Re: CVE-2021-4034: why is pkexec still a thing?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


On 27.01.2022 00:21, Adam Williamson wrote:
Hi folks!

For anyone who hasn't seen it yet - there's quite a kerfuffle today
about a major security issue in polkit:

turns out that ever since it was invented, `pkexec` has had a bug
allowing for local root privilege escalation. Which is...bad.

The issue and some of the comments around it prompted me to wonder -
why is `pkexec` still a thing? Particularly, why is it still a thing we
are shipping by default in just about every Fedora install?

My best recollection is that pkexec was kinda a kludge to allow us to
get rid of consolehelper: some apps weren't getting rewritten to the
Right Way of doing things under policykit, they still just wanted to
have the entire app run as root, and pkexec was a way to make that

But that was then, and this is now. Does anything in Workstation use
pkexec? Does anything in KDE use it? I'm pretty sure (at least I really
hope!) nothing in Server uses it. I don't think any of our
well, a simple ag on /usr/{bin,sbin} show presence of pkexec in the following:
root@hal: ~ # ag -l pkexec /usr/bin/

root@hal: ~ # ag -l pkexec /usr/sbin/

so, while my desktop is a simple desktop and could be not representative
at least show some offending applications..


Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

kde mailing list -- kde@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to kde-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct:
List Guidelines:
List Archives:
Do not reply to spam on the list, report it:

[Index of Archives]     [KDE Users]     [Fedora General Discussion]     [Older Fedora Users Mail]     [Fedora Advisory Board]     [Fedora Security]     [Fedora Maintainers]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [ATA RAID]     [Fedora Marketing]     [Fedora Mentors]     [Fedora Package Announce]     [Fedora Package Review]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Triage]     [Coolkey]     [Yum Users]     [Yosemite Forum]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]

  Powered by Linux