On Wed, 2022-02-16 at 13:55 -0500, Neal Gompa wrote:
> On Wed, Feb 16, 2022 at 12:38 PM Lennart Poettering
> <mzerqung@xxxxxxxxxxx> wrote:
> >
> > On Mi, 16.02.22 12:12, Ben Cotton (bcotton@xxxxxxxxxx) wrote:
> >
> > > `pkexec` and `pkla-compat`
> > > ([https://src.fedoraproject.org/rpms/polkit-pkla-compat package]) are
> > > legacy tools that are no longer needed on a desktop and increase the
> > > attack surface as they are SetUID binaries (`pkexec`) or not
> > > maintained anymore (`pkla-compat`).
> >
> > I find this wording weird... I seriously doubt we should consider
> > "pkexec" legacy. It's the much nicer approach to the "sudo" problem,
> > as mentioned in earlier discussions...
> >
> > Splitting it off into a separate package might be OK, but claiming
> > that the fact that it is a suid binary makes it "legacy" sounds really
> > strange to me, by that means we should also mark "sudo", "su", "ping",
> > "mount", "umount", "write", "passwd", … and so on "legacy", but I
> > doubt we are at that point, are we?
> >
> > hence I am not against the feature but please tone down the wording
> > regarding pkexec, it's misleading. Say you want to split it out to
> > reduce the attack surface, but don't use the word "legacy" in its
> > context.
> >
> > (dropping "pkla-compat" given its unmaintained state is Ok to be
> > called "legacy" I guess)
> >
>
> I think I'd go stronger and say I don't really see the value in
> splitting out pkexec at all. I'd rather people have a default path to
> do safer privilege escalation, and pkexec is way better than
> sudo/doas/etc in that regard.

This feels a bit unrealistic to me. In the real world, I can recall off the top of my head exactly zero docs, guides, articles, howtos etc. that use pkexec. They all use sudo. Like it or not, sudo is what people use. The sensible thing to do there is devote attention to making sure sudo is as secure as possible, or actually make some kind of big effort to convince people to use pkexec instead.
But just shipping pkexec as well as sudo by default is IMHO not helping anything, all it does is add unnecessary attack surface. I bet you could shoulder-surf for an entire weekend at Flock and not see a single person type 'pkexec'.

I just tried this, actually, for giggles. Two reasons it's a non-starter: it prompts for the root password, not for my user password (my user is an 'admin' so far as sudo etc. are concerned, but apparently not an 'admin' so far as interactive pkexec is concerned). I do not know the root password, it is intentionally a 24-character random string I would have to look up. And it prompts with one of those goddamn 'secure' GNOME popovers which prevents you accessing your password manager, so every time you hit one, you have to cancel it, go to your password manager, copy the password it wants, then trigger it again. No way on earth I'm using that.

--
Adam Williamson
Fedora QA
IRC: adamw | Twitter: adamw_ha
https://www.happyassassin.net