Re: CVE-2021-4034: why is pkexec still a thing?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Wed, Jan 26, 2022 at 8:15 PM Adam Williamson
<adamwill@xxxxxxxxxxxxxxxxx> wrote:
>
> On Thu, 2022-01-27 at 00:57 +0000, Sérgio Basto wrote:
> > On Thu, 2022-01-27 at 07:48 +0800, Ed Greshko wrote:
> > > On 27/01/2022 07:18, Patrick O'Callaghan wrote:
> > > > On Wed, 2022-01-26 at 14:21 -0800, Adam Williamson wrote:
> > > > > But that was then, and this is now. Does anything in Workstation
> > > > > use
> > > > > pkexec? Does anything in KDE use it?
> > > > $ sudo dnf erase polkit
> > > > Error:
> > > >   Problem: The operation would result in removing the following
> > > > protected packages: plasma-desktop
> > > > (try to add '--skip-broken' to skip uninstallable packages)
> > > >
> > > > I've no idea why plasma-desktop needs pkexec.
> > >
> > > FWIW, I moved pkexe out of /usr/bin and rebooted my VM.  I found no
> > > problems with the minimal testing I've done
> > > So, I doesn't seem plasma-desktop uses pkexec in the normal course of
> > > events.
> >
> > I think you just need pkexec for admin things. like add a printer ...
>
>
> AIUI, modern admin things should not need it, because they should use
> better polkit mechanisms to gain privileges only as and when they need
> them. pkexec was (as I understand it) always a hack to allow old admin
> tools which were not updated to keep working. I'm hoping a modern KDE
> install shouldn't have any of those any more.

I wouldn't be surprised if KDE still needs it in places. The only
reason Calamares doesn't need it, for example, is because it was
patched long ago to use kdesu because pkexec doesn't expose theming
variables on Fedora like it does on other distributions.

I would prefer to switch back to pkexec, but then Calamares looks
incredibly ugly...




--
真実はいつも一つ!/ Always, there's only one truth!
_______________________________________________
kde mailing list -- kde@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to kde-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/kde@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Index of Archives]     [KDE Users]     [Fedora General Discussion]     [Older Fedora Users Mail]     [Fedora Advisory Board]     [Fedora Security]     [Fedora Maintainers]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [ATA RAID]     [Fedora Marketing]     [Fedora Mentors]     [Fedora Package Announce]     [Fedora Package Review]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Triage]     [Coolkey]     [Yum Users]     [Yosemite Forum]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]

  Powered by Linux