[GH-ISSUE #1471] firejail --noprofile allows gksu(do) but not pkexec #989

Open
opened 2026-05-05 07:16:14 -06:00 by gitea-mirror · 13 comments

Originally created by @Fred-Barclay on GitHub (Aug 16, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1471

I noticed this when trying to build a profile for a program that uses polkit for authentication control.

Running pkexec normally in terminal (not in firejail), I get the standard gui dialog.

```
$ pkexec bash
<redacted> ~ # id
uid=0(root) gid=0(root) groups=0(root)
<redacted> ~ # exit
exit
```

Switching to firejail --noprofile, there is no dialog window, and the authentication attempt in the console fails:

```
$ pkexec bash
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
Authentication is needed to run `/bin/bash' as the super user
Authenticating as: Fred Barclay,,, (fred)
Password: 
polkit-agent-helper-1: error response to PolicyKit daemon: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: No session for cookie
==== AUTHENTICATION FAILED ===
Error executing command as another user: Not authorized

This incident has been reported.
```

However, gksu still provides its standard dialog and allows privilege escalation:

```
$ gksu bash
Gkr-Message: secret service operation failed: The name org.freedesktop.secrets was not provided by any .service files
bash: cannot set terminal process group (27): Inappropriate ioctl for device
bash: no job control in this shell
<redacted> fred # 
```

(Strangely, bash seems to freeze at this point. But the privileges have definitely been elevated, as this output shows:)

```
$ gksu id
Gkr-Message: secret service operation failed: The name org.freedesktop.secrets was not provided by any .service files
uid=0(root) gid=0(root) groups=0(root)
```

This isn't ideal, IMHO. Some programs (like etcher) rely on pkexec, and we should probably support allowing privilege escalation with pkexec as well as gksu (though only super-loose sandboxes like firejail --noprofile, of course. 😄)

Cheers!

gitea-mirror added the enhancement label 2026-05-05 07:16:14 -06:00

@icasdri commented on GitHub (Aug 16, 2017):

It sounds like gksu doesn't depend on DBus whereas pkexec does. firejail --noprofile likely blocks access to the system DBus socket. A new network namespace might also do it.


@Fred-Barclay commented on GitHub (Aug 16, 2017):

> It sounds like gksu doesn't depend on DBus whereas pkexec does.

Interestingly, I get a different error when allowing dbus access:

```
$ firejail --protocol=unix --noprofile
Parent pid 4095, child pid 4096
Child process initialized in 12.97 ms
$ pkexec /bin/bash
pkexec must be setuid root
```

So it looks like it does need at least some access to dbus.


@Ferroin commented on GitHub (Aug 16, 2017):

Yes, pkexec needs DBus access. It uses PolicyKit, which is a DBus-only service that someone thought was somehow a better idea than sudo when dealing with command execution (it's great for rights delegation when dealing with DBus services, because there really isn't any other option, but it's overkill for regular command execution). On the other hand, gksu is just a graphical frontend for sudo, so it just needs access to X11 to work.


@netblue30 commented on GitHub (Aug 18, 2017):

In my case (Debian stretch), running "pkexec ls /root" in a "firejail --noprofile" crashes. I get this in syslog:

```
Aug 18 08:59:39 debian kernel: [69861.953292] pkexec[1600]: segfault at 18 ip 00007fc867f01097 sp 00007fc8635ef180 error 4 in libpolkit-agent-1.so.0.0.0[7fc867efb000+9000]
```

@chiraag-nataraj commented on GitHub (Jul 15, 2018):

lol PolicyKit is a mess and is half-broken on my end even without using firejail (although maybe it's because of hidepid in my case...). It uses a security-hole-ridden mess called DBus and is somehow supposed to be better than sudo. Ugh.


@chiraag-nataraj commented on GitHub (Aug 20, 2018):

When I run it, I get the following:

```
$ firejail --noprofile
$ pkexec ls /root
Error checking for authorization org.freedesktop.policykit.exec: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: process with PID 2 has been replaced
```

By the way, gksu and gksudo have been removed entirely (at least from Debian and Ubuntu, and probably other Debian derivatives as well), and apparently the recommended way is to use pkexec now, which currently doesn't work within firejail. I suspect it's due to the PID namespace...


@mulecat commented on GitHub (Dec 26, 2018):

Any update on this? With pkexec not working with firejail, there's no way to run applications that require it, such as GameHub.


@rusty-snake commented on GitHub (Dec 26, 2018):

> By the way, gksu and gksudo have been removed entirely (at least from Debian and Ubuntu, and probably other Debian derivatives as well)

Also on Fedora systems with F29+RPMFusion there is no gksu, gksudo, kdesudo.


@rradar commented on GitHub (May 8, 2019):

just saw that etcher is stated in this issue by @Fred-Barclay

I'm trying to stop etcher from doing calls to networks/internet but I'm not able to get it running properly with firejail (the gui doesn't load properly). Here is my etcher issue with a screenshot: https://github.com/balena-io/etcher/issues/2772


@chiraag-nataraj commented on GitHub (May 20, 2019):

Based on @rradar's comment, I presume this is still an issue with pkexec and we should figure out what to do about it.


@rusty-snake commented on GitHub (Nov 25, 2019):

8204822861fe997328c94b74a16436d64bfd6eed


@rusty-snake commented on GitHub (Apr 1, 2020):

```
$ firejail --noprofile /usr/bin/pkexec
pkexec must be setuid root
# removing force-nonewprivs yes
$ firejail --noprofile /usr/bin/pkexec
Refusing to render service to dead parents.
```
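
The sandbox conditions behind the error messages quoted in this thread can be checked directly. The script below is an added example, not part of the original issue or firejail's own code; the function names are hypothetical and the paths `/run/dbus/system_bus_socket` and `/usr/bin/pkexec` in the usage comment are assumed defaults.

```shell
#!/bin/sh
# Added example: map sandbox state to the pkexec failures seen in this thread.
# Usage inside the sandbox (paths are assumed defaults):
#   pkexec_preflight /proc/self/status /run/dbus/system_bus_socket /usr/bin/pkexec

# Print the value(s) of one field from a /proc/<pid>/status-style file.
status_field() {  # $1 = status file, $2 = field name without the colon
    awk -v k="$2:" '$1 == k { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Print one finding per line; return 0 only when nothing was found.
# $1 = status file, $2 = system bus socket path, $3 = pkexec binary path
pkexec_preflight() {
    pf_status=$1; pf_sock=$2; pf_bin=$3; pf_rc=0

    # With no_new_privs set the kernel ignores the setuid bit at exec time,
    # so pkexec starts with the caller's euid: "pkexec must be setuid root".
    if [ "$(status_field "$pf_status" NoNewPrivs)" = 1 ]; then
        echo "no_new_privs"; pf_rc=1
    fi
    # The binary itself has to carry the setuid bit.
    if [ ! -u "$pf_bin" ]; then
        echo "pkexec_not_setuid"; pf_rc=1
    fi
    # pkexec reaches polkitd over the system bus socket.
    if [ ! -S "$pf_sock" ]; then
        echo "system_bus_socket_missing"; pf_rc=1
    fi
    # More than one NSpid value means a nested PID namespace. This is only
    # visible when the status file is read from outside the sandbox's /proc,
    # e.g. on the host for the "child pid" that firejail prints.
    set -- $(status_field "$pf_status" NSpid)
    if [ "$#" -gt 1 ]; then
        echo "pid_namespace_nested"; pf_rc=1
    fi
    return "$pf_rc"
}
```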

@odkr commented on GitHub (Jul 21, 2021):

Is this still unresolved or is it just me?

```
% firejail --noprofile /usr/bin/pkexec
Parent pid 463947, child pid 463948
Child process initialized in 9.08 ms
Refusing to render service to dead parents.

Parent is shutting down, bye...
```

```
firejail --version
firejail version 0.9.58.2

Compile time support:
	- AppArmor support is enabled
	- AppImage support is enabled
	- chroot support is enabled
	- file and directory whitelisting support is enabled
	- file transfer support is enabled
	- networking support is enabled
	- overlayfs support is disabled
	- private-home support is enabled
	- seccomp-bpf support is enabled
	- user namespace support is enabled
	- X11 sandboxing support is enabled
```

I’m not a fan of polkit either, but it seems that it is here to stay and it would be useful if it could be called from within a firejail.
