[Pkg-utopia-maintainers] Bug#1125141: polkitd: polkit-agent-helper-1 missing setuid bit
Andrew Bower
andrew at bower.uk
Sat Jan 17 21:09:27 GMT 2026
On Sat, Jan 17, 2026 at 01:12:51PM +0000, Andrew Bower wrote:
> Hi polkitd maintainers,
>
> On Fri, Jan 09, 2026 at 05:39:40PM +0000, Simon McVittie wrote:
> > On Fri, 09 Jan 2026 at 18:06:17 +0100, Niklas Cathor wrote:
> > > I was trying to install a package using gnome-software, which opened a dialog
> > > prompting for authentication.
> > >
> > > The dialog had a warning saying "Incorrect permissions on
> > > /usr/lib/polkit-1/polkit-agent-helper-1 (needs to be setuid root)".
> >
> > In polkitd version 127 when running under systemd, it is correct for this
> > helper to *not* be setuid root, so making it setuid root is not necessarily
> > the right fix.
> >
> > I suspect that the problem here is:
> >
> > - you recently upgraded polkitd and related packages from an older version
> > to v127 (please check /var/log/apt/ to find out)
> > - you were already running gnome-software before the upgrade
> > - therefore gnome-software had already loaded libpolkit-* from version
> > 126 or older
> > - and in those versions of polkitd, the helper *did* need to be setuid
> > root, and the libraries had a check for this
> > - so when those libraries check the permissions on the helper, the
> > now-outdated check fails
>
> I see this issue consistently on my desktop, after reboots. Does this
> suggest my xfce-polkit [Cc] needs changes to be compatible with this
> change?
>
> What about "running under systemd" means this helper no longer needs to
> be setuid root, so we can set about making the corresponding conditions
> prevail when not running under systemd?
I see this is all about relying on socket activation and that there is
already attempted remediation for when this is not assumed to be
available:
https://salsa.debian.org/utopia-team/polkit/-/commit/be1d882c785bf05b70d0e606710df94aa54766cc
Unfortunately 'dpkg -l systemd-sysv' is inadequate to test whether the
package installed as it returns a zero exit code for any package about
which it knows, installed or not.
I have proposed a patch to change this to 'dpkg -s systemd-sysv', which
is a stronger test.
Many thanks to Luca for already having merged this before I finished
typing the e-mail!
More information about the Pkg-utopia-maintainers
mailing list