Hi folks! For anyone who hasn't seen it yet - there's quite a kerfuffle today about a major security issue in polkit: https://arstechnica.com/information-technology/2022/01/a-bug-lurking-for-12-years-gives-attackers-root-on-every-major-linux-distro/ turns out that ever since it was invented, `pkexec` has had a bug allowing for local root privilege escalation. Which is...bad. The issue and some of the comments around it prompted me to wonder - why is `pkexec` still a thing? Particularly, why is it still a thing we are shipping by default in just about every Fedora install? My best recollection is that pkexec was kinda a kludge to allow us to get rid of consolehelper: some apps weren't getting rewritten to the Right Way of doing things under policykit, they still just wanted to have the entire app run as root, and pkexec was a way to make that happen. But that was then, and this is now. Does anything in Workstation use pkexec? Does anything in KDE use it? I'm pretty sure (at least I really hope!) nothing in Server uses it. I don't think any of our documentation recommends its use for interactive execution of things as root (these days we tend to just specify `sudo` for that and assume the install has an admin user). Should we just split it out of the polkit package into a subpackage and stop shipping the subpackage on those editions/spins at least? If there's anything in other desktops still using it, it can grow a dependency on the subpackage... Am I forgetting some other reason we still need it? -- Adam Williamson Fedora QA IRC: adamw | Twitter: adamw_ha https://www.happyassassin.net _______________________________________________ desktop mailing list -- desktop@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to desktop-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/desktop@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure