[Pkg-utopia-maintainers] Bug#1125141: polkitd: polkit-agent-helper-1 missing setuid bit

Niklas Cathor niklas.cathor at gmx.de
Fri Jan 9 18:15:06 GMT 2026 

On 1/9/26 6:39 PM, Simon McVittie wrote:
> In polkitd version 127 when running under systemd, it is correct for 
> this helper to *not* be setuid root, so making it setuid root is not 
> necessarily the right fix.
>
> I suspect that the problem here is:
>
> - you recently upgraded polkitd and related packages from an older 
> version
>   to v127 (please check /var/log/apt/ to find out)
> - you were already running gnome-software before the upgrade
> - therefore gnome-software had already loaded libpolkit-* from version
>   126 or older
> - and in those versions of polkitd, the helper *did* need to be setuid
>   root, and the libraries had a check for this
> - so when those libraries check the permissions on the helper, the
>   now-outdated check fails

Indeed, that sounds plausible. According to the apt logs, I updated 
polkit ~2 weeks ago, and it's not unlikely that gnome-software was still 
running since then.

  I just removed the setuid bit from the polkit-agent-helper, restarted 
the system, and now I'm no longer able to reproduce the issue.

> There is probably a way to make this transition more graceful without 
> introducing additional security risk, but I don't know what it would 
> be.  Perhaps new installations of version >= 127 should make the 
> helper not be setuid root, but upgrades from version < 127 to version 
> >= 127 should check whether it was setuid during the preinst, and if 
> yes, create a flag-file in /run telling the postinst to keep it setuid 
> until after the next reboot, at which point the old libraries have 
> definitely been unloaded and therefore the postinst can stop doing 
> that for future upgrades?
>
> But that seems like significant complexity (therefore risk of bugs), 
> and the worst-case-scenario bug here is a root privilege escalation 
> vulnerability, so maybe not that.
>
Yeah, it sounds quite complex for an issue that's probably not very 
common. I feel like gnome-shell could be handling the whole situation 
more gracefully though. Or maybe the polkit library could detect that 
there is a newer polkitd running, and produce some sort of error? (not 
sure if that makes sense -- I don't know anything about the 
compatibility guarantees between polkitd and polkit library versions).

Anyway, thanks for your feedback, feel free to close this bug :)

-niklas

More information about the Pkg-utopia-maintainers mailing list