pkexec won't launch polkit GUI in Lubuntu / LXDE
Solution 1
It turns out that I needed to install the policykit-1-gnome package. Once I installed this package and rebooted, Synaptic worked normally.
I installed the complete Lubuntu desktop in a VM for comparison with my minimal installation, and that's how I discovered what was missing. According to the package description:
PolicyKit-gnome provides a D-Bus session bus service that is used to bring up authentication dialogs used for obtaining privileges.
Obviously, without the described functionality, I was never going to get a GUI authentication prompt to open Synaptic.
synaptic is a dependency of the lubuntu-desktop metapackage, so it was installed by default in my minimal installation. Shouldn't policykit-1-gnome be a dependency of lubuntu-desktop as well, since Synaptic won't work without it? Do you think I should report a bug?
Solution 2
I am using an alternative solution to the accepted answer. I prefer using lxpolkit instead of policykit-1-gnome since it is designed for LXDE.
This problem with pkexec not launching the authentication screen is very common. The first thing to check is whether you have a graphical policy kit interface (either lxpolkit or policykit-1-gnome) installed and configured for LXDE because these packages are flagged to be removed during a major upgrade of lubuntu. Apparently neither are included when installing the distro.
Solution
Install
lxpolkit.
sudo apt-get install lxpolkitLogout and login.
Set
lxpolkitas default policy agent
In the menu, go toPreferences > Default applications for LXSession(or runlxsession-default-appsin a terminal). In the first section "Running applications" (Update: Default apps manager 14.10 is different. Use theCore applicationstab.), go to the option forPolkit agentand make sure lxpolkit is selected.
Instead of using the package policykit-1-gnome, lxsession will now use lxpolkit for LXDE.
Why Apps Launched With pkexec Don't Run From the LXDE Menu
It comes down to the way apps in the X11 system are launched with pkexec.
The apps that appear in the lxpanel menu are stored and configured in either /usr/share/applications (global menus items) or ~/.local/share/applications (user specific). See LXDE Wiki - Main Menu
In these directories you will find a .desktop file for each of the applications appearing in your menu. Here is an example of /usr/share/applications/synaptic.desktop:
[Desktop Entry]
Name=Synaptic Package Manager
GenericName=Package Manager
Comment=Install, remove and upgrade software packages
Exec=synaptic-pkexec
Icon=synaptic
Terminal=false
Type=Application
Categories=PackageManager;GTK;System;Settings;
NotShowIn=KDE;
X-Ubuntu-Gettext-Domain=synaptic
Notice the line Exec=synaptic-pkexec.
In the absence of a policy kit interface, the user is normally asked for a password in the command line. Since this is a menu item, this is launched in the background and there is no command line to enter the password. Hence, you need to make sure you are using lxpolkit. Or if you prefer the gnome polkit, install the package policykit-1-gnome which launches the login menu whenever pkexec is used. I have removed the package policykit-1-gnome and using lxpolkit works well for all applications.
Alternative Solutions
Use gksudo Instead of pkexec
You could right-click applications like synaptic in the menu, click Properties, and change the Command field from synaptic-pkexec to gksudo synaptic. Or via command line, copy the original file to your user's applications directory with sudo cp /usr/share/applications/synaptic.desktop ${HOME}/.local/share/applications/synaptic.desktop
Then edit the line Exec=synaptic-pkexec and replace it with Exec=gksudo synaptic
gksudo's "primary purpose is to run graphical commands that need root without the need to run an X terminal emulator and using su directly." - GKSU(1)
And for good reason! See Running Sudo Graphically.
This of course requires that every application relying on pkexec be edited to launch with gksudo which requires more work on your part if you're using lxpanel. A nice comparison of security and usability features for gksudo and PolicyKit can be found at Comparison of privilege authorization features.
Write Your Own pkexec Policy For Individual Applications
This is more than I want to do, but it may be useful in some situations. I don't recommend doing this without a strong understanding of writing PolicyKit Actions.
The actions available to you via polkit will depend on the packages you have installed. Some are used in multiple desktop environments (org.freedesktop.), some are DE-specific (org.gnome.) and some are specific to a single program (org.archlinux.pkexec.gparted.policy). The command pkaction lists all the actions defined in /usr/share/polkit-1/actions for quick reference.
Here's an example, which I have not tested, from City-busz -Using 'pkexec' command instead of 'gksu':
E.g. if you want to run gparted as root with
$ pkexec gpartedcommand, then create a new file
/usr/share/polkit-1/actions/org.freedesktop.policykit.pkexec.policywith the following content:
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN" "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd"> <policyconfig> <action id="org.freedesktop.policykit.pkexec.run-gparted"> <description>Run GParted</description> <message>Authentication is required to run GParted</message> <defaults> <allow_any>no</allow_any> <allow_inactive>no</allow_inactive> <allow_active>auth_admin_keep</allow_active> </defaults> <annotate key="org.freedesktop.policykit.exec.path">/usr/sbin/gparted</annotate> <annotate key="org.freedesktop.policykit.exec.allow_gui">TRUE</annotate> </action> </policyconfig>More actions can be added into the same file.
Hat tip to renegat at archlinux.org for compiling relevant excerpts from related LXDE and PolicyKit documentation that ultimately led me to using LXPolkit as the preferred solution.
Related videos on Youtube
02 : 49
31 : 31
04 : 14
18 : 53
03 : 44
Abdul
Updated on September 18, 2022Comments
-
Abdul over 1 year
I performed a fresh install of Lubuntu 12.04 with minimal desktop, as described here.
To clarify, I did a command-line install from the Lubuntu alternative install disc, then I did an
apt-get install --no-install-recommends lubuntu-desktop.Everything is working fine, except that Synaptic will not run from the menu entry in the panel. I am not prompted for a password, and no window of any sort appears after clicking the menu entry. I installed lxshortcut to see what the shortcut was running, and the command is
synaptic-pkexec. If I type this command into the "Run" menu, I get the same behavior (or lack thereof).I can get Synaptic to open up just fine by typing
gksudo synapticat the "Run" menu. Also, if I run "synaptic-pkexec" from the terminal, then I am prompted for my password within the terminal, and after that Synaptic opens normally.Can someone please suggest the right way to get Synaptic working? I could just change the menu entry to "gksudo synaptic", but I'm guessing that it's set to
synaptic-pkexecfor a reason. I have a vague understanding that thispkexecbusiness has something to do with PolicyKit, but I don't really know what PolicyKit is or how to tell if something is broken with it.-
Corey Whitaker almost 12 yearsThis was a bug in Ubuntu 11.10, same exact scenario... it's discussed here - ubuntuforums.org/showthread.php?t=1827093 Maybe running an update would resolve it?
-
alireza almost 12 yearsCan you start synaptic from terminal ? If you can't , enter output in here. -
Abdul almost 12 yearsThanks for the link. According to that thread, the bug was fixed in synaptic-0.75.2ubuntu6. Running "apt-cache policy synaptic" says I have 0.75.9ubuntu1 installed. "apt-get update && apt-get dist-upgrade" says I'm fully up to date.
-
atenz almost 12 yearsTry re-installing Synaptic. -
Eliah Kagan almost 12 yearsDo other programs, run manually with
pkexec, also do authentication in the command-line rather than graphcially? For example, what happens when you runpkexec lsin the Terminal? Do you get non-graphical authentication for that, too? The default behavior ofpkexecis to authenticate graphically when possible (even if running a nongraphical command likels), so if that also gives you non-graphical authentication, it seems likely this is either a local configuration problem, or a bug, inpkexec/PolicyKit. -
Abdul almost 12 yearsThe trouble does seem to be with pkexec. "pkexec ls" from the Run menu (Alt+F2) does nothing. "pkexec ls" from the terminal authenticates within the terminal and then succeeds. I also tried another GUI program from the Run menu, "pkexec pcmanfm", and this does nothing. How would I go about configuring pkexec?
-
-
Eliah Kagan almost 12 yearsExcellent work tracking down the cause of the problem! And yes, I think you should report this as a bug. My Lubuntu systems installed from the Lubuntu desktop CD don't have this problem; they probably come with
policykit-1-gnomeinstalled separately from any other packages. It's set to manually installed (and I didn't install it myself). If you report a bug, please update your answer with the bug link. -
Nishant George Agrwal over 11 yearsI'm getting this exact same problem running a minimal install of ubuntu using standalone compiz session with Unity. Thing is, I have policykit-1-gnome installed, but its still not working.
-
iyrin about 9 yearsFor whatever reason, if you're running lubuntu/lxde and openbox, this package is marked for removal during an upgrade (you do have the option to keep packages during the upgrade). Installingpolicykit-1-gnomeand logging out/in provides the GUI thatpkexecwants to launch. Question edited to better reflect the problem, because this post is somewhat difficult to find and the problem is not due tosynapticin any way.
