On 1/9/26 6:39 PM, Simon McVittie wrote:
> In polkitd version 127 when running under systemd, it is correct for
> this helper to *not* be setuid root, so making it setuid root is not
> necessarily the right fix.
>
> I suspect that the problem here is:
>
> - you recently upgraded polkitd and related packages from an older
>   version to v127 (please check /var/log/apt/ to find out)
> - you were already running gnome-software before the upgrade
> - therefore gnome-software had already loaded libpolkit-* from version
>   126 or older
> - and in those versions of polkitd, the helper *did* need to be setuid
>   root, and the libraries had a check for this
> - so when those libraries check the permissions on the helper, the
>   now-outdated check fails

Indeed, that sounds plausible. According to the apt logs, I updated
polkit ~2 weeks ago, and it's not unlikely that gnome-software was still
running since then.

I just removed the setuid bit from the polkit-agent-helper, restarted
the system, and now I'm no longer able to reproduce the issue.

> There is probably a way to make this transition more graceful without
> introducing additional security risk, but I don't know what it would
> be. Perhaps new installations of version >= 127 should make the
> helper not be setuid root, but upgrades from version < 127 to version
> >= 127 should check whether it was setuid during the preinst, and if
> yes, create a flag-file in /run telling the postinst to keep it setuid
> until after the next reboot, at which point the old libraries have
> definitely been unloaded and therefore the postinst can stop doing
> that for future upgrades?
>
> But that seems like significant complexity (therefore risk of bugs),
> and the worst-case-scenario bug here is a root privilege escalation
> vulnerability, so maybe not that.

Yeah, it sounds quite complex for an issue that's probably not very
common. I feel like gnome-shell could be handling the whole situation
more gracefully though. Or maybe the polkit library could detect that
there is a newer polkitd running, and produce some sort of error? (not
sure if that makes sense -- I don't know anything about the
compatibility guarantees between polkitd and polkit library versions).

Anyway, thanks for your feedback, feel free to close this bug :)

-niklas
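
Added example (not part of the thread, and not code from polkit or Debian): the stale-library condition described above can be checked without a reboot by looking for processes whose `/proc/<pid>/maps` still reference a replaced `libpolkit-*` file, which the kernel marks with a trailing ` (deleted)`. The sample maps text and the library paths in it are constructed for illustration.

```python
import os
import re

# A maps line whose backing file is a libpolkit-* library that was unlinked
# (replaced by the package upgrade) after the process mapped it.
STALE = re.compile(r"\s(/\S*libpolkit-[^/\s]*\.so[^/\s]*) \(deleted\)$")

def stale_polkit_libs(maps_text):
    """Return the sorted, de-duplicated replaced libpolkit-* paths in maps_text."""
    found = set()
    for line in maps_text.splitlines():
        match = STALE.search(line)
        if match:
            found.add(match.group(1))
    return sorted(found)

def scan_proc(proc="/proc"):
    """Map pid -> (command name, stale libraries) for every readable process."""
    hits = {}
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc, entry, "maps")) as fh:
                libs = stale_polkit_libs(fh.read())
            with open(os.path.join(proc, entry, "comm")) as fh:
                comm = fh.read().strip()
        except OSError:
            continue  # process exited, or not readable without root
        if libs:
            hits[int(entry)] = (comm, libs)
    return hits

# Constructed sample of /proc/<pid>/maps for a process started before the upgrade.
SAMPLE_MAPS = """\
55d0c1a00000-55d0c1a2c000 r-xp 00000000 fd:01 1310001 /usr/bin/gnome-software
7f1c2a3fe000-7f1c2a400000 r--p 00000000 fd:01 1311234 /usr/lib/x86_64-linux-gnu/libpolkit-gobject-1.so.0.0.0 (deleted)
7f1c2a400000-7f1c2a41d000 r-xp 00002000 fd:01 1311234 /usr/lib/x86_64-linux-gnu/libpolkit-gobject-1.so.0.0.0 (deleted)
7f1c2a500000-7f1c2a510000 r-xp 00000000 fd:01 1311300 /usr/lib/x86_64-linux-gnu/libpolkit-agent-1.so.0.0.0
7f1c2a600000-7f1c2a700000 r-xp 00000000 fd:01 1311400 /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.8400.0 (deleted)
"""

if __name__ == "__main__":
    for pid, (comm, libs) in sorted(scan_proc().items()):
        print(f"{pid} {comm}: restart needed, still maps {', '.join(libs)}")
```

Run as root to see every user's processes; any process listed is still using the pre-upgrade library code and needs a restart.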