polkit: 126 -> 127 #473068

Merged
Aleksanaa merged 2 commits into NixOS:staging from skissue:polkit-127
Dec 30, 2025

@skissue
Contributor

@skissue skissue commented Dec 21, 2025

Fixes: #472582

https://github.com/polkit-org/polkit/blob/main/NEWS.md#polkit-127

Still fairly new to nixpkgs, so let me know if I'm doing anything incorrectly! Not sure what the best way to test this is, still working on rebuilding my system with this change (compilation is brutal).

Things done

  • Built on platform:
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • Tested, as applicable:
  • Ran nixpkgs-review on this PR. See nixpkgs-review usage.
  • Tested basic functionality of all binary files, usually in ./result/bin/.
  • Nixpkgs Release Notes
    • Package update: when the change is major or breaking.
  • NixOS Release Notes
    • Module addition: when adding a new NixOS module.
    • Module update: when the change is significant.
  • Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other READMEs.

Add a 👍 reaction to pull requests you find important.

@nixpkgs-ci nixpkgs-ci bot requested a review from jtojnar December 21, 2025 19:43
@nixpkgs-ci nixpkgs-ci bot added 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-darwin: 1-10 This PR causes between 1 and 10 packages to rebuild on Darwin. 10.rebuild-linux: 5001+ This PR causes many rebuilds on Linux and must target the staging branches. labels Dec 21, 2025
@jtojnar
Member

jtojnar commented Dec 22, 2025

Thanks.

One way to test it without rebuilding everything would be setting the security.polkit.package NixOS option to an overridden package while keeping the rest of the system on the old version.

Looking at the upstream diff, at minimum, we can probably remove polkit-agent-helper-1 from nixos/modules/security/polkit.nix.

@skissue
Contributor Author

skissue commented Dec 22, 2025

> One way to test it without rebuilding everything would be setting the security.polkit.package NixOS option to an overridden package while keeping the rest of the system on the old version.
>
> Looking at the upstream diff, at minimum, we can probably remove polkit-agent-helper-1 from nixos/modules/security/polkit.nix.

Thanks for the tip! I'm currently running my system with security.polkit.package set to polkit from this PR.

I trialed removing the SUID wrapper, but it broke pkexec. Looking at the upstream changelog, it says that "socket-activated polkit-agent-helper can now run without SETUID (Luca Boccassi)" (emphasis mine). Not sure how to set that up, but I will try looking into that later today.

@skissue
Contributor Author

skissue commented Dec 22, 2025

Glancing over the changes and experimenting, it seems like the socket-activation part happens automatically via systemd. Things were broken for me because of polkit-kde-authentication-agent-1 running in the background. After killing it and removing the SUID wrapper, run0 was working, but pkexec was not. I suspect it may be an issue with not rebuilding every package.

Regardless, it seems that there are several packages that depend on the wrapper. I'm unsure what should be changed if the wrapper is dropped (apologies, I am not very familiar with polkit).

Output of rg polkit-agent-helper-1
pkgs/tools/networking/bitmask-vpn/default.nix
104:      --replace /usr/bin/lxpolkit /run/wrappers/bin/polkit-agent-helper-1 \

pkgs/by-name/co/cosmic-osd/package.nix
55:  env.POLKIT_AGENT_HELPER_1 = "/run/wrappers/bin/polkit-agent-helper-1";

pkgs/by-name/ne/networkmanager/package.nix
102:    "-Dpolkit_agent_helper_1=/run/wrappers/bin/polkit-agent-helper-1"

nixos/modules/security/polkit.nix
104:      polkit-agent-helper-1 = {
108:        source = "${cfg.package.out}/lib/polkit-1/polkit-agent-helper-1";

pkgs/by-name/so/soteria/package.nix
49:    export POLKIT_AGENT_HELPER_PATH="$(strings ${polkit.out}/lib/libpolkit-agent-1.so | grep "polkit-agent-helper-1")"

@skissue
Contributor Author

skissue commented Dec 23, 2025

After some more experimentation, I can confidently say that run0 works well without the SUID wrapper with the default pkttyagent. I tried to rebuild polkit-kde-authentication-agent-1, but it depends on qtwebengine and unfortunately compiling a web engine is simply infeasible for me :(. pkexec still gives me the following error:

** (process:19011): WARNING **: 22:59:12.554: Unknown line 'polkit-agent-helper-1: error response to PolicyKit daemon: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: No session for cookie' from helper
==== AUTHENTICATION FAILED ====
Error executing command as another user: Not authorized

This incident has been reported.

I'm a bit out of my league with what is broken here. It would be great if someone with better hardware could do a proper build to test.

@skissue
Contributor Author

skissue commented Dec 23, 2025

Update: I was able to compile hyprpolkitagent with an overridden polkit input. With it running instead of polkit-kde-authentication-agent-1, pkexec works 🎉.

Remaining issues:

  1. How to handle packages that directly reference the old SUID wrapper?
  2. polkit-agent-helper.socket is not autostarting (at least on my system). Not sure if this is an issue with not rebuilding everything, or a problem with the unit files.

@Sporif

Sporif commented Dec 24, 2025

The socket can be autostarted with

systemd.sockets."polkit-agent-helper".wantedBy = [ "sockets.target" ];

polkit-kde-agent (and other third-party agents) need to be rebuilt with polkit 127 to get them to work with a suid-less polkit-agent-helper.

@skissue
Contributor Author

skissue commented Dec 24, 2025

> The socket can be autostarted with
>
> systemd.sockets."polkit-agent-helper".wantedBy = [ "sockets.target" ];

Thanks! That works perfectly.

> polkit-kde-agent (and other third-party agents) need to be rebuilt with polkit 127 to get them to work with a suid-less polkit-agent-helper.

Thanks, I assumed so after I was able to get hyprpolkitagent working with an updated polkit override.

I'm going to go ahead and update this PR to remove the SUID wrapper. Still unsure what to do about the packages with a hard dependency on the wrapper 😕.

@skissue
Contributor Author

skissue commented Dec 24, 2025

For those wanting to test this PR without rebuilding the universe, I'm currently using the following configuration in my flake:

  security.polkit.package = inputs.nixpkgs-473068.legacyPackages.${pkgs.stdenv.hostPlatform.system}.polkit;
  security.wrappers.polkit-agent-helper-1.enable = lib.mkForce false;
  systemd.sockets."polkit-agent-helper".wantedBy = [ "sockets.target" ];
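
A check for the state this thread is working towards (no SUID wrapper, helper socket wanted by sockets.target, no hard-coded wrapper paths left in package expressions), added here as an example and not part of the PR or of any comment. The wrapper path comes from the `rg` output above; the `sockets.target.wants` location and the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example: audit a NixOS root and a nixpkgs checkout for leftovers of
# the SUID polkit-agent-helper-1 wrapper discussed in this thread.
# Assumption: `wantedBy = [ "sockets.target" ]` shows up as an entry under
# etc/systemd/system/sockets.target.wants/ in the generated unit tree.

WRAPPER_REL="run/wrappers/bin/polkit-agent-helper-1"
SOCKET_REL="etc/systemd/system/sockets.target.wants/polkit-agent-helper.socket"

# audit_root ROOT
# Prints one status line per check. Returns 0 only when no setuid wrapper
# exists under ROOT and the helper socket is wanted by sockets.target.
audit_root() {
  local root="${1%/}" rc=0
  local wrapper="$root/$WRAPPER_REL"
  if [ -e "$wrapper" ] && [ -u "$wrapper" ]; then
    echo "FAIL setuid wrapper still present: $wrapper"
    rc=1
  elif [ -e "$wrapper" ]; then
    echo "WARN wrapper present without setuid bit: $wrapper"
  else
    echo "OK   no wrapper at $wrapper"
  fi
  if [ -e "$root/$SOCKET_REL" ] || [ -L "$root/$SOCKET_REL" ]; then
    echo "OK   polkit-agent-helper.socket is wanted by sockets.target"
  else
    echo "FAIL polkit-agent-helper.socket is not wanted by sockets.target"
    rc=1
  fi
  return "$rc"
}

# wrapper_refs TREE
# Lists file:line for every .nix file under TREE that hard-codes the wrapper
# path, i.e. packages that would break once the wrapper is removed.
wrapper_refs() {
  grep -rn --include='*.nix' -F "/$WRAPPER_REL" "$1" | cut -d: -f1,2 | sort
}
```

Source the file, then run `audit_root /` on the machine under test and `wrapper_refs` against a nixpkgs checkout.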

@nixpkgs-ci nixpkgs-ci bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` labels Dec 24, 2025
@skissue skissue changed the base branch from master to staging December 24, 2025 17:40
@nixpkgs-ci nixpkgs-ci bot closed this Dec 24, 2025
@nixpkgs-ci nixpkgs-ci bot reopened this Dec 24, 2025
Polkit v127 no longer requires a SUID `polkit-agent-helper-1` and instead
recommends using a socket-activated `polkit-agent-helper` service[1].

[1] <polkit-org/polkit#501>
@skissue
Contributor Author

skissue commented Dec 24, 2025

Changed the target branch from master to staging according to the contributor guidelines (due to the large number of rebuilds).

@Sporif

Sporif commented Dec 24, 2025

> I'm going to go ahead and update this PR to remove the SUID wrapper. Still unsure what to do about the packages with a hard dependency on the wrapper 😕.

I think the ideal solution would be to modify such packages to replace the wrapper with the agent's store path. Alternatively, we could keep the wrapper but remove its suid attribute like so:

security.wrappers.polkit-agent-helper-1.setuid = false;

Although I am not sure if this will work across all packages, or break something else.

Contributor

@LordGrimmauld LordGrimmauld left a comment

I had experimented with suid-less systems recently, and also picked the polkit patch enabling the socket activated agent helper. All that was needed was adding the socket to sockets.target, and that is being done here. This does look pretty good at a glance. I do plan on adding a suid-less nixos test testing run0, polkit and pam after I get around to adding account-utils as an option. I'll do a more detailed review later today.

@LordGrimmauld
Contributor

I updated #453557, which has a suid-less pam/login test. I can try picking this PR onto the tree there to also check polkit+run0 with that, though i am currently building systemd 259 things first.

@LordGrimmauld LordGrimmauld mentioned this pull request Dec 29, 2025
14 tasks
Contributor

@LordGrimmauld LordGrimmauld left a comment

https://git.grimmauld.de/Grimmauld/grimm-musl/commit/064dd8afcfc41c2083c0b8842b60e99bf6282fb5

#473403, #453557, #472008, #473068 on musl nixos and current staging, with a couple other fixes

Seems to work, polkit agent requests do work at least for run0. Socket is up, and it even works on musl.

@nixpkgs-ci nixpkgs-ci bot added the 12.approvals: 1 This PR was reviewed and approved by one person. label Dec 29, 2025
@nixpkgs-ci nixpkgs-ci bot added 12.approvals: 2 This PR was reviewed and approved by two persons. and removed 12.approvals: 1 This PR was reviewed and approved by one person. labels Dec 29, 2025
@Aleksanaa Aleksanaa added this pull request to the merge queue Dec 30, 2025
Merged via the queue into NixOS:staging with commit 0a35e0f Dec 30, 2025
33 of 35 checks passed
@LordGrimmauld
Contributor

fwiw i did build a couple nixos tests which do polkit things (nixosTests.udisks2 nixosTests.rtkit nixosTests.startx nixosTests.libvirtd), none of those caused any issues

@skissue skissue deleted the polkit-127 branch January 4, 2026 17:44
@Gerg-L Gerg-L mentioned this pull request Jan 11, 2026
3 tasks
@xinyangli xinyangli mentioned this pull request Jan 15, 2026
19 tasks
@mio-19
Contributor

mio-19 commented Jan 26, 2026

polkit authentication dialog failed to authenticate on my system after this was merged into master

I have howdy on the system


  services.howdy.enable = true;
  services.howdy.control = "sufficient";
  services.linux-enable-ir-emitter.enable = config.services.howdy.enable;
  security.pam.services.sddm.howdy.enable = false; # we need password to unlock zfs home
  security.pam.services.login.howdy.enable = false; # we need password to unlock zfs home

workaround with nixpkgs-pin.url = "github:NixOS/nixpkgs/88d3861acdd3d2f0e361767018218e51810df8a1";


  security.wrappers.polkit-agent-helper-1 = lib.mkIf config.security.polkit.enable {
    setuid = true;
    owner = "root";
    group = "root";
    source = "${config.security.polkit.package.out}/lib/polkit-1/polkit-agent-helper-1";
  };
  systemd.sockets."polkit-agent-helper".wantedBy = lib.mkIf config.security.polkit.enable (
    lib.mkForce [ ]
  );
  security.polkit.package = pkgs-pin.polkit;

@anna328p
Member

anna328p commented Mar 9, 2026

Reposting from #259641:

#473068 (polkit: 126 -> 127) removed the polkit agent SUID helper. cosmic-osd's authentication agent depends on the helper and does not yet have support for the IPC service, which breaks all applications that depend on polkit (pop-os/cosmic-osd#169). The cosmic team apparently targets polkit 124, so the incompatibility is not a priority for them.

See also pop-os/cosmic-osd#170 for the same issue on Arch Linux. The Arch team's response was to add a patch to their polkit package that brings back the suid binary, though that feels like an unsatisfying solution.

Development

Successfully merging this pull request may close these issues.

Update Request: polkit 126 → 127

8 participants