Elevate bugs and caveats

There are many inherent platform-specific limitations and workarounds in the elevate elevated privileges API. This article explains and documents them for the curious, future maintainers, or those who run into problems.

On Apple macOS, an Applescript command is attempted for a graphical method before sudo. Sometimes, this command appears to execute incorrectly due to the group of the user owning the calling process. On macOS, sudo suffers the drawback mentioned below for applications which do not have a TTY connected.

Linux, *BSD and other Unix-likes
On Linux, gksudo, kdesudo, and pkexec are all attempted graphical methods before sudo.
pkexec is the preferred and most secure graphical authentication method on Linux. It is undesirable for Factor applications, because unless a certain rare global registry value is set, pkexec does not set the $DISPLAY environment variable for child processes, and thus cannot launch graphical applications despite being a graphical program itself. It is tried after gksudo and kdesudo but before sudo.
gksudo and kdesudo are deprecated, but still present on most GTK- and KDE-based systems, respectively. GTK is more widespread than KDE so gksudo is tried before kdesudo. These old-fashioned methods ensure that the launched application can be graphical, so they are preferred for Factor.
sudo is the final and most robust strategy tried on Linux. It is text-based, so it requires the calling process to have an active and accessible terminal (TTY) for user authentication. If the calling Factor application was started from the desktop graphical shell rather than from a TTY, this method will fail.

On other Unix-like or POSIX-like operating systems, sudo is the only consistently popular method of authentication, and it suffers the same drawback on other Unix-likes as on Linux.

On Windows, the FFI word windows.shell32:ShellExecuteW is used with the verb runas to force the new process to run with User Account Control. Windows provides no exec equivalent to replace a running process' image, so a new process will always be spawned, optionally killing the original Factor process.