Re: CVE-2021-4034: why is pkexec still a thing?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



* Lennart Poettering:

> I mean, polkit has some issues, but I am pretty sure that "pkexec" is
> not what I'd consider the big problem with it. Or to say this
> differently: the whole concept of tools like
> su/sudo/setpriv/runuser/suid binaries is questionnable: i.e. I am
> pretty sure we'd be better off if we would systematically prohibit
> acquiring privs through execve(), and instead focus on delegating
> privileged operations to IPC services — but of course that would be
> quite a departure from traditional UNIX.

One issue is that it's harder to prevent other users from doing execve
than it's denying them access to some IPC service.  In this sense, SUID
programs are more robust.

Thanks,
Florian
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux