Skip to content

nixos/polkit: modernize, make pkexec wrapper opt-in#530106

Merged
LordGrimmauld merged 17 commits into
NixOS:staging-nixosfrom
mweinelt:polkit-cleanup
Jun 12, 2026
Merged

nixos/polkit: modernize, make pkexec wrapper opt-in#530106
LordGrimmauld merged 17 commits into
NixOS:staging-nixosfrom
mweinelt:polkit-cleanup

Conversation

@mweinelt

@mweinelt mweinelt commented Jun 9, 2026
edited
Loading

Copy link
Copy Markdown
Member

The motivation here is that enabling polkit is required for run0, but at that point you don't want pkexec unless you need to.

I grepped for every service that touches security.polkit and if it's package source mentioned pkexec it got the opt in commit.

Is this a follow-up to #156858? You tell me!

cc @K900 for Plasma, because I have no idea where to grep for pkexec.
thanks @theCapypara for providing some info for GNOME already.

Tests run:

  • nixosTests.gnome
  • nixosTests.libvirtd
  • nixosTests.rtkit
  • nixosTests.startx
  • nixosTests.udisks2

Things done

@nixpkgs-ci nixpkgs-ci Bot added 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. 10.rebuild-darwin: 1-10 This PR causes between 1 and 10 packages to rebuild on Darwin. 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 6.topic: GNOME GNOME desktop environment and its underlying platform 8.has: changelog This PR adds or changes release notes 8.has: module (update) This PR changes an existing module in `nixos/` 6.topic: xfce The Xfce Desktop Environment 6.topic: cinnamon Desktop environment 6.topic: COSMIC COSMIC is a software platform for designing beautiful user experiences 8.has: documentation This PR adds or changes documentation labels Jun 9, 2026
nixpkgs-branch-check[bot]

This comment was marked as outdated.

Sign in to view

@mweinelt mweinelt changed the base branch from master to staging-nixos June 9, 2026 23:53
@nixpkgs-ci nixpkgs-ci Bot closed this Jun 9, 2026
@nixpkgs-ci nixpkgs-ci Bot reopened this Jun 9, 2026
@nixpkgs-branch-check nixpkgs-branch-check Bot dismissed their stale review June 9, 2026 23:59

Review dismissed automatically

@nixpkgs-ci nixpkgs-ci Bot added the 10.rebuild-nixos-tests This PR causes rebuilds for all NixOS tests and should normally target the staging branches. label Jun 9, 2026
@mweinelt mweinelt force-pushed the polkit-cleanup branch 2 times, most recently from 3f10524 to d9aab67 Compare June 10, 2026 01:03
@K900

K900 commented Jun 10, 2026

Copy link
Copy Markdown
Contributor

Actually sure looks like Plasma doesn't need it: https://github.com/search?q=org%3AKDE%20pkexec&type=code

(but the installer image still does, to launch Calamares)

thefossguy
thefossguy previously requested changes Jun 10, 2026
View reviewed changes

@thefossguy thefossguy left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For the COSMIC module:

-      enablePkexecWrapper = true;
+      # pkexec requires setting values of at least `XDG_RUNTIME_DIR` and `WAYLAND_DISPLAY`
+      # and these values are not sourced automatically on wayland-only sessions
+      # this can only be handled manually, AFAIK, like so:
+      # `env XDG_RUNTIME_DIR=$XDG_RUNTIME_DIR WAYLAND_DISPLAY=$WAYLAND_DISPLAY pkexec $args`
+      # xwayland is the default, and a wayland-only session is an opt-in
+      # therefore, if the user has opted out of xwayland, let the user explicitly handle this
+      enablePkexecWrapper = lib.mkDefault cfg.xwayland.enable;

mweinelt and others added 5 commits June 11, 2026 20:31
@mweinelt
nixos/tests/timekpr: hook up in all-tests, migrate to container
6ef165d
@mweinelt
nixos/security/run0: enable guard, polkit, refactor
45d4012 
The module now enables polkit, which run0 requires to faciliate
elevation. This warrants guarding the config by an opt-in enable toggle.

For the options that existed prior to the enable toggle we now assert
that users need to opt into the module for them to have an effect.
@mweinelt
nixos/gnome-remote-desktop: opt into pkexec
f252c48 
Calls pkexec in src/grd-ctl.c.
@mweinelt
nixos/installer/tools: enable run0 module
3da2687 
The run0 module now enables polkit and properly reflects the intent
behind the `enableRun0Elevation` option.
@mweinelt @r-vdp @LordGrimmauld
nixos/polkit: stop if changed
517a082 
We concluded this is fine, because we don't require elevation while
switching generations.

Co-Authored-By: r-vdp <ramses@well-founded.dev>
Co-Authored-By: Grimmauld <Grimmauld@grimmauld.de>
@LordGrimmauld

LordGrimmauld commented Jun 11, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

nixpkgs/nixos/tests/lomiri.nix

Lines 670 to 672 in a04cdfd

# Doing this here, since we need an in-session shell & separately starting a terminal again wastes time
with subtest("polkit agent works"):
machine.send_chars("pkexec touch /tmp/polkit-test\n")

So turns out lomiri expects pkexec, but it should work to just replace this by run0 (which also spawns a polkit agent window thingy)

Edit: oops, seems i was a second later than the push with that

LordGrimmauld
LordGrimmauld approved these changes Jun 11, 2026
View reviewed changes

@LordGrimmauld LordGrimmauld left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Alright. Ran the tests, the breaks i ran into all have either been fixed or were caused at some earlier time outside this PR. I agree with the approach and the motivation.

I do expect this to break some peoples system. I think this is acceptable and necessary in this case. I am happy with this PR, though i am not quite sure how trigger-happy i should be with the merge button here. First time i knowingly am approving something i expect will break quite some setups.

We got a go-ahead from cosmic, gnome, plasma afaict. Not sure who else we would need/want to wait for.

@nixpkgs-ci nixpkgs-ci Bot added 12.approvals: 2 This PR was reviewed and approved by two persons. and removed 12.approvals: 1 This PR was reviewed and approved by one person. labels Jun 11, 2026
@LordGrimmauld

LordGrimmauld commented Jun 11, 2026
edited by mweinelt
Loading

Copy link
Copy Markdown
Contributor

Some more potential users:

@nixpkgs-ci nixpkgs-ci Bot requested a review from kira-bruneau June 11, 2026 23:19
@thefossguy

thefossguy commented Jun 12, 2026

Copy link
Copy Markdown
Member

I noticed that login in COSMIC was timing out. We have NixOS VM tests that handle session login (via the first-party greeter) and autologin. If in future a similar problem is encountered, I suggest you try to build all 4 nixosTests.cosmic* tests and see the logs yourself. Faster than booting into a scratch VM. :)

On that note, did you figure out why the login was timing out?

@thefossguy thefossguy self-requested a review June 12, 2026 03:00
@thefossguy thefossguy self-requested a review June 12, 2026 03:14
@thefossguy

thefossguy commented Jun 12, 2026

Copy link
Copy Markdown
Member

nixpkgs-review result

Generated using nixpkgs-review.

Command: nixpkgs-review pr 530106 --extra-nixpkgs-config '{ allowBroken = true; allowUnfree = true; }' --additional-package nixosTests.cosmic-autologin-noxwayland --additional-package nixosTests.cosmic-noxwayland --additional-package nixosTests.cosmic --additional-package nixosTests.cosmic-autologin
Commit: 9bbf4c97b98a20880013c11086c9937a0383b778

aarch64-linux

⏩ 2 packages blacklisted:
  • nixos-install-tools
  • tests.nixos-functions.nixos-test
✅ 4 tests built:
  • nixosTests.cosmic
  • nixosTests.cosmic-autologin
  • nixosTests.cosmic-autologin-noxwayland
  • nixosTests.cosmic-noxwayland

@thefossguy

thefossguy commented Jun 12, 2026

Copy link
Copy Markdown
Member

nixpkgs-review result

Generated using nixpkgs-review.

Command: nixpkgs-review pr 530106 --extra-nixpkgs-config '{ allowBroken = true; allowUnfree = true; }' --additional-package nixosTests.cosmic-autologin-noxwayland --additional-package nixosTests.cosmic-autologin --additional-package nixosTests.cosmic --additional-package nixosTests.cosmic-noxwayland
Commit: 9bbf4c97b98a20880013c11086c9937a0383b778

x86_64-linux

⏩ 2 packages blacklisted:
  • nixos-install-tools
  • tests.nixos-functions.nixos-test
✅ 4 tests built:
  • nixosTests.cosmic
  • nixosTests.cosmic-autologin
  • nixosTests.cosmic-autologin-noxwayland
  • nixosTests.cosmic-noxwayland

@nixpkgs-ci nixpkgs-ci Bot added 12.approvals: 3+ This PR was reviewed and approved by three or more persons. and removed 12.approvals: 2 This PR was reviewed and approved by two persons. labels Jun 12, 2026
@thefossguy thefossguy mentioned this pull request Jun 12, 2026
Closed
14 tasks
thefossguy
thefossguy approved these changes Jun 12, 2026
View reviewed changes

@thefossguy thefossguy left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry about the noise. I ran the NixOS VM tests on this PR and they pass. The above review results are of this PR.

I have an open PR to refactor the tests and add a new test for polkit using pkexec. Created a new PR (#530915) with your changes on top of my changes and they pass there as well.

LordGrimmauld
LordGrimmauld approved these changes Jun 12, 2026
View reviewed changes

@LordGrimmauld LordGrimmauld left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Alright, lets do it. Some things probably will break, but considering this change is necessary and fixing the fallout is trivial, i see no good reason to delay this.

@LordGrimmauld LordGrimmauld added this pull request to the merge queue Jun 12, 2026
Merged via the queue into NixOS:staging-nixos with commit f12f59c Jun 12, 2026
30 checks passed
@mweinelt mweinelt deleted the polkit-cleanup branch June 12, 2026 23:58
@LordGrimmauld LordGrimmauld mentioned this pull request Jun 14, 2026
Merged
14 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@r-vdp r-vdp r-vdp left review comments
@jtojnar jtojnar jtojnar approved these changes
@LordGrimmauld LordGrimmauld LordGrimmauld approved these changes
@nixpkgs-branch-check nixpkgs-branch-check[bot] nixpkgs-branch-check[bot] left review comments
@Aleksanaa Aleksanaa Awaiting requested review from Aleksanaa
@bobby285271 bobby285271 Awaiting requested review from bobby285271
@ElvishJerricco ElvishJerricco Awaiting requested review from ElvishJerricco
@getchoo getchoo Awaiting requested review from getchoo
@muscaln muscaln Awaiting requested review from muscaln
@romildo romildo Awaiting requested review from romildo
@kira-bruneau kira-bruneau Awaiting requested review from kira-bruneau
+2 more reviewers
@arcayr arcayr arcayr left review comments
@thefossguy thefossguy thefossguy approved these changes
Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

6.topic: cinnamon Desktop environment 6.topic: COSMIC COSMIC is a software platform for designing beautiful user experiences 6.topic: GNOME GNOME desktop environment and its underlying platform 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 6.topic: xfce The Xfce Desktop Environment 8.has: changelog This PR adds or changes release notes 8.has: documentation This PR adds or changes documentation 8.has: module (update) This PR changes an existing module in `nixos/` 10.rebuild-darwin: 1-10 This PR causes between 1 and 10 packages to rebuild on Darwin. 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. 12.approvals: 3+ This PR was reviewed and approved by three or more persons.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

10 participants

@mweinelt @K900 @ninelore @LordGrimmauld @r-vdp @nixos-discourse @SuperSandro2000 @arcayr @thefossguy @jtojnar