timeshift-GTK no start wrong policy

I have the problem that timeshift don’t start (stable, Plasma X11).
From the terminal it works with sudo (not the right way) or with this:

I found this solution here (I don’t know how it works, but it works):

There is a permanent script solution, too. I don’t tested yet.
I had these problems since a few weeks (so maybe 2 or 3 updates on stable)
On a longtime, but actual unstable VM with a fresh install of timeshfit, too. (Plamsa X11 and wayland)
On a testing VM not.
So I am not clever enough to understand the the problem in deep. It seem not many user have this problem, but I two times. It is not a big problem, the workaround is very simple. But I want to ask for a advice for a longtime solution. Is there a “*.conf” there I can add this “DISPLAY XAUTHORITY” thing or should I wait for updates and it will disapear ?

I am guessing that you did not merge your .pacnew files, and specifically, any .pacnew files pertaining to /etc/pam.d/*.


Hm, maybe is the problem: I did this a few weeks ago the first time…
[Maybe with all the errors are possible (I think this process is for “not experts” very hard)]
I had this idea on my own, too. But I compared the most files in etc/pam.d with the files in my “working” VM and found no differences. And I have the .pacnew files not anymore …
(no other root-needed application has these problem, its only timeshift. For example Gparted is working [GTK+root])
And KsystemLog says:

|20.08.23 19:21|polkitd|Operator of unix-session:2 successfully authenticated as unix-user:zero to gain ONE-SHOT authorization for action org.freedesktop.policykit.exec for unix-process:47816:3770732 [bash /bin/timeshift-launcher] (owned by unix-user:zero)|
|20.08.23 19:21|polkit-kde-authentication-agent-1|Finish obtain authorization: true|
|20.08.23 19:21|pkexec|pam_unix(polkit-1:session): session opened for user root(uid=0) by zero(uid=1000)|
|20.08.23 19:21|pkexec|zero: Executing command [USER=root] [TTY=unknown] [CWD=/home/zero] [COMMAND=/bin/timeshift-gtk]|
|20.08.23 19:21|user@1000.service|cannot open display: |

So for my little understanding polkit and root are OK, but systemd error “cannot open display”.
But Display seems OK for me:

[zero@world ~]$ echo $DISPLAY

I have new details: polkit use the “wrong” policy.
On system timeshift-gtk starts, shows the details-button on the password-login
For systems with no start it shows:
I compared this files and I found this missing in freedesktop:

<annotate key="org.freedesktop.policykit.exec.path">/usr/bin/timeshift-gtk</annotate>
<annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>

the “in.teejeetech.pkexec.timeshift-gtk” is already there on not working systems.
Copy the working file to not working system nothing change.
So now is my question:
How or where is the decision done: Which policy ?
Not in the timeshift-launcher.

The timeshift package in Manjaro repo provides the policy


If you have systems which do not have this :man_shrugging:

I have this file. And the content looks like a on a working system.
And a copy from the s file from a working system to a problem system nothing changes…
There are many policy files in “actions”.
So how works the assignment?
I thought the launcher would do that (because there is the pkexec thing.
But I found nothing there ,

And the “timeshift-launcher” files on working/problem systems are equal…

You are not supposed to run directdly timeshift-gtk but through timeshift-launcher which sets up the environment.

 $ cat /usr/bin/timeshift-launcher
#!/usr/bin/env bash


if [ "$(id -u)" -eq 0 ]; then
        # user is admin
        # user is not admin
        if echo $- | grep "i" >/dev/null 2>&1; then
                # script is running in interactive mode
                su - -c "${app_command}"
                # script is running in non-interactive mode
                if [ "$XDG_SESSION_TYPE" = "wayland" ] ; then
                        xhost +SI:localuser:root
                        pkexec ${app_command}
                        xhost -SI:localuser:root
                elif command -v pkexec >/dev/null 2>&1; then
                        pkexec ${app_command}
                elif command -v sudo >/dev/null 2>&1; then
                        x-terminal-emulator -e "sudo ${app_command}"
                elif command -v su >/dev/null 2>&1; then
                        x-terminal-emulator -e "su - -c '${app_command}'"
                        x-terminal-emulator -e "echo 'Command must be run as root user: ${app_command}'"

Yes. I watched this file few times now…
But where is the hint for which policy?
And I think the call of “pkexec” here is doing the “thing” with the policy!

I guess the solution is in the folder
But then I am out…