. – user303371 Dec 10 '17 at 01:46

1 Answer

8

Why doesn't it work?

By default pkexec does not allow you to run graphical (X11) applications. From the man page:

> The environment that PROGRAM will run it, will be set to a minimal known and safe environment in order to avoid injecting code through LD_LIBRARY_PATH or similar mechanisms. In addition the PKEXEC_UID environment variable is set to the user id of the process invoking pkexec. As a result, pkexec will not allow you to run X11 applications as another user since the $DISPLAY and $XAUTHORITY environment variables are not set. These two variables will be retained if the org.freedesktop.policykit.exec.allow_gui annotation on an action is set to a nonempty value; this is discouraged, though, and should only be used for legacy programs.

As stated in the man page, you can make it work, albeit I really don't know if this is somehow dangerous or recommended.

To enable gedit, for example, you can create `/usr/share/polkit-1/actions/com.ubuntu.gedit.policy` with the following content:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
<policyconfig>
  <vendor>gedit</vendor>
  <vendor_url>gedit</vendor_url>
  <icon_name>accessories-text-editor</icon_name>
  <action id="org.freedesktop.policykit.pkexec.gedit">
    <description>Run "gedit"</description>
    <message>Authentication is required to run Text Editor</message>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/gedit</annotate>
    <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
  </action>
</policyconfig>
```

Then `pkexec gedit` should work as expected.

As you can guess, this will only make gedit work. In theory, if you added `allow_gui` to `org.freedesktop.policykit.exec` (the default action), this should work for all applications, but in my tests I got the same result as yours.

Why is pkexec preferred?

Here you can find a discussion about the strengths of pkexec.

Pablo Bianchi
Salem
  • 3
    So, for graphical applications, is gksudo preferred and NOT pkexec? – chili555 Jun 28 '13 at 15:29
  • 1
    I guess so. If `gksudo` is available, it is a lot easier to use it instead of creating single actions for each app you need to use (if there is not a "global" way to do it). – Salem Jun 28 '13 at 16:52
  • 1
    @Salem- Then I wonder why my answer was edited and approved to use pkexec when it is not intended to be used for graphical applications and, as you can read, didn't work. http://askubuntu.com/questions/313619/resolvedcould-not-save-the-file-usr-permission-denied-13-04/313625#313625 There must be something I don't understand. – chili555 Jun 28 '13 at 19:30
  • @chili555 If that edit was what motivated your question you should ask this at Meta. In 13.04 you either have to install `gksudo` or configure `pkexec` (you can also use `sudo -i` but that will not work with Alt+F2 aka "Run"). I find the first MUCH easier. If anyone thinks otherwise well... To me it seems wrong to suggest something that will not work as intended, but I may be missing something... – Salem Jun 28 '13 at 20:45
  • You and me both. I will ask in Meta. – chili555 Jun 28 '13 at 21:01
  • This problem seems to be very common... It's now much easier to just use `lxpolkit`, which is an X11 application that `pkexec` can open. http://askubuntu.com/a/450559/159431 – iyrin Apr 19 '15 at 19:17
  • 1
    `pkexec` actually **can** run GUI without configuration: http://askubuntu.com/a/332847/89385 – akostadinov Jan 14 '16 at 08:48
  • Is everything stated here valid on Wayland? – Pablo Bianchi Mar 14 '22 at 19:18
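
An added example, not part of the original answer or of polkit itself: a small audit that parses policy files in the format shown in the answer and lists every action whose `allow_gui` annotation is nonempty (so `pkexec` keeps `$DISPLAY` and `$XAUTHORITY`), together with any defaults that do not require admin authentication. The two `com.example` actions and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

ALLOW_GUI = "org.freedesktop.policykit.exec.allow_gui"
EXEC_PATH = "org.freedesktop.policykit.exec.path"
NO_ADMIN_AUTH = {"yes", "auth_self", "auth_self_keep"}  # defaults that need no admin password

# Constructed sample: the answer's gedit action plus two hypothetical com.example actions.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<policyconfig>
  <action id="org.freedesktop.policykit.pkexec.gedit">
    <defaults><allow_any>auth_admin</allow_any><allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin</allow_active></defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/gedit</annotate>
    <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
  </action>
  <action id="com.example.pkexec.viewer">
    <defaults><allow_active>yes</allow_active></defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/example-viewer</annotate>
    <annotate key="org.freedesktop.policykit.exec.allow_gui">1</annotate>
  </action>
  <action id="com.example.pkexec.cli">
    <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/example-cli</annotate>
  </action>
</policyconfig>"""


def audit_policy(xml_bytes):
    """List actions whose allow_gui annotation makes pkexec keep DISPLAY/XAUTHORITY."""
    findings = []
    for action in ET.fromstring(xml_bytes).iter("action"):
        notes = {a.get("key"): (a.text or "").strip() for a in action.findall("annotate")}
        if not notes.get(ALLOW_GUI):  # per the man page, any nonempty value enables it
            continue
        defaults = action.find("defaults")
        lax = sorted(d.tag for d in (defaults if defaults is not None else [])
                     if (d.text or "").strip() in NO_ADMIN_AUTH)
        findings.append({"id": action.get("id"), "path": notes.get(EXEC_PATH),
                         "no_admin_auth": lax})
    return findings


def audit_dir(directory="/usr/share/polkit-1/actions"):
    """Audit every .policy file in the directory the answer installs into."""
    hits = {str(p): audit_policy(p.read_bytes()) for p in sorted(Path(directory).glob("*.policy"))}
    return {name: found for name, found in hits.items() if found}


if __name__ == "__main__":
    print(*audit_policy(SAMPLE), sep="\n")
```

Calling `audit_dir()` on a real system gives the set of programs that run as root with access to the user's X session, which is the list worth reviewing given the man page's "discouraged" note.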