Re: F37 Change: Make pkexec and pkla-compat optional (Self-Contained Change proposal)


On Wed, Feb 16, 2022 at 12:14 PM Ben Cotton <bcotton@xxxxxxxxxx> wrote:
> https://fedoraproject.org/wiki/Changes/polkit_recommends_pkla_pkexec
> [..]
> `pkexec` and `pkla-compat`
> ([https://src.fedoraproject.org/rpms/polkit-pkla-compat package]) are
> legacy tools that are no longer needed on a desktop and increase the
> attack surface as they are SetUID binaries (`pkexec`) or not
> maintained anymore (`pkla-compat`).

For pkexec, "no longer needed on a desktop" definitely does not reflect the situation for Fedora Workstation and GNOME. If you run:

 grep org.freedesktop.policykit.exec.path /usr/share/polkit-1/actions/*

there is considerable usage - there are config files using pkexec provided by, among others:

 gamemode, fedora-third-party, systemd, gnome-control-center, gnome-system-monitor, gnome-settings-daemon, gvfs, 

Would it be possible to rewrite all of the usage as D-Bus services? Yes - but it would be considerable work and risk of new bugs and regressions. (fedora-third-party is a recent addition by me - I considered not using pkexec and writing a service instead, but it seemed like extra work and complexity for little gain.)

If KDE or another desktop doesn't use pkexec, and there's a desire to split pkexec out in packaging and add explicit dependencies on it, I'm not opposed to that, but I don't think we should be calling pkexec legacy, and it would require considerable (upstream, not just Fedora) changes to remove the usage in Workstation.

- Owen
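
The grep in the message above shows which files mention the annotation, but not which actions or helper programs are involved. As an added example (not part of the original message or of polkit itself), this Python script parses the policy files and lists every action carrying `org.freedesktop.policykit.exec.path`, with its target program and default authorization; the sample policy, its action ids and the helper path are constructed.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

EXEC_PATH_KEY = "org.freedesktop.policykit.exec.path"
ACTIONS_DIR = Path("/usr/share/polkit-1/actions")

# Constructed sample policy (not a file shipped by any package).
SAMPLE_POLICY = """<policyconfig>
  <action id="org.example.helper.run">
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/libexec/example-helper</annotate>
  </action>
  <action id="org.example.service.query">
    <defaults><allow_active>yes</allow_active></defaults>
  </action>
</policyconfig>"""

def pkexec_actions(xml_data):
    """Return one dict per action that carries the pkexec exec.path annotation."""
    found = []
    for action in ET.fromstring(xml_data).iter("action"):
        notes = {a.get("key"): (a.text or "").strip() for a in action.findall("annotate")}
        if EXEC_PATH_KEY not in notes:
            continue  # no exec.path annotation: not a pkexec-specific action
        defaults = {d.tag: (d.text or "").strip() for d in action.findall("defaults/*")}
        found.append({"id": action.get("id"), "path": notes[EXEC_PATH_KEY],
                      "defaults": defaults})
    return found

def scan(directory=ACTIONS_DIR):
    """Map each .policy file name to its pkexec-backed actions."""
    report = {}
    for policy in sorted(Path(directory).glob("*.policy")):
        try:
            hits = pkexec_actions(policy.read_bytes())
        except (ET.ParseError, OSError):
            continue  # unreadable or malformed file: skip it
        if hits:
            report[policy.name] = hits
    return report

if __name__ == "__main__":
    for name, hits in (scan() or {"<sample>": pkexec_actions(SAMPLE_POLICY)}).items():
        for h in hits:
            print(name, h["id"], h["path"], h["defaults"].get("allow_active", "-"))
```

On a system without policy files the script falls back to the constructed sample, so it can be tried anywhere.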
