How to know if an Authenticate box is real or fake?

For example, someone creates a fake Authenticate dialog to get my root password. How to know if it is real or fake?

Tags: password, security, authentication, policykit

edited Aug 12 '14 at 3:38 by Eliah Kagan

asked Jul 16 '14 at 8:48 by user3683331

1 Answer

So you're [probably] looking at a PolicyKit escalation prompt there. Anybody without one of those who wants to play along can just run pkexec echo (or something like that) and they'll get something similar.

How can we check it's really PolicyKit, not some custom-made phishing window?

Well, you can get information about a window with xprop and you can get command information with ps, so let's combine them! Before we steam on, because we're being super-paranoid here, I'm using full paths just in case somebody has added a local hacked copy of any of these commands. Here's me running it on my pkexec echo box:

    $ /bin/ps $(/usr/bin/xprop _NET_WM_PID | /usr/bin/awk '{print $NF}')
    PID TTY STAT TIME COMMAND
    3989 ? Sl 0:00 /usr/lib/kde4/libexec/polkit-kde-authentication-agent-1

So as far as we can tell (note that I'm a KDE user) this is a legitimate prompt. It's not running off some local script, so as long as something evil hasn't already rooted the system (but hey, why would they need our password again?), we're probably safe.

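The xprop + ps check above, written out as reusable shell functions. This is an added example, not code from the answer: it pulls the PID out of xprop's _NET_WM_PID line, resolves the executable through /proc/PID/exe instead of trusting the argv[0] that ps prints, and compares it against an allowlist of authentication agents. The allowlist holds only the KDE agent named in the answer and is an assumption you must adapt to your own desktop; xprop, ps, awk and readlink are assumed at the pinned paths shown.

```shell
#!/bin/sh
# Added example (not the original answer's code): the xprop + ps check as
# reusable functions, plus a comparison of the prompt's executable against an
# allowlist of authentication agents. Assumes X11 (xprop), procps ps, awk and
# readlink at the pinned paths below, and a Linux /proc.

# Pinned paths, for the same reason the answer gives: a hijacked $PATH must
# not be able to substitute these tools.
XPROP=/usr/bin/xprop
PS=/bin/ps
AWK=/usr/bin/awk
READLINK=/bin/readlink

# Agents allowed to own a password prompt. Only the first entry is on the
# page; extend it with the agent your desktop actually ships (an assumption
# you must check against your own installation).
KNOWN_AGENTS='/usr/lib/kde4/libexec/polkit-kde-authentication-agent-1'

# pid_from_xprop XPROP_OUTPUT
# Extract the PID from a line of the form "_NET_WM_PID(CARDINAL) = 3989".
# Returns 1 when the window carries no usable _NET_WM_PID (xprop prints
# "_NET_WM_PID:  not found." in that case).
pid_from_xprop() {
    pid=$(printf '%s\n' "$1" | "$AWK" '/^_NET_WM_PID\(CARDINAL\)/ {print $NF}')
    case $pid in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$pid"
}

# exe_of_pid PID: the executable actually mapped into the process. ps shows
# argv[0], which any program can set to look like something else; /proc/PID/exe
# is maintained by the kernel.
exe_of_pid() {
    "$READLINK" -f "/proc/$1/exe"
}

# exe_is_known_agent PATH: 0 if PATH is in KNOWN_AGENTS, else 1.
exe_is_known_agent() {
    for known in $KNOWN_AGENTS; do
        [ "$1" = "$known" ] && return 0
    done
    return 1
}

# inspect_window: interactive entry point; xprop asks you to click the prompt.
inspect_window() {
    out=$("$XPROP" _NET_WM_PID) || return 2
    pid=$(pid_from_xprop "$out") || { echo "window sets no _NET_WM_PID; treat as suspect"; return 1; }
    exe=$(exe_of_pid "$pid") || { echo "pid $pid has gone away"; return 1; }
    "$PS" -o pid,user,lstart,cmd -p "$pid"
    if exe_is_known_agent "$exe"; then
        echo "executable $exe is a known authentication agent"
        return 0
    fi
    echo "executable $exe is NOT a known authentication agent; do not enter a password"
    return 1
}

if [ "${1:-}" = "--live" ]; then
    inspect_window
fi
```

Run it as sh inspect-prompt.sh --live and click the dialog when xprop asks. Two limits worth knowing: _NET_WM_PID is a hint that the window's own client writes, so a dishonest program can set it to any number, and the allowlist only says the binary path matches, not that the binary is unmodified (that is what the tripwire-style integrity checking mentioned in the comments is for). The check raises the bar; it is not proof.
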
How can we tell what it's going to do?

In the case of gksu, kdesu and pkexec the prompts are fairly explicit about what they're going to run. In the case of the first two, the command above will tell you what they're planning on running:

    $ /bin/ps $(/usr/bin/xprop _NET_WM_PID | /usr/bin/awk '{print $NF}')
    PID TTY STAT TIME COMMAND
    10395 ? Sl 0:00 /usr/lib/kde4/libexec/kdesu -u root -c /usr/sbin/synaptic

In the case of PolicyKit, you can click that details tab and you'll see which permission it wants to execute. In KDE you'll also see the caller PID, which can be looked up (ps <PID>). Here's what it looks like in KDE:

(screenshot: KDE PolicyKit prompt)

You can hover over the action and get the PolicyKit policy it wants to execute. In Ubuntu the policy is shown by default. These policies can be looked up. The one above comes from /usr/share/polkit-1/actions/org.kubuntu.qaptworker2.policy and a service specified in /usr/share/dbus-1/system-services/org.kubuntu.qaptworker2.service. You can see what's being run and by whom. And these services can only be added by root, so again, unless you've already been rooted, you can probably trust these.

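The policy lookup in the paragraph above, made repeatable. This is an added shell example, not the answer's own code: given the action id shown in the prompt, it finds the .policy file under /usr/share/polkit-1/actions that declares it, finds the D-Bus system service whose name is a dotted prefix of the action id, and reports the service's Exec= and User= lines together with who owns each file. The directory layout is the one the answer names. The action id org.kubuntu.qaptworker2.updatecache, the Exec path and the whole sample tree written by make_sample_tree are constructed for the demonstration; the page gives only the two file names.

```shell
#!/bin/sh
# Added example (not the original answer's code): trace a PolicyKit action id
# back to the policy file that declares it and the D-Bus system service that
# implements it, so you can see what would run, and as whom, before typing a
# password. Directory layout is the one named in the answer.

POLICY_DIR=${POLICY_DIR:-/usr/share/polkit-1/actions}
SERVICE_DIR=${SERVICE_DIR:-/usr/share/dbus-1/system-services}

# find_policy_for_action DIR ACTION_ID
# Print every .policy file in DIR containing <action id="ACTION_ID">.
# Uses only shell builtins so a tampered grep in $PATH cannot lie to us.
find_policy_for_action() {
    dir=$1 action=$2 rc=1
    for f in "$dir"/*.policy; do
        [ -f "$f" ] || continue
        while IFS= read -r line; do
            case $line in
                *"id=\"$action\""*) printf '%s\n' "$f"; rc=0; break ;;
            esac
        done < "$f"
    done
    return $rc
}

# find_service_for_action DIR ACTION_ID
# Action ids are namespaced like D-Bus names: org.kubuntu.qaptworker2.updatecache
# belongs to the service org.kubuntu.qaptworker2. Strip trailing components
# until a matching .service file exists.
find_service_for_action() {
    dir=$1 prefix=$2
    while [ "$prefix" != "${prefix%.*}" ]; do
        prefix=${prefix%.*}
        if [ -f "$dir/$prefix.service" ]; then
            printf '%s\n' "$dir/$prefix.service"
            return 0
        fi
    done
    return 1
}

# service_field FILE KEY: print the value of KEY= from a D-Bus .service file.
service_field() {
    while IFS= read -r line; do
        case $line in
            "$2="*) printf '%s\n' "${line#"$2="}"; return 0 ;;
        esac
    done < "$1"
    return 1
}

# file_owner FILE: the owning user. System policy and service files should be
# owned by root; anything else was not installed by the package manager.
file_owner() {
    stat -c '%U' "$1"
}

# inspect_action ACTION_ID: the interactive entry point.
inspect_action() {
    action=$1
    policy=$(find_policy_for_action "$POLICY_DIR" "$action") || { echo "no policy declares $action"; return 1; }
    echo "policy:  $policy (owner $(file_owner "$policy"))"
    if service=$(find_service_for_action "$SERVICE_DIR" "$action"); then
        echo "service: $service (owner $(file_owner "$service"))"
        echo "runs:    $(service_field "$service" Exec) as $(service_field "$service" User)"
    else
        echo "no D-Bus system service shares this action's prefix"
    fi
}

# make_sample_tree: write a constructed policy and service into a temp dir and
# print its path, so the functions can be exercised without root or a desktop.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/actions" "$d/system-services"
    cat > "$d/actions/org.kubuntu.qaptworker2.policy" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<policyconfig>
  <!-- constructed sample; the real file's action ids may differ -->
  <action id="org.kubuntu.qaptworker2.updatecache">
    <description>Update the package cache</description>
    <defaults><allow_active>auth_admin</allow_active></defaults>
  </action>
</policyconfig>
EOF
    cat > "$d/system-services/org.kubuntu.qaptworker2.service" <<'EOF'
[D-BUS Service]
Name=org.kubuntu.qaptworker2
Exec=/usr/lib/constructed-sample/qaptworker2
User=root
EOF
    printf '%s\n' "$d"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_tree)
    POLICY_DIR=$d/actions
    SERVICE_DIR=$d/system-services
    inspect_action org.kubuntu.qaptworker2.updatecache
elif [ -n "${1:-}" ]; then
    inspect_action "$1"
fi
```

sh inspect-action.sh --demo runs against the constructed tree; sh inspect-action.sh org.some.action.id inspects the live system directories. An owner other than root on either file is the signal the answer describes: those directories are only writable by root, so a foreign owner means the file did not arrive through the package manager.
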
But don't blindly trust PolicyKit!

PolicyKit has these rules and services so that select actions can be performed as root without having to run the entire process like that. You need to be vigilant though. Obviously, if you're running gnome-calculator and an org.freedesktop.policykit.exec prompt pops up, something's dodgy.

It might be nothing, but investigate before you stick your password in. After is too late.

And even if it's all legit, who's to say you don't have a keylogger stealing all your passwords anyway? Or something overriding $PATH, or that has dumped something horrible in your ~/.bashrc that's making it look like you haven't been hacked? I'm fairly sure with enough concentration you could circumvent all the detection procedures above.

Sleep well.

• Software like tripwire can help to check the authenticity of a file, but it should be installed very early.
  – Registered User, Jul 16 '14 at 13:04

edited Jul 16 '14 at 10:12
answered Jul 16 '14 at 9:44 by Oli