While testing run0 on a freshly installed Aurora OS, I encountered this error (which led me to systemd issue #33418):

    ➜ run0 sleep 5
    Failed to start transient service unit: Access denied

Sure enough, checking with pkcheck confirmed it:

    ➜ pkcheck \
        --action-id org.freedesktop.systemd1.manage-units \
        --process $$ \
        --allow-user-interaction
    polkit\56retains_authorization_after_challenge=1
    Not authorized.

Looking into journalctl -u polkit, I found this error:

    Error evaluating admin rules: TypeError: cannot read property 'startsWith' of undefined

Grepping through rule files pointed me to:

    ➜ sudo grep -R "startsWith" /usr/share/polkit-1/rules.d
    /usr/share/polkit-1/rules.d/22-ublue-rebase-systemd.rules: if (action.lookup("unit").startsWith("ublue-rebase@")) {

Here’s the relevant portion of /usr/share/polkit-1/rules.d/22-ublue-rebase-systemd.rules:

    polkit.addRule(function(action, subject) {
        if (subject.isInGroup("wheel")) {
            if (action.id == "org.freedesktop.systemd1.manage-units") {
                if (action.lookup("unit").startsWith("ublue-rebase@")) {
                    var verb = action.lookup("verb");
                    if (verb == "start" || verb == "stop" || verb == "restart") {
                        return polkit.Result.YES;
                    }
                }
            }
        }
    });

Because action.lookup("unit") can return null or undefined, this throws and breaks Polkit evaluation entirely, which then silently denies authorization without a prompt or fallback.

System Info
Workaround
To restore proper behavior, I added the following override to /etc/polkit-1/rules.d/10-allow-manage-units-wheel.rules:

    polkit.addRule(function(action, subject) {
        if (action.id == "org.freedesktop.systemd1.manage-units" &&
            subject.isInGroup("wheel")) {
            return polkit.Result.AUTH_ADMIN_KEEP;
        }
    });

After restarting polkit, both run0 and pkcheck now prompt for authentication properly.

Has anyone else run into this? Maybe something about my setup triggers this edge case, but if not, it might be worth guarding action.lookup("unit") in the upstream rule.
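
One way to write the guard suggested above, shown next to the rule body as quoted so the difference in outcome is visible. This is an added example, not part of the original post or the upstream ublue rule; `polkit`, `wheelUser`, `makeAction`, `guardedRule` and `evaluate` are constructed stand-ins so the rule bodies run under Node rather than inside polkitd.

```javascript
// Constructed stand-ins for what polkitd passes to a rule, so the rule bodies
// can be exercised under Node. Not polkit's real implementation.
const polkit = { Result: { YES: "yes", AUTH_ADMIN_KEEP: "auth_admin_keep" } };
const wheelUser = { isInGroup: (group) => group === "wheel" };
function makeAction(id, details) {
  // An absent detail key yields undefined, matching the TypeError in the journal.
  return { id: id, lookup: (key) => details[key] };
}

// Rule body as quoted in the post: startsWith() is called on an unchecked value.
function originalRule(action, subject) {
  if (subject.isInGroup("wheel")) {
    if (action.id == "org.freedesktop.systemd1.manage-units") {
      if (action.lookup("unit").startsWith("ublue-rebase@")) {
        var verb = action.lookup("verb");
        if (verb == "start" || verb == "stop" || verb == "restart") {
          return polkit.Result.YES;
        }
      }
    }
  }
}

// Guarded variant: a missing or non-string "unit" makes the rule return nothing,
// so it expresses no opinion instead of throwing during evaluation.
function guardedRule(action, subject) {
  if (action.id != "org.freedesktop.systemd1.manage-units") return;
  if (!subject.isInGroup("wheel")) return;
  var unit = action.lookup("unit");
  if (typeof unit !== "string" || !unit.startsWith("ublue-rebase@")) return;
  var verb = action.lookup("verb");
  if (verb == "start" || verb == "stop" || verb == "restart") {
    return polkit.Result.YES;
  }
}

// Report what a rule does for one request: a result, no opinion, or an error.
function evaluate(rule, action) {
  try {
    var result = rule(action, wheelUser);
    return result === undefined ? "no-opinion" : result;
  } catch (e) {
    return "error: " + e.name;
  }
}

// Constructed sample requests: one for a rebase unit, one carrying no "unit" detail.
const rebase = makeAction("org.freedesktop.systemd1.manage-units",
                          { unit: "ublue-rebase@example.service", verb: "start" });
const noUnit = makeAction("org.freedesktop.systemd1.manage-units", {});
```

With the guard, the request without a unit detail gets no opinion from this rule, so later rules and the action's default authorization still apply.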