questions about pkexec

David Zeuthen david at
Mon Nov 30 08:53:46 PST 2009

On Sat, 2009-11-28 at 01:32 +0300, Vladislav Zavjalov wrote:
> Is there a reason why pkexec is a suid root helper now,
> not a client-mechanism pair (as proposed for such purposes
> in the polkit manpage)?

Simply because there is not benefit of splitting this into a
daemon/client - I mean, all that pkexec does is to exec a process after
checking for authorization - it's really not a lot of code.

> Do you plan to allow pkexec to work with X11 programs,

Kinda-sorta - to be honest I'm still on the fence on this.

On one side, modern distros shouldn't ship apps needing this - I even
think Fedora's default install (except for the installer maybe) doesn't
have any left.

On the other side there's a bunch of programs that need this and asking
people to log in as root (via e.g. fast-user-switching) isn't really a
satisfying answer.

So I don't really know.

FWIW, this topic is discussed in this bug

which references
that has a lot of discussion about this - specifically to make things
appear to work you need to also allow the uid0-app to communicate with
the session bus. Tough problem.

> obtaining trusted X11 environment from the ConsoleKit
> session?

I'm not sure exactly what this means.


More information about the polkit-devel mailing list