gksudo & pkexec (PolicyKit)

gksudo 和 pkexec 是二種有圖形化介面取得 root 權限執行程式的方式。gksudo 是 sudo 的 GTK+ frontent，也因此它與 sudo 是用相同的權限管理設定。

pkexec 是基於 PolicyKit，比起 sudo(gksudo)，它提供更彈性權限管理與介面客製化的設定。在 Ubuntu 12.04 上可以在以下地方找到它的設定檔：

• Actions: /usr/share/polkit-1
• Local Authorities: /etc/polkit-1
• 3rd party Authorities: /var/lib/polkit-1

Actions 是設定行為，舉例來說 gparted 的執行權限如下：

$ cat /usr/share/polkit-1/actions/com.ubuntu.pkexec.gparted.policy
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>

  <action id="com.ubuntu.pkexec.gparted">
    <message gettext-domain="gparted">Authentication is required to run the GParted Partition Editor</message>
    <icon_name>gparted</icon_name>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/sbin/gparted</annotate>
    <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
  </action>

</policyconfig>

allow_* 則可根據不同的使用情境設定授權方式，像 auth_admin 就是要求授權對象(user)需有管理權限才能執行，換句話說就是要輸入密碼。詳細不同點可參考下方引用

allow_any, allow_inactive, and allow_active. Inactive sessions are generally remote sessions (SSH, VNC, etc.) whereas active sessions are logged directly into the machine on a TTY or an X display. Allow_any is the setting encompassing both scenarios.
For each of these settings the following options are available:

• no: The user is not authorized to carry out the action. There is therefore no need for authentification.
• yes: The user is authorized to carry out the action without any authentification.
• auth_self: Authentication is required but the user need not be an administrative user.
• auth_admin: Authentication as an administrative user is require.
• auth_self_keep: The same as auth_self but, like sudo, the authorization lasts a few minutes.
• auth_admin_keep: The same as auth_admin but, like sudo, the authorization lasts a few minutes.

 annotate key 的那 2 行則是設定程式路徑及是否允許 GUI。

什麼叫做管理權限呢？在 /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf 設定了若該位使用者為 sudo 或 admin group 便能算是有管理權限

$ cat /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf
[Configuration]
AdminIdentities=unix-group:sudo;unix-group:admin

當然你也可以根據不同 action 設定不同的管理權限及反應。像是在 /var/lib/polkit-1/localauthority/10-vendor.d/com.ubuntu.desktop.pkla 裡有一段

[Disable hibernate by default]
Identity=unix-user:*
Action=org.freedesktop.upower.hibernate
ResultActive=no

裡頭設定了所有使用者(unix-user:*)都不行(ResultActive)用 org.freedesktop.upower.hibernate。

參考資料

• PolicyKit on ArchLinux Wiki, https://wiki.archlinux.org/index.php/PolicyKit 
• When to use pkexec vs. gksu/gksudo?, http://askubuntu.com/questions/78352/when-to-use-pkexec-vs-gksu-gksudo