On Thu, Feb 17, 2022 at 2:28 PM Adam Williamson <adamwill@xxxxxxxxxxxxxxxxx> wrote:
On Wed, 2022-02-16 at 13:55 -0500, Neal Gompa wrote:
> On Wed, Feb 16, 2022 at 12:38 PM Lennart Poettering
> <mzerqung@xxxxxxxxxxx> wrote:
> >
> > On Mi, 16.02.22 12:12, Ben Cotton (bcotton@xxxxxxxxxx) wrote:
> >
> > > `pkexec` and `pkla-compat`
> > > ([https://src.fedoraproject.org/rpms/polkit-pkla-compat package]) are
> > > legacy tools that are no longer needed on a desktop and increase the
> > > attack surface as they are SetUID binaries (`pkexec`) or not
> > > maintained anymore (`pkla-compat`).
> >
> > I find this wording weird... I seriously doubt we should consider
> > "pkexec" legacy. It's the much nicer approach to the "sudo" problem,
> > as mentioned in earlier discussions...
> >
> > Splitting it off into a separate package might be OK, but claiming
> > that the fact that it is a suid binary makes it "legacy" sounds really
> > strange to me, by that means we should also mark "sudo", "su", "ping",
> > "mount", "umount", "write", "passwd", … and so on "legacy", but I
> > doubt we are at that point, are we?
> >
> > Hence I am not against the feature, but please tone down the wording
> > regarding pkexec; it's misleading. Say you want to split it out to
> > reduce the attack surface, but don't use the word "legacy" in its
> > context.
> >
> > (dropping "pkla-compat" given its unmaintained state is OK to be
> > called "legacy" I guess)
> >
>
> I think I'd go stronger and say I don't really see the value in
> splitting out pkexec at all. I'd rather people have a default path to
> do safer privilege escalation, and pkexec is way better than
> sudo/doas/etc in that regard.
> This feels a bit unrealistic to me. In the real world, I can recall off
> the top of my head exactly zero docs, guides, articles, howtos etc.
> that use pkexec. They all use sudo. Like it or not, sudo is what people
> use. The sensible thing to do there is devote attention to making sure
> sudo is as secure as possible, or actually make some kind of big effort
> to convince people to use pkexec instead.
>
> But just shipping pkexec as well as sudo by default is IMHO not helping
> anything, all it does is add unnecessary attack surface. I bet you
> could shoulder-surf for an entire weekend at Flock and not see a single
> person type 'pkexec'.
Perhaps it actually works well that pkexec is used for "behind-the-scenes" privilege escalation, and sudo is what people are familiar with for interactive and sysadmin-configured use. PolKit and hence pkexec can make decisions on things that sudo doesn't have an idea about like the idea of "logged in at a graphical console", but they aren't really useful if you just want to quickly run a command as root with authentication.
> I just tried this, actually, for giggles. Two reasons it's a non-
> starter: it prompts for the root password, not for my user password (my
> user is an 'admin' so far as sudo etc. are concerned, but apparently
> not an 'admin' so far as interactive pkexec is concerned). I do not
> know the root password, it is intentionally a 24-character random
> string I would have to look up. And it prompts with one of those
> goddamn 'secure' GNOME popovers which prevents you accessing your
> password manager, so every time you hit one, you have to cancel it, go
> to your password manager, copy the password it wants, then trigger it
> again.
I think you misinterpreted the prompt. Assuming your user is in the wheel group:

"Authentication is needed to run '<x>' as the superuser"

isn't asking for the root password, but rather for your password to do something as root.
- Owen
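The distinction Owen draws comes from polkit's admin-identity rules: for an action that requires administrator authentication, the agent asks for the password of whichever configured admin identity the caller matches, so a wheel member is asked for their own password. The following is an added example, not code from the thread or from polkit itself: the rule body mirrors what Fedora ships in /etc/polkit-1/rules.d/50-default.rules (assumed; check your own system), and the small evaluator around it is a simplified stand-in for polkitd's identity resolution, including an assumed fall-back to root when no rule returns identities.

```javascript
// Minimal stand-in for the "polkit" object that polkit rules files see.
// Real rules files only call polkit.addAdminRule(); the storage and the
// evaluator below are a simplified model of polkitd, not its actual code.
const polkit = {
  adminRules: [],
  addAdminRule(fn) { this.adminRules.push(fn); },
};

// Rule as shipped in Fedora's 50-default.rules (assumed): members of the
// wheel group are administrators and authenticate with their own password.
polkit.addAdminRule(function (action, subject) {
  return ["unix-group:wheel"];
});

// Constructed subject: the facts polkitd knows about the calling process.
function makeSubject(user, groups) {
  return {
    user,
    isInGroup(g) { return groups.includes(g); },
  };
}

// Resolve admin identities: the first rule that returns a list wins.
// With no matching rule, fall back to root (assumed default).
function adminIdentities(action, subject) {
  for (const rule of polkit.adminRules) {
    const ids = rule(action, subject);
    if (ids !== null && ids !== undefined) return ids;
  }
  return ["unix-user:root"];
}

// Which identity does the agent prompt for? If the caller is one of the
// admin identities, their own account; otherwise the configured admins.
function promptsFor(action, subject) {
  const ids = adminIdentities(action, subject);
  for (const id of ids) {
    const [kind, name] = id.split(":");
    if (kind === "unix-user" && name === subject.user) return [id];
    if (kind === "unix-group" && subject.isInGroup(name)) {
      return ["unix-user:" + subject.user];
    }
  }
  return ids;
}

// org.freedesktop.policykit.exec is the action id pkexec checks.
const wheelUser = makeSubject("adamw", ["adamw", "wheel"]);
console.log(promptsFor("org.freedesktop.policykit.exec", wheelUser));
```

Running it prints `[ 'unix-user:adamw' ]`: the prompt is for the caller's own password, exactly as Owen describes, while a user outside wheel would be offered the wheel identities instead.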
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure