/usr/lib/policykit-1/polkit-agent-helper-1               -rwsr-xr-x root root
 - "When authenticating, polkitd-1 passes a cookie to the authentication agent.
   Then if the user enters the right password, the authentication agent calls
   AuthenticationAgentResponse() on the Authority with the cookie for the
   authentication request. If the caller of AuthenticationAgentResponse() is not
   uid 0, then it is ignored.  The way this works, is that the authentication
   setuid root helper, /usr/libexec/polkit-agent-helper-1, does the call. This
   program needs to be uid 0 for authentication _anyway_. And it _only_ decides to
   invoke this method if you actually successfully authenticated.  This of course
   relies on /usr/libexec/polkit-agent-helper-1 being a secure program [1]. But
   that's fairly easy to verify since this is 326 lines of code and only depends
   on PAM (which is supposed to be secure as well) up until we have decided that
   the user successfully authenticated." (jdstrand)
 - Reference: http://lists.freedesktop.org/archives/polkit-devel/2009-July/000153.html