On Thu, 22 Nov 2012 21:52:30 +0000
Fons Adriaensen <fons@xxxxxxxxxxxxxx> wrote:

> > The need to constantly review the source to work out exactly what
> > polkit allows is my primary reason to disable it.
>
> What is your way to disable it once and for all ?

Well I wouldn't say once and for all. In a link from a thread about /usr
earlier this week I read of a Gentoo guy who has disabled all the kits
and probably did it more properly by building packages without polkit
support but I don't have time for that.

I still keep an eye on it but simply removed the suid permissions from a
few files and do so after polkit upgrades via the upgrade pacman wrapper
scripts I already had.

/bin/chmod -s /usr/lib/polkit-1/polkit-agent-helper
/bin/chmod -s /usr/lib/dbus-1.0/dbus-daemon-launch-helper
/bin/chmod -s /usr/bin/pkexec (I prefer sudo anyway)

I tried to keep it as undrastic as possible without affecting dbus and
so things like default power managers, but more subtle suid removal
attempts failed. I imagine network manager is broken, but it hasn't
bothered me yet, possibly never.

It may be fine to simply prevent execution or dummy polkit but I didn't
have time to investigate and worried about timeouts that dbus permission
denied may be preventing. I did consider a block all permissions rule
but figured if I don't need it then I don't want it running as root
reinforced by my experience of the main developer and his blog showing
implementing things without due consideration, peer review or
management.

My users haven't noticed so far anyway ;-)
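
An added example, not part of the original message or the poster's own wrapper script: an idempotent post-upgrade step that re-strips the setuid/setgid bits from the three files named above and fails loudly if a bit survives. The function name `strip_suid`, the variable `POLKIT_SUID_FILES` and the `--apply` argument are hypothetical; `chmod ug-s` is used as a portable spelling of the message's `chmod -s`.

```shell
#!/bin/sh
# Paths are the ones listed in the message; adjust to what your system installs.
POLKIT_SUID_FILES="/usr/lib/polkit-1/polkit-agent-helper
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/pkexec"

# strip_suid FILE...
# Clears setuid and setgid on each existing file that carries either bit.
# Prints "stripped <file>" for every file it changed (nothing if already clean)
# and returns 1 if any file still has a bit set afterwards.
strip_suid() {
    rc=0
    for f in "$@"; do
        # Package not installed or file moved by an upgrade: nothing to do.
        [ -f "$f" ] || continue
        if [ -u "$f" ] || [ -g "$f" ]; then
            # Same effect on these bits as the "chmod -s" in the message.
            chmod ug-s "$f" 2>/dev/null || true
            if [ -u "$f" ] || [ -g "$f" ]; then
                # Re-check instead of trusting chmod's exit status
                # (read-only mount, immutable attribute, not root).
                echo "FAILED to strip $f" >&2
                rc=1
            else
                echo "stripped $f"
            fi
        fi
    done
    return $rc
}

# Touch the real paths only when explicitly asked, e.g. from the wrapper
# that runs after a package upgrade: sh strip-suid.sh --apply
if [ "${1:-}" = "--apply" ]; then
    # Intentional word splitting of the newline-separated list.
    strip_suid $POLKIT_SUID_FILES
fi
```

Because a package upgrade reinstalls the files with their packaged modes, the step has to run after every upgrade; output of `stripped ...` on a given run shows which package put the bit back.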