Ubuntu – When should I use pkexec and when sudo -i


I wrote an answer advising the use of sudo -i nautilus. I know that gksu is deprecated, and I was under the impression that sudo -i is how we should run graphical applications as root without killing kittens, but someone commented 'pkexec is the new gksu'. My understanding is that pkexec is not the same as using any form of sudo:

When to use pkexec vs gksu/gksudo?

and requires setting up, especially to use with graphical applications:

How to configure pkexec?

When I do sudo -i everything always works, so why should I go to the trouble of configuring pkexec? I can see that for writing a script that launches something as root I would need to do it:

Can I use pkexec in a Python Script or .desktop file?

But otherwise, what do I gain from using pkexec? When should I use these commands? What is currently the best practice for opening graphical applications as root?

(I already read the… man pages, but I am feeling no wiser.)

Best Answer

The basic use is the same - the programs in question allow you to run other programs as another user, usually root. The difference, however, between sudo variants and pkexec is that sudo gives a program total control over everything, while with pkexec you have much more fine-grained control by defining a policy for each program.

If you trust the programs that you run, sudo is perfectly fine. If you want to really lock down everything and permit programs to do only what you allow them to, then use pkexec that comes along with polkit.

While the idea behind pkexec is nice, I wouldn't go as far as calling it the next gksu, due to the complex setup needed.

Reference: the difference between sudo and pkexec on Quora.
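
To make the "policy for each program" concrete, here is an added example (not part of the original answer and not polkit's own code): a constructed polkit action file, plus a small audit that lists which programs pkexec may start, whether they keep GUI access, and which session types get in without authenticating. The action ids and program paths are hypothetical; the two annotation keys are the ones documented in pkexec(1), and treating a missing default as "no" is an assumption of this sketch.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a file as found under /usr/share/polkit-1/actions/.
# Ids and paths are hypothetical; real files also carry an XML declaration and DOCTYPE.
SAMPLE_POLICY = """<policyconfig>
  <action id="com.example.pkexec.filemanager">
    <message>Authentication is required to run the file manager as root</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/example-filemanager</annotate>
    <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
  </action>
  <action id="com.example.pkexec.helper">
    <defaults>
      <allow_active>yes</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/libexec/example-helper</annotate>
  </action>
</policyconfig>"""

EXEC_PATH = "org.freedesktop.policykit.exec.path"
ALLOW_GUI = "org.freedesktop.policykit.exec.allow_gui"
SUBJECTS = ("allow_any", "allow_inactive", "allow_active")

def audit_policy(xml_text):
    """Return one finding per action that ties pkexec to a specific program."""
    findings = []
    for action in ET.fromstring(xml_text).iter("action"):
        notes = {a.get("key"): (a.text or "").strip() for a in action.findall("annotate")}
        if EXEC_PATH not in notes:
            continue  # action is not a pkexec program policy
        defaults = {d.tag: (d.text or "").strip() for d in action.findall("defaults/*")}
        findings.append({
            "action": action.get("id"),
            "program": notes[EXEC_PATH],
            "gui": bool(notes.get(ALLOW_GUI)),  # non-empty keeps DISPLAY/XAUTHORITY
            # Assumption: a missing default is treated as "no".
            "unauthenticated": [s for s in SUBJECTS if defaults.get(s, "no") == "yes"],
        })
    return findings

if __name__ == "__main__":
    for f in audit_policy(SAMPLE_POLICY):
        auth = "NO AUTH: " + ", ".join(f["unauthenticated"]) if f["unauthenticated"] else "auth required"
        print(f'{f["action"]}: {f["program"]} gui={f["gui"]} {auth}')
```

On a real system the same function can be fed the text of each `.policy` file in the actions directory; any action with a non-empty `unauthenticated` list lets that session type run the program as root with no password prompt.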