Why is pkexec preferred over gksudo for graphical applications?

command-line

Why it doesn't work?

By default pkexec does not allow you to run graphical (X11) applications. From the man page:

 The environment that PROGRAM will run it, will be set to a minimal
 known and safe environment in order to avoid injecting code through
 LD_LIBRARY_PATH or similar mechanisms. In addition the PKEXEC_UID
 environment variable is set to the user id of the process invoking
 pkexec.
     As a result, pkexec will not allow you to run X11 applications
     as another user since the $DISPLAY and $XAUTHORITY environment
     variables are not set.
 These two variables will be retained if the
 org.freedesktop.policykit.exec.allow_gui annotation on an action is set
 to a nonempty value; this is discouraged, though, and should only be
 used for legacy programs.

As stated in the man page, you can make it work albeit I really don't know if this is somehow dangerous or recommended.

To enable gedit for example you can create /usr/share/polkit-1/actions/com.ubuntu.gedit.policy with the following content:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
<policyconfig>
  <vendor>gedit</vendor>
  <vendor_url>gedit</vendor_url>
  <icon_name>accessories-text-editor</icon_name>
  <action id="org.freedesktop.policykit.pkexec.gedit">
   <description>Run "gedit"</description>
   <message>Authentication is required to run Text Editor</message>
   <defaults>
     <allow_any>auth_admin</allow_any>
     <allow_inactive>auth_admin</allow_inactive>
     <allow_active>auth_admin</allow_active>
   </defaults>
     <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/gedit</annotate>
     <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
   </action>  
</policyconfig>

Then pkexec gedit should work as expected:

enter image description here

As you can guess, this will only make gedit work. In theory, if you added allow_gui to "org.freedesktop.policykit.exec" (the default action) this should work for all applications, but in my tests I got the same result as yours.

Why is pkexec prefered?

Here you can find a discussion about the strengths of pkexec.

Related

How do I start developing applications for Ubuntu on mobile devices?
How can I perform an offline upgrade using Ubiquity on the installation disc?
How to change system language?
How to make shortcuts on Ubuntu 17.10?
Switch to specific keyboard layout using Ctrl+Shift+Num
How can I remove / change the "Open With" list?
Login loop with fresh 19.10 install
Using a folder on an ntfs partition as /home
How to take a screenshot of a whole desktop with app menu selection?
What is the "Dirty COW" bug, and how can I secure my system against it?
Update table with SUM from another table
Simplex with smallest possible total edge length in set of points