Using pkexec

[grahammechanical]

I have opened this thread because gksu is depreciated and as some of us are finding out gksu sometimes gets broken for some of us. I am now thinking that it is sensible to switch to using pkexec. It is not a replacement for gksu but it can be used to give root privileges to certain applications but we need to create a policy file for those applications.

Ubuntu comes with a set of policies and we find them in /usr/share/polkit-1/actions/. We can follow the pattern used in those policies to create policies ourselves. This is a policy for Gedit that someone in U+1 provided about a year ago. So, I am not claiming credit for this.

1) create this file

/usr/share/polkit-1/actions/com.ubuntu.gedit.policy

2) put in the file this code

Code:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
<policyconfig>
  <vendor>gedit</vendor>
  <vendor_url>gedit</vendor_url>
  <icon_name>accessories-text-editor</icon_name>
  <action id="org.freedesktop.policykit.pkexec.gedit">
   <description>Run "gedit"</description>
   <message>Authentication is required to run Text Editor</message>
   <defaults>
     <allow_any>auth_admin</allow_any>
     <allow_inactive>auth_admin</allow_inactive>
     <allow_active>auth_admin</allow_active>
   </defaults>
     <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/gedit</annotate>
     <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
   </action>  
</policyconfig>

Now we can launch Gedit with root privileges using

Code:

pkexec gedit

By following that pattern I have come up with this for nautilus

File name /usr/share/polkit-1/actions/com.ubuntu.nautilus.policy

Code:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
<policyconfig>
  <vendor>nautilus</vendor>
  <vendor_url>nautilus</vendor_url>
  <icon_name>system-file-manager</icon_name>
  <action id="org.freedesktop.policykit.pkexec.nautilus">
   <description>Run "nautilus"</description>
   <message>Authentication is required to run File Manager</message>
   <defaults>
     <allow_any>auth_admin</allow_any>
     <allow_inactive>auth_admin</allow_inactive>
     <allow_active>auth_admin</allow_active>
   </defaults>
     <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/nautilus/annotate>
     <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
   </action>  
</policyconfig>

Code:

pkexec nautilus

Make use of it if you will and add to the thread any policies that you come up with that would be useful to a Ubuntu development tester.

Regards

[Elfy]

should

<annotate key="org.freedesktop.policykit.exec.allow_gui">tru e</annotate>

be

<annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>

Just mentioning that.

Playing with one for mousepad - got an issue, will look later when I've more time

Code:

pkexec mousepad

(mousepad:4380): Mousepad-ERROR **: Cannot open display: 
Trace/breakpoint trap

Edit thunar gets the same Cannot open display error
Thanks for thinking about a thread for this

[zika]

You've made me play with pkexec (Trusty is the onla version I have at hand here where i am) and:

Code:

pkexec env DISPLAY=$DISPLAY XAUTHORITY=$XAUTHORITY gedit /etc/rc.local

works where else I get

Code:

~$ pkexec gedit /etc/rc.local
error: XDG_RUNTIME_DIR not set in the environment.
Unable to init server: Could not connect: Connection refused
(gedit:30178): Gtk-WARNING **: cannot open display:

...
Will investigate further, working line I derived from reading manual...
Update₁:
Alias:

Code:

alias pkx='pkexec env DISPLAY=$DISPLAY XAUTHORITY=$XAUTHORITY $i'

works nicely

Code:

pkx gedit /etc/rc.local

without significant changes (better to say witout any) to any system files...
This would be my contribution to: „Using pkexec“...
Update₂:

Code:

~$ pkx nautilus
(nautilus:1236): Gtk-WARNING **: Failed to register client: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.gnome.SessionManager was not provided by any .service files
Nautilus-Share-Message: Called "net usershare info" but it failed: 'net usershare' returned error 255: net usershare: cannot open usershare directory /var/lib/samba/usershares. Error No such file or directory
Please ask your system administrator to enable user sharing.

(No Samba installed on this machine with reason...)

Code:

~$ gksu nautilus

like knife through butter...

[mc4man]

@ grahammechanical -
As mentioned before it's better practice if posting something for others to copy to use a code box instead of quote so you maintain formatting
May not matter in this case, eventually will, - as ex. this is the policy I've included in nautilus's source for some time -

Code:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>

  <action id="com.ubuntu.pkexec.nautilus">
    <message gettext-domain="nautilus">Authentication is required to run nautilus as root</message>
    <icon_name>system-file-manager</icon_name>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/nautilus</annotate>
    <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
  </action>

</policyconfig>

As far as a failure "open display:", that sometimes happens on 1st use. A reboot should resolve.
The "Nautilus-Share-Message" message is from having nautilus-share installed & sharing not set up. The package can be removed if not using.

The 'The name org.gnome.SessionManager was not provided by any .service files' message is somewhat common & of no importance.

[ventrical]

I have opened this thread because gksu is depreciated and as some of us are finding out gksu sometimes gets broken for some of us. I am now thinking that it is sensible to switch to using pkexec. It is not a replacement for gksu but it can be used to give root privileges to certain applications but we need to create a policy file for those applications.

Ubuntu comes with a set of policies and we find them in /usr/share/polkit-1/actions/. We can follow the pattern used in those policies to create policies ourselves. This is a policy for Gedit that someone in U+1 provided about a year ago. So, I am not claiming credit for this.

1) create this file

/usr/share/polkit-1/actions/com.ubuntu.gedit.policy

2) put in the file this code

Now we can launch Gedit with root privileges using

No there..

Code:

ventrical@ventrical-desktop:~$ pkexec gedit
error: XDG_RUNTIME_DIR not set in the environment.

(gedit:4518): Gtk-WARNING **: cannot open display: 
ventrical@ventrical-desktop:~$

but I'll edit..and try again.

[ventrical]

@ grahammechanical -
As mentioned before it's better practice if posting something for others to copy to use a code box instead of quote so you maintain formatting
May not matter in this case, eventually will, - as ex. this is the policy I've included in nautilus's source for some time -

Code:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>

  <action id="com.ubuntu.pkexec.nautilus">
    <message gettext-domain="nautilus">Authentication is required to run nautilus as root</message>
    <icon_name>system-file-manager</icon_name>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/nautilus</annotate>
    <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
  </action>

</policyconfig>

As far as a failure "open display:", that sometimes happens on 1st use. A reboot should resolve.
The "Nautilus-Share-Message" message is from having nautilus-share installed & sharing not set up. The package can be removed if not using.

The 'The name org.gnome.SessionManager was not provided by any .service files' message is somewhat common & of no importance.

This works just as well as gksu.

@graham,

Thanks for researching this and making a thread of it.

Regards.

[zika]

Code:

ventrical@ventrical-desktop:~$ pkexec gedit
error: XDG_RUNTIME_DIR not set in the environment.

(gedit:4518): Gtk-WARNING **: cannot open display: 
ventrical@ventrical-desktop:~$

but I'll edit..and try again.

Did You try before any editing

Code:

pkexec env DISPLAY=$DISPLAY XAUTHORITY=$XAUTHORITY gedit

...?
(As I've suggested above...)

[Elfy]

Got thunar and mousepad now
Mousepad

Code:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>

  <action id="com.ubuntu.pkexec.mousepad">
    <message gettext-domain="mousepad">Authentication is required to run mousepad as root</message>
    <icon_name>Text Editor</icon_name>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/mousepad</annotate>
    <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
  </action>

</policyconfig>

Thunar

Code:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>

  <action id="com.ubuntu.pkexec.thunar">
    <message gettext-domain="thunar">Authentication is required to run thunar as root</message>
    <icon_name>system-file-manager</icon_name>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/thunar</annotate>
    <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
  </action>

</policyconfig>

[ventrical]

Did You try before any editing

Code:

pkexec env DISPLAY=$DISPLAY XAUTHORITY=$XAUTHORITY gedit

...?
(As I've suggested above...)

I didn't see that. That's perfect .. and no verbose msgs either after I closed open gedit. That's all I really need in most cases.

Code:

ventrical@ventrical-desktop:~$ pkexec env DISPLAY=$DISPLAY XAUTHORITY=$XAUTHORITY gedit
ventrical@ventrical-desktop:~$

[ventrical]

I made it executable and now all I have to do is enter ,

Code:

rootgedit

in terminal . (That is what I named the file). But you have to do this first..

Code:

ventrical@ventrical-desktop:~$ sudo chmod +x /usr/local/bin/rootgedit
##makes the text file rootgedit executable

[sudo] password for ventrical: 
ventrical@ventrical-desktop:~$ sudo updatedb
##updates the datatbase

ventrical@ventrical-desktop:~$ rootgedit
## executes  the terminal code 


ventrical@ventrical-desktop:~$

Simply , rootgedit executes,

Code:

pkexec env DISPLAY=$DISPLAY XAUTHORITY=$XAUTHORITY gedit