On Sat, Jan 17, 2026 at 01:12:51PM +0000, Andrew Bower wrote: > Hi polkitd maintainers, > > On Fri, Jan 09, 2026 at 05:39:40PM +0000, Simon McVittie wrote: > > On Fri, 09 Jan 2026 at 18:06:17 +0100, Niklas Cathor wrote: > > > I was trying to install a package using gnome-software, which opened a > > > dialog > > > prompting for authentication. > > > > > > The dialog had a warning saying "Incorrect permissions on > > > /usr/lib/polkit-1/polkit-agent-helper-1 (needs to be setuid root)". > > > > In polkitd version 127 when running under systemd, it is correct for this > > helper to *not* be setuid root, so making it setuid root is not necessarily > > the right fix. > > > > I suspect that the problem here is: > > > > - you recently upgraded polkitd and related packages from an older version > > to v127 (please check /var/log/apt/ to find out) > > - you were already running gnome-software before the upgrade > > - therefore gnome-software had already loaded libpolkit-* from version > > 126 or older > > - and in those versions of polkitd, the helper *did* need to be setuid > > root, and the libraries had a check for this > > - so when those libraries check the permissions on the helper, the > > now-outdated check fails > > I see this issue consistently on my desktop, after reboots. Does this > suggest my xfce-polkit [Cc] needs changes to be compatible with this > change? > > What about "running under systemd" means this helper no longer needs to > be setuid root, so we can set about making the corresponding conditions > prevail when not running under systemd?
I see this is all about relying on socket activation and that there is already attempted remediation for when this is not assumed to be available: https://salsa.debian.org/utopia-team/polkit/-/commit/be1d882c785bf05b70d0e606710df94aa54766cc Unfortunately 'dpkg -l systemd-sysv' is inadequate to test whether the package installed as it returns a zero exit code for any package about which it knows, installed or not. I have proposed a patch to change this to 'dpkg -s systemd-sysv', which is a stronger test. Many thanks to Luca for already having merged this before I finished typing the e-mail!
