On Fr, 28.01.22 12:12, Florian Weimer (fweimer@xxxxxxxxxx) wrote:

> * Lennart Poettering:
>
> > I mean, polkit has some issues, but I am pretty sure that "pkexec" is
> > not what I'd consider the big problem with it. Or to say this
> > differently: the whole concept of tools like
> > su/sudo/setpriv/runuser/suid binaries is questionable: i.e. I am
> > pretty sure we'd be better off if we would systematically prohibit
> > acquiring privs through execve(), and instead focus on delegating
> > privileged operations to IPC services — but of course that would be
> > quite a departure from traditional UNIX.
>
> One issue is that it's harder to prevent other users from doing execve
> than it's denying them access to some IPC service. In this sense, SUID
> programs are more robust.

Well, that's precisely the problem that PK was supposed to address, but
then it descended down the JS rabbit hole...

Lennart

--
Lennart Poettering, Berlin