About root: su and sudo versus admin:// and pkexec

Back to the homepage


Contents of this page:

Below, I outline some important differences between various forms of root usage, namely su, sudo, pkexec and admin://. This is based on the excellent explanation that xenopeek has given on the Linux Mint forum (essentially, my explanation is just a simplification of that).

Bottom line (for the lazy reader): always use pkexec or admin:// for graphical applications that need root authority.

Always use pkexec or admin:// for graphical applications

1. You should always use pkexec or admin:// for running graphical programs as root. Use sudo and su only for command line programs.

Otherwise you may end up with graphical applications changing the ownership of (settings) files in your home directory to root, which can cause various problems. Those problems are caused by applications that expect to be able to use certain files or folders, but unexpectedly can't because those files or folders have become root-owned.

Launching a file manager with root authority (omnipotence)

1.1. File management with root authority is always risky, because you can break so much so easily. But sometimes it's inevitable.

In such cases it's extra important to run the file manager with a protective layer, in order to prevent messing up the file permissions in your system. Because the default file manager is so much engrained in the system as a whole, that this might easily cause problems.

For managing files as root, you therefore need to use the "root feature" in the panel menu of your file manager. Or failing that, you have to launch your file manager from the terminal with the protection of pkexec.

In order to launch your file manager with root permissions from the terminal, you can proceed as follows:

a. Launch a terminal window.
(You can launch a terminal window like this: *Click*)

b. Use copy/paste to transfer the appropriate blue command line into the terminal (this varies for each Mint edition):

For Cinnamon (Nemo), it's:
pkexec nemo
Press Enter.

For MATE (Caja) it's:
pkexec caja
Press Enter.

For Xfce (Thunar) it's:
pkexec thunar
Press Enter.

Finally, for Ubuntu (Nautilus) you need to do this first. Then you can do:
pkexec nautilus
Press Enter.

Note: closing the terminal might also affect the root instance of your file manager: the terminal is always in charge! So don't close the terminal window until you're done.

Launching a text editor with root authority

1.2. For editing system configuration files, you need to launch a text editor with root permissions. That can be done by means of admin://.

An example makes it easy: suppose you want to edit the configuration of your boot loader Grub, which resides in /etc/default/grub. In order to launch your text editor with the necessary root permissions from the terminal, you can proceed as follows:

a. Launch a terminal window.
(You can launch a terminal window like this: *Click*)

b. Use copy/paste to transfer the appropriate blue command line into the terminal (this varies for Linux Mint and Ubuntu):

For Linux Mint (all editions) it's:
xed admin:///etc/default/grub
Press Enter.

For Ubuntu (Gnome) it's:
gedit admin:///etc/default/grub
Press Enter.

Note (1): the three consecutive slashes are no typo, but intended.

Note (2): the first time that you use admin:// in a session, you'll be asked to enter your password twice. That's normal.

Note (3): closing the terminal might also affect the root instance of your text editor: the terminal is always in charge! So don't close the terminal window until you're done.

The full story

2. For sudo you need to be a member of the sudo group to be able to use them. For su, pkexec and admin:// you don't need to be a member of the sudo group to be able to use it.

For pkexec and admin:// you get a graphical window to type in your password. For sudo and su you type the password in the terminal (which in Ubuntu doesn't give you any visual feedback as you type it: not even dots or asterisks will show. In Mint you see asterisks nowadays).

Here's a summary of the important differences between these commands:

a. admin:// and pkexec set $HOME safely to the home directory of root, so the application you run doesn't change the ownership of (settings) files in your home directory to root.

They also set $XAUTHORITY to a new file, so the application you launch runs safely with its own X authorization. There's no risk for the file .Xauthority in your home directory.

b. sudo is something special. In Mint 20 and Ubuntu 20.04, sudo has been improved: now it behaves the same as sudo -H. It sets $HOME safely to the home directory of root.

But it doesn't set $XAUTHORITY to a new file, so the application you launch doesn't run with its own X authorization. It should therefore still not be used for graphical applications: there's a risk that a root-owned .Xauthority file in your home directory, will lead to a login loop.

c. sudo -H sets $HOME safely to the home directory of root.

But it doesn't set $XAUTHORITY to a new file, so the application you launch doesn't run with its own X authorization. It should therefore not be used for graphical applications.

d. sudo -i sets $HOME safely to the home directory of root, and also changes to that directory.

But it doesn't set $XAUTHORITY to a new file, so the application you launch doesn't run with its own X authorization. It should therefore not be used for graphical applications: there's a risk that a root-owned .Xauthority file in your home directory, will lead to a login loop.

Furthermore, it leaves the root terminal open after you close the graphical app. This increases the risk of inadvertent or accidental further use of that root terminal.

e. su - does the same thing as sudo -i. The only difference is: you authorize su - with root's password and sudo -i with your own password.

f. su sets $HOME safely to the home directory of root.

But it doesn't set $XAUTHORITY to a new file, so the application you launch doesn't run with its own X authorization. It should therefore not be used for graphical programs: there's a risk that a root-owned .Xauthority file in your home directory, will lead to a login loop.

All environment variables (with a few exceptions) are preserved when you close the su terminal window.

(with thanks to xenopeek from the Linux Mint forum)

Determine quickly who's in the sudo group

3. You can easily and quickly determine who's a member of the sudo group, by means of this terminal command:

getent group sudo

Press Enter.

Note: don't use either pkexec, admin:// or sudo for applications that weren't meant to be run as root in the first place! See this explanation (item 2).

Repair damage caused by graphical abuse of sudo

4. Did you ever use sudo or su for a graphical application? Then check for any root-owned files or folders (there should be none) in your home directory, in the following way:

a. Launch a terminal window.
(You can launch a terminal window like this: *Click*)

b. Copy/paste the following line into the terminal window:

sudo find ~/ -user root

Press Enter. Type your password when prompted. In Ubuntu this remains entirely invisible, not even dots will show when you type it, that's normal. In Mint this has changed: you'll see asterisks when you type. Press Enter again.

Did that command report nothing at all? Then you're OK. Did it report one or more files or folders? Then repair your system by making sure that all files and folders in your personal folder belong to you again, like this:

c. Copy/paste the following line into the terminal window:

sudo chown -Rc $USER:$USER $HOME

Press Enter.

d. Reboot your computer.

Want more tips?

5. Do you want more tips and tweaks? There's a lot more of them on this website!

For example:

Speed up your Linux Mint!

Clean your Linux Mint safely

Avoid 10 fatal mistakes


To the content of this website applies a Creative Commons license.

Back to the home page

Disclaimer