Re: CVE-2021-4034: why is pkexec still a thing?

On 27.01.2022 00:21, Adam Williamson wrote:
> Hi folks!

Hi!

> For anyone who hasn't seen it yet - there's quite a kerfuffle today
> about a major security issue in polkit:
>
> https://arstechnica.com/information-technology/2022/01/a-bug-lurking-for-12-years-gives-attackers-root-on-every-major-linux-distro/
>
> turns out that ever since it was invented, `pkexec` has had a bug
> allowing for local root privilege escalation. Which is...bad.
>
> The issue and some of the comments around it prompted me to wonder -
> why is `pkexec` still a thing? Particularly, why is it still a thing we
> are shipping by default in just about every Fedora install?
>
> My best recollection is that pkexec was kinda a kludge to allow us to
> get rid of consolehelper: some apps weren't getting rewritten to the
> Right Way of doing things under policykit, they still just wanted to
> have the entire app run as root, and pkexec was a way to make that
> happen.
>
> But that was then, and this is now. Does anything in Workstation use
> pkexec? Does anything in KDE use it? I'm pretty sure (at least I really
> hope!) nothing in Server uses it. I don't think any of our

Well, a simple ag on /usr/{bin,sbin} shows the presence of pkexec in the following:
root@hal: ~ # ag -l pkexec /usr/bin/
/usr/bin/lshw-gui
/usr/bin/usbview
/usr/bin/system-config-language
/usr/bin/gparted
/usr/bin/ettercap-pkexec
/usr/bin/gsmartcontrol-root
/usr/bin/x11docker

root@hal: ~ # ag -l pkexec /usr/sbin/
/usr/sbin/tuned-gui

So, while my desktop is a simple desktop and might not be representative,
this at least shows some offending applications.

HTH,
Adrian
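
The scan in the message above, generalized as an added example (not part of the original message): it uses plain grep instead of ag, tells wrapper scripts apart from binaries, and looks up the owning package so the hits can be turned into a dependency inventory. The function name `pkexec_refs` is hypothetical, and the package lookup assumes an rpm-based system such as Fedora.

```shell
#!/bin/sh
# Added example: inventory files that reference pkexec.
# Usage: pkexec_refs [DIR...]      (defaults to /usr/bin /usr/sbin)
# Output: one line per hit, tab-separated: <kind> <package or -> <path>
#
# Caveat: this is a plain string match, so a file that only mentions
# pkexec in a comment or help text is reported too. Review each hit.

pkexec_refs() {
    [ "$#" -gt 0 ] || set -- /usr/bin /usr/sbin

    for dir in "$@"; do
        [ -d "$dir" ] || continue
        # -r recurse, -l print file names only, -a read binaries as text
        # so strings inside ELF files match, -F fixed string (no regex).
        grep -rlaF -- pkexec "$dir" 2>/dev/null || true
    done | sort -u | while IFS= read -r path; do
        # A "#!" first line marks a wrapper script; anything else is
        # reported as a binary.
        if [ "$(head -c 2 "$path" 2>/dev/null)" = "#!" ]; then
            kind=script
        else
            kind=binary
        fi

        # Owning package, when rpm is present and the file is packaged.
        pkg=-
        if command -v rpm >/dev/null 2>&1; then
            pkg=$(rpm -qf --qf '%{NAME}\n' "$path" 2>/dev/null) || pkg=-
        fi

        printf '%s\t%s\t%s\n' "$kind" "$pkg" "$path"
    done
}
```

Scripts that show up here are usually thin launchers that re-run a GUI as root, which is the pattern the thread is asking about; binaries need a closer look to see how the string is used.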
