Re: CVE-2021-4034: why is pkexec still a thing?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fr, 28.01.22 11:26, Adam Williamson (adamwill@xxxxxxxxxxxxxxxxx) wrote:

> On Fri, 2022-01-28 at 11:41 +0100, Lennart Poettering wrote:
> >
> > "pkexec" is a *short* program, it runs very little code with
> > privileges actually. That makes it a *ton* better than the humungous
> > code monster that "sudo" is. It has a smaller security footprint, and
> > is easier to review than "sudo". That's worth a lot actually.
>
> ...and yet despite being so easy to review it somehow had a major
> security vulnerability ever since it was written.

Yeah, but sudo is much worse, no? CVEs are a shitty metric, but afaik
the number of CVEs of sudo dwarves the CVEs of pkexec...

> Anyway, my point is not really pkexec vs. sudo for interactive use, but
> whether pkexec is actually needed by default on all of our editions for
> non-interactive use. It's not an easy question to answer since our
> packaging doesn't distinguish between something needing *polkit* and
> something needing *pkexec*. Though from what we've found in this
> thread, it seems like at least GNOME and KDE definitely do still need
> it. I'm not enough of a domain expert to know if it's realistic to
> rewrite everything in GNOME and KDE that relies on pkexec to use a
> different mechanism.

systemd's "ask-password" logic kinda pushes UI tools towards pkexec
too btw.

Lennart

--
Lennart Poettering, Berlin
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux