Frequently Asked Question
What is polkit and how does it differ from sudo?
Polkit (formerly PolicyKit) is the authorisation framework that desktop Linux uses
to answer the question "may this unprivileged GUI action be performed?". When you plug in a
USB stick and the file manager mounts it, when GNOME Settings adjusts the network,
when you click "install updates" and a password dialog pops up, that dialog is a
polkit agent, mediating between an unprivileged user process and a privileged
system daemon over D-Bus. The decision is governed by rules in /etc/polkit-1/
and /usr/share/polkit-1/actions/, where each action (e.g.
org.freedesktop.udisks2.filesystem-mount) has a default policy and can be
overridden per-user or per-group.
The two systems are complementary, not redundant. sudo is for someone running a
command in a terminal who wants to elevate to root for that command; it works at
the shell level and is logged via syslog. Polkit is for GUI applications that
need a privileged service to do one specific thing on their behalf, with the
authorisation prompt rendered in the user's session. Polkit decisions are usually
finer-grained than sudo rules: a user can be allowed to suspend the laptop but
not reboot it, mount removable media but not network shares.
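
To see which defaults a system actually ships, the action declarations under /usr/share/polkit-1/actions/ can be read directly. The following is an added example, not part of the original answer or of polkit itself: it parses the .policy XML layout and lists actions whose default grants access with no prompt to clients outside an active local session. The sample document, the org.example.* action ids, the function names and the "unset" marker for an omitted element are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

SCOPES = ("allow_any", "allow_inactive", "allow_active")

# Constructed sample in the .policy layout: only the udisks2 id is from the
# text above; the org.example.* ids and all default values are made up.
SAMPLE_POLICY = """<policyconfig>
  <action id="org.freedesktop.udisks2.filesystem-mount">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.example.demo.suspend">
    <defaults>
      <allow_any>yes</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.example.demo.reboot">
    <defaults><allow_active>auth_admin_keep</allow_active></defaults>
  </action>
</policyconfig>"""


def read_defaults(policy_xml):
    """Map each action id to its declared default per session scope."""
    table = {}
    for action in ET.fromstring(policy_xml).iter("action"):
        node = action.find("defaults")
        table[action.get("id")] = {
            s: "unset" if node is None else node.findtext(s, "unset").strip()
            for s in SCOPES
        }
    return table


def needs_review(table):
    """Ids granted with no prompt to clients outside an active local session."""
    return sorted(a for a, d in table.items()
                  if "yes" in (d["allow_any"], d["allow_inactive"]))


if __name__ == "__main__":
    table = read_defaults(SAMPLE_POLICY)
    print(*table.items(), sep="\n")
    print("review:", needs_review(table))
```

On a real host, pass the text of each file in /usr/share/polkit-1/actions/ to `read_defaults`; overrides configured under /etc/polkit-1/ are not reflected in these declared defaults.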