[Pkg-utopia-maintainers] Bug#1136196: pkexec: allow_gui annotation no longer preserves DISPLAY/XAUTHORITY

Fabio Fantoni fantonifabio at tiscali.it
Sun May 10 19:03:34 BST 2026 

Package: pkexec
Version: 127-3
Severity: important
X-Debbugs-Cc: fantonifabio at tiscali.it

The org.freedesktop.policykit.exec.allow_gui annotation does not
have the documented effect of preserving $DISPLAY and $XAUTHORITY
in the target process environment. GUI programs launched via
pkexec that rely on allow_gui (e.g. bleachbit-root) fail to start
with "cannot open display" / similar.

Reproducer (X11 session, Cinnamon):

1. /usr/share/polkit-1/actions/org.bleachbit.policy contains:
     <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/bleachbit</annotate>
     <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>

2. pkaction --action-id org.bleachbit --verbose confirms both
   annotations are registered, including allow_gui = true.

3. pkexec /usr/bin/bleachbit fails with:
     RuntimeError: GTK is required but not available:
     No DISPLAY or WAYLAND_DISPLAY environment variable set

4. Workaround that confirms env stripping is the cause:
     pkexec env DISPLAY="$DISPLAY" XAUTHORITY="$XAUTHORITY" \
       /usr/bin/bleachbit
   starts normally.

Expected, per pkexec(1):
  "These two variables [DISPLAY, XAUTHORITY] will be retained if
  the org.freedesktop.policykit.exec.allow_gui annotation on an
  action is set to a nonempty value"

I have not bisected against earlier Debian pkexec versions, so I
cannot confirm whether this is a regression or a longer-standing
issue.


-- System Information:
Debian Release: forky/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 7.0.4+deb14-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages pkexec depends on:
ii  libc6                  2.42-16
ii  libglib2.0-0t64        2.88.1-2
ii  libpam0g               1.7.0-5+b2
ii  libpolkit-agent-1-0    127-3
ii  libpolkit-gobject-1-0  127-3
ii  polkitd                127-3

pkexec recommends no packages.

pkexec suggests no packages.

Versions of packages pkexec is related to:
pn  elogind         <none>
pn  libpam-elogind  <none>
ii  libpam-systemd  260.1-1
ii  systemd         260.1-1

-- no debconf information

More information about the Pkg-utopia-maintainers mailing list