Thanks.

One way to test it without rebuilding everything would be setting security.polkit.package NixOS option to an overridden package while keeping rest of the system on the old version.

Looking at the upstream diff, at minimum, we can probably remove polkit-agent-helper-1 from nixos/modules/security/polkit.nix.

One way to test it without rebuilding everything would be setting security.polkit.package NixOS option to an overridden package while keeping rest of the system on the old version.

Looking at the upstream diff, at minimum, we can probably remove polkit-agent-helper-1 from nixos/modules/security/polkit.nix.

Thanks for the tip! I'm currently running my system with security.polkit.package set to polkit from this PR.

I trialed removing the SUID wrapper, but it broke pkexec. Looking at the upstream changelog, it says that "socket-activated polkit-agent-helper can now run without SETUID (Luca Boccassi)" (emphasis mine). Not sure how to set that up, but I will try looking into that later today.

Glancing over the changes and experimenting, it seems like the socket-activation part happens automatically via systemd. Things were broken for me because of polkit-kde-authentication-agent-1 running in the background. After killing it and removing the SUID wrapper, run0 was working, but pkexec was not. I suspect it may be an issue with not rebuilding every package.

Regardless, it seems that there are several packages that depend on the wrapper. I'm unsure what should be changed if the wrapper is dropped (apologies, I am not very familiar with polkit).

pkgs/tools/networking/bitmask-vpn/default.nix
104:      --replace /usr/bin/lxpolkit /run/wrappers/bin/polkit-agent-helper-1 \

pkgs/by-name/co/cosmic-osd/package.nix
55:  env.POLKIT_AGENT_HELPER_1 = "/run/wrappers/bin/polkit-agent-helper-1";

pkgs/by-name/ne/networkmanager/package.nix
102:    "-Dpolkit_agent_helper_1=/run/wrappers/bin/polkit-agent-helper-1"

nixos/modules/security/polkit.nix
104:      polkit-agent-helper-1 = {
108:        source = "${cfg.package.out}/lib/polkit-1/polkit-agent-helper-1";

pkgs/by-name/so/soteria/package.nix
49:    export POLKIT_AGENT_HELPER_PATH="$(strings ${polkit.out}/lib/libpolkit-agent-1.so | grep "polkit-agent-helper-1")"

After some more experimentation, I can confidently say that run0 works well without the SUID wrapper with the default pkttyagent. I tried to rebuild polkit-kde-authentication-agent-1, but it depends on qtwebengine and unfortunately compiling a web engine is simply infeasible for me :(. pkexec still gives me the following error:

** (process:19011): WARNING **: 22:59:12.554: Unknown line 'polkit-agent-helper-1: error response to PolicyKit daemon: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: No session for cookie' from helper
==== AUTHENTICATION FAILED ====
Error executing command as another user: Not authorized

This incident has been reported.

I'm a bit out of my league with what is broken here. It would be great if someone with better hardware could do a proper build to test.

Update: I was able to compile hyprpolkitagent with an overridden polkit input. With it running instead of polkit-kde-authentication-agent-1, pkexec works 🎉.

Remaining issues:

1. How to handle packages that directly reference the old SUID wrapper?
2. polkit-agent-helper.socket is not autostarting (at least on my system). Not sure if this is an issue with not rebuilding everything, or a problem with the unit files.

The socket can be autostarted with

systemd.sockets."polkit-agent-helper".wantedBy = [ "sockets.target" ];

polkit-kde-agent (and other third-party agents) need to be rebuilt with polkit 127 to get them to work with a suid-less polkit-agent-helper.

The socket can be autostarted with

systemd.sockets."polkit-agent-helper".wantedBy = [ "sockets.target" ];

Thanks! That works perfectly.

polkit-kde-agent (and other third-party agents) need to be rebuilt with polkit 127 to get them to work with a suid-less polkit-agent-helper.

Thanks, I assumed so after I was able to get hyprpolkitagent working with an updated polkit override.

I'm going to go ahead and update this PR to remove the SUID wrapper. Still unsure what to do about the packages with a hard dependency on the wrapper 😕.

For those wanting to test this PR without rebuilding the universe, I'm currently using the following configuration in my flake:

  security.polkit.package = inputs.nixpkgs-473068.legacyPackages.${pkgs.stdenv.hostPlatform.system}.polkit;
  security.wrappers.polkit-agent-helper-1.enable = lib.mkForce false;
  systemd.sockets."polkit-agent-helper".wantedBy = [ "sockets.target" ];

Changed the target branch from master to staging according to the contributor guidelines (due to the large number of rebuilds).

I'm going to go ahead and update this PR to remove the SUID wrapper. Still unsure what to do about the packages with a hard dependency on the wrapper 😕.

I think the ideal solution would be to modify such packages to replace the wrapper with the agent's store path. Alternatively, we could keep the wrapper but remove its suid attribute like so:

security.wrappers.polkit-agent-helper-1.setuid = false;

Although I am not sure if this will work across all packages, or break something else.

I updated #453557, which has a suid-less pam/login test. I can try picking this PR onto the tree there to also check polkit+run0 with that, though i am currently building systemd 259 things first.

fwiw i did build a couple nixos tests which do polkit things (nixosTests.udisks2 nixosTests.rtkit nixosTests.startx nixosTests.libvirtd), none of those caused any issues

polkit authentication dialog failed to authenticate on my system after this was merged into master

I have howdy on the system

  services.howdy.enable = true;
  services.howdy.control = "sufficient";
  services.linux-enable-ir-emitter.enable = config.services.howdy.enable;
  security.pam.services.sddm.howdy.enable = false; # we need password to unlock zfs home
  security.pam.services.login.howdy.enable = false; # we need password to unlock zfs home

workaround with nixpkgs-pin.url = "github:NixOS/nixpkgs/88d3861acdd3d2f0e361767018218e51810df8a1";

  security.wrappers.polkit-agent-helper-1 = lib.mkIf config.security.polkit.enable {
    setuid = true;
    owner = "root";
    group = "root";
    source = "${config.security.polkit.package.out}/lib/polkit-1/polkit-agent-helper-1";
  };
  systemd.sockets."polkit-agent-helper".wantedBy = lib.mkIf config.security.polkit.enable (
    lib.mkForce [ ]
  );
  security.polkit.package = pkgs-pin.polkit;

Reposting from #259641:

#473068 (polkit: 126 -> 127) removed the polkit agent SUID helper. cosmic-osd's authentication agent depends on the helper and does not yet have support for the IPC service, which breaks all applications that depend on polkit (pop-os/cosmic-osd#169). The cosmic team apparently targets polkit 124, so the incompatibility is not a priority for them.

See also pop-os/cosmic-osd#170 for the same issue on Arch Linux. The Arch team's response was to add a patch to their polkit package that brings back the suid binary, though that feels like an unsatisfying solution.