Hi Adam,

Also, gvfs currently uses pkexec to start the gvfsd-admin backend...

Regards

O.

On Wed, 26 Jan 2022 at 23:39, Adam Williamson <adamwill@xxxxxxxxxxxxxxxxx> wrote:
>
> Hi folks!
>
> For anyone who hasn't seen it yet - there's quite a kerfuffle today
> about a major security issue in polkit:
>
> https://arstechnica.com/information-technology/2022/01/a-bug-lurking-for-12-years-gives-attackers-root-on-every-major-linux-distro/
>
> turns out that ever since it was invented, `pkexec` has had a bug
> allowing for local root privilege escalation. Which is...bad.
>
> The issue and some of the comments around it prompted me to wonder -
> why is `pkexec` still a thing? Particularly, why is it still a thing we
> are shipping by default in just about every Fedora install?
>
> My best recollection is that pkexec was kinda a kludge to allow us to
> get rid of consolehelper: some apps weren't getting rewritten to the
> Right Way of doing things under policykit, they still just wanted to
> have the entire app run as root, and pkexec was a way to make that
> happen.
>
> But that was then, and this is now. Does anything in Workstation use
> pkexec? Does anything in KDE use it? I'm pretty sure (at least I really
> hope!) nothing in Server uses it. I don't think any of our
> documentation recommends its use for interactive execution of things as
> root (these days we tend to just specify `sudo` for that and assume the
> install has an admin user).
>
> Should we just split it out of the polkit package into a subpackage and
> stop shipping the subpackage on those editions/spins at least? If
> there's anything in other desktops still using it, it can grow a
> dependency on the subpackage...
>
> Am I forgetting some other reason we still need it?
> --
> Adam Williamson
> Fedora QA
> IRC: adamw | Twitter: adamw_ha
> https://www.happyassassin.net
>
> _______________________________________________
> desktop mailing list -- desktop@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to desktop-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/desktop@xxxxxxxxxxxxxxxxxxxxxxx
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
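The thread turns on a practical question: which setuid helpers are actually installed on a given system or image, and is `pkexec` still among them. The script below is an added example for that inventory step; it is not code from the Fedora desktop list, the polkit project, or gvfs. It generalises a little beyond the thread by listing every setuid binary under a set of directories and flagging the names of interest, so the same scan answers "is it still shipped?" for other privileged helpers too. The directory list in `DEFAULT_DIRS` and the `FLAGGED_HELPERS` set are assumptions chosen for the demo; the sample tree that `demo()` builds is constructed and is not a real system.

```python
"""Inventory setuid binaries and flag the privileged helpers under discussion.

Added example, not code from the Fedora desktop list or the polkit project.
The directory list and the flagged helper names are assumptions for the demo.
"""
import os
import stat
import tempfile

# Directories where distro-installed privileged helpers usually live (assumed).
DEFAULT_DIRS = ("/usr/bin", "/usr/sbin", "/usr/libexec", "/usr/lib/polkit-1")

# Helpers this thread is about; a hit here is worth a second look when
# deciding whether an install image still needs to ship them.
FLAGGED_HELPERS = frozenset({"pkexec"})


def find_setuid(dirs, flagged=FLAGGED_HELPERS):
    """Walk each directory and return the regular files with the setuid bit set.

    Each result is a dict with the file name, full path, owner uid, whether
    the owner is root, and whether the name is in the flagged set. Symlinks
    are not followed, so every binary is reported once under its real path.
    Missing directories are skipped rather than raising.
    """
    results = []
    for base in dirs:
        if not os.path.isdir(base):
            continue
        for dirpath, _dirnames, filenames in os.walk(base, followlinks=False):
            for name in sorted(filenames):
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue  # entry vanished or is unreadable; skip it
                # Only regular files can be setuid-executed; skip symlinks etc.
                if not stat.S_ISREG(st.st_mode) or not (st.st_mode & stat.S_ISUID):
                    continue
                results.append({
                    "name": name,
                    "path": path,
                    "uid": st.st_uid,
                    "root_owned": st.st_uid == 0,
                    "flagged": name in flagged,
                })
    return results


def make_sample_tree(root):
    """Create a constructed sample tree: two setuid files and one ordinary file.

    The names are constructed for the demo; the files are tiny shell stubs,
    not the real binaries.
    """
    for name, mode in (("pkexec", 0o4755), ("passwd", 0o4755), ("ls", 0o755)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(path, mode)


def demo():
    """Scan the constructed tree (plus a nonexistent directory) and return findings."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_tree(tmp)
        return find_setuid([tmp, os.path.join(tmp, "missing")])


def format_report(entries):
    """Render findings as one line per setuid file, marking flagged helpers."""
    lines = []
    for e in entries:
        mark = "  <-- flagged" if e["flagged"] else ""
        owner = "root" if e["root_owned"] else f"uid {e['uid']}"
        lines.append(f"{e['path']} (owner: {owner}){mark}")
    return "\n".join(lines)


if __name__ == "__main__":
    # On a real host this lists what is actually installed in DEFAULT_DIRS.
    print(format_report(find_setuid(DEFAULT_DIRS)))
```

Run it on a candidate image or host to see whether `pkexec` (or any other helper you add to `FLAGGED_HELPERS`) is still present as a setuid binary; on the constructed tree from `demo()` it reports `passwd` and `pkexec`, with only `pkexec` flagged, and the ordinary `ls` is omitted.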