diff --git a/src/session/Makefile-session.am b/src/session/Makefile-session.am
index 31c82cc0ac89..44fca44144a6 100644
--- a/src/session/Makefile-session.am
+++ b/src/session/Makefile-session.am
@@ -20,8 +20,3 @@ cockpit_session_SOURCES = \
 	src/session/session-utils.h \
 	src/session/session.c \
 	$(NULL)
-
-# set up cockpit-session to be setuid root, but only runnable by cockpit-session
-install-exec-hook::
-	chown -f root:cockpit-wsinstance $(DESTDIR)$(libexecdir)/cockpit-session || true
-	chmod -f 4750 $(DESTDIR)$(libexecdir)/cockpit-session || true
diff --git a/test/verify/check-connection b/test/verify/check-connection
index b89c256f2ff9..c38ec254e097 100755
--- a/test/verify/check-connection
+++ b/test/verify/check-connection
@@ -1007,8 +1007,7 @@ until pgrep -f '^(/usr/[^ ]+/[^ /]*python[^ /]* )?/usr/bin/cockpit-bridge'; do s
         m.spawn("socat TCP-LISTEN:9091,reuseaddr,fork TCP:localhost:9099", "socat.log")
 
         # ws with plain --no-tls should fail after login with mismatching Origin (expected http, got https)
-        m.spawn(f"runuser -u cockpit-wsinstance -- {self.ws_executable} --no-tls -p 9099",
-                "ws-notls.log")
+        m.spawn(f"{self.ws_executable} --no-tls -p 9099", "ws-notls.log")
         m.wait_for_cockpit_running(tls=True)
 
         b.open(f"https://{b.address}:{b.port}/system")
@@ -1040,8 +1039,7 @@ until pgrep -f '^(/usr/[^ ]+/[^ /]*python[^ /]* )?/usr/bin/cockpit-bridge'; do s
         self.allow_browser_errors("Error reading machine id")
 
         # ws with --for-tls-proxy accepts only https origins, thus should work
-        m.spawn(f"runuser -u cockpit-wsinstance -- {self.ws_executable} --for-tls-proxy -p 9099 -a 127.0.0.1",
-                "ws-fortlsproxy.log")
+        m.spawn(f"{self.ws_executable} --for-tls-proxy -p 9099 -a 127.0.0.1", "ws-fortlsproxy.log")
         m.wait_for_cockpit_running(tls=True)
         b.open(f"https://{b.address}:{b.port}/system")
         b.wait_visible("#login")
@@ -1395,8 +1393,7 @@ server {
 
         def run_ws(extra_opts=""):
             m.spawn(
-                f"runuser -u cockpit-wsinstance -- {self.libexecdir}/cockpit-ws "
-                f"--address=127.0.0.1 --for-tls-proxy {extra_opts}", "ws.log")
+                f"{self.libexecdir}/cockpit-ws --address=127.0.0.1 --for-tls-proxy {extra_opts}", "ws.log")
             m.wait_for_cockpit_running()
 
         def kill_ws():
diff --git a/tools/arch/PKGBUILD b/tools/arch/PKGBUILD
index 6722c7b53413..693465e01115 100644
--- a/tools/arch/PKGBUILD
+++ b/tools/arch/PKGBUILD
@@ -60,8 +60,6 @@ package_cockpit() {
   rm -rf "$pkgdir"/usr/{src,lib/firewalld}
   install -Dm644 "$srcdir"/cockpit.pam "$pkgdir"/etc/pam.d/cockpit
 
-  echo "z /usr/lib/cockpit/cockpit-session - - cockpit-wsinstance -" >> "$pkgdir"/usr/lib/tmpfiles.d/cockpit-ws.conf
-
   # remove unused plugins
   rm -rf "$pkgdir"/usr/share/cockpit/{selinux,playground,sosreport} \
          "$pkgdir"/usr/share/metainfo/org.cockpit_project.cockpit_{selinux,sosreport}.metainfo.xml
diff --git a/tools/cockpit.spec b/tools/cockpit.spec
index a47fe05ef70d..ca23a65f3b76 100644
--- a/tools/cockpit.spec
+++ b/tools/cockpit.spec
@@ -399,7 +399,7 @@ authentication via sssd/FreeIPA.
 %{_libexecdir}/cockpit-desktop
 %{_libexecdir}/cockpit-certificate-ensure
 %{_libexecdir}/cockpit-certificate-helper
-%attr(4750, root, cockpit-wsinstance) %{_libexecdir}/cockpit-session
+%{_libexecdir}/cockpit-session
 %{_datadir}/cockpit/branding
 %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
 %{_mandir}/man8/%{name}_session_selinux.8cockpit.*
diff --git a/tools/debian/cockpit-ws.postinst b/tools/debian/cockpit-ws.postinst
index f97f74d56360..9017d6829a2c 100644
--- a/tools/debian/cockpit-ws.postinst
+++ b/tools/debian/cockpit-ws.postinst
@@ -3,8 +3,11 @@ set -e
 
 #DEBHELPER#
 
-if ! dpkg-statoverride --list /usr/lib/cockpit/cockpit-session >/dev/null; then
-    dpkg-statoverride --update --add root cockpit-wsinstance 4750 /usr/lib/cockpit/cockpit-session
+# remove dpkg-statoverride on upgrade
+if dpkg-statoverride --list /usr/lib/cockpit/cockpit-session >/dev/null; then
+    dpkg-statoverride --remove /usr/lib/cockpit/cockpit-session
+    chmod 755 /usr/lib/cockpit/cockpit-session
+    chgrp root /usr/lib/cockpit/cockpit-session
 fi
 
 # restart cockpit.service on package upgrades, if it's already running
diff --git a/tools/debian/cockpit-ws.postrm b/tools/debian/cockpit-ws.postrm
index 7dec1d5d0168..8267b0d55ca1 100644
--- a/tools/debian/cockpit-ws.postrm
+++ b/tools/debian/cockpit-ws.postrm
@@ -8,6 +8,4 @@ if [ "$1" = purge ]; then
     [ -L /etc/motd.d/cockpit ] && rm /etc/motd.d/cockpit || true
     [ -L /etc/issue.d/cockpit.issue ] && rm /etc/issue.d/cockpit.issue || true
     rm -f /etc/cockpit/disallowed-users
-
-    dpkg-statoverride --remove /usr/lib/cockpit/cockpit-session
 fi