On Fri, 09 Jan 2026 at 18:06:17 +0100, Niklas Cathor wrote:
> I was trying to install a package using gnome-software, which opened a dialog
> prompting for authentication.
>
> The dialog had a warning saying "Incorrect permissions on
> /usr/lib/polkit-1/polkit-agent-helper-1 (needs to be setuid root)".

In polkitd version 127 when running under systemd, it is correct for this helper to *not* be setuid root, so making it setuid root is not necessarily the right fix.

I suspect that the problem here is:

- you recently upgraded polkitd and related packages from an older version
  to v127 (please check /var/log/apt/ to find out)
- you were already running gnome-software before the upgrade
- therefore gnome-software had already loaded libpolkit-* from version
  126 or older
- and in those versions of polkitd, the helper *did* need to be setuid
  root, and the libraries had a check for this
- so when those libraries check the permissions on the helper, the
  now-outdated check fails

There is probably a way to make this transition more graceful without introducing additional security risk, but I don't know what it would be. Perhaps new installations of version >= 127 should make the helper not be setuid root, but upgrades from version < 127 to version >= 127 should check whether it was setuid during the preinst, and if yes, create a flag-file in /run telling the postinst to keep it setuid until after the next reboot, at which point the old libraries have definitely been unloaded and therefore the postinst can stop doing that for future upgrades?

But that seems like significant complexity (therefore risk of bugs), and the worst-case-scenario bug here is a root privilege escalation vulnerability, so maybe not that.

    smcv
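
A way to check the situation suspected in the message above, as an added example that is not part of the original e-mail or of polkit: it reports whether the helper is currently setuid and lists processes that still map a libpolkit-* file that has since been replaced on disk. It assumes the package upgrade replaced the library files, so the old mappings show up as "(deleted)" in /proc/PID/maps; the function names are made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Run as root to see every process.
HELPER=/usr/lib/polkit-1/polkit-agent-helper-1   # path quoted in the report

# Print the unique libpolkit-* pathnames that a /proc/PID/maps-format file
# lists as "(deleted)", i.e. replaced on disk while still mapped.
stale_polkit_libs() {
    awk '$NF == "(deleted)" && $6 ~ "/libpolkit-[^/]*[.]so" { print $6 }' \
        "$1" 2>/dev/null | sort -u
}

# Succeed if the given file currently has the setuid bit set.
helper_is_setuid() {
    [ -u "$1" ]
}

# Walk /proc and report each process that still maps a replaced libpolkit-*.
scan_processes() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue          # unreadable or already exited
        libs=$(stale_polkit_libs "$maps")
        [ -n "$libs" ] || continue
        pid=${maps#/proc/}; pid=${pid%/maps}
        comm=$(cat "/proc/$pid/comm" 2>/dev/null) || comm='?'
        printf 'pid %s (%s) still maps: %s\n' "$pid" "$comm" "$(echo $libs)"
    done
}

if helper_is_setuid "$HELPER"; then
    echo "$HELPER is setuid"
else
    echo "$HELPER is not setuid"
fi
scan_processes
```

A process listed here was started before the library files were replaced and is still running the old code.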
