On Wed, Feb 16, 2022 at 12:14 PM Ben Cotton <bcotton@xxxxxxxxxx> wrote:
https://fedoraproject.org/wiki/Changes/polkit_recommends_pkla_pkexec
[..]
`pkexec` and `pkla-compat`
([https://src.fedoraproject.org/rpms/polkit-pkla-compat package]) are
legacy tools that are no longer needed on a desktop and increase the
attack surface as they are SetUID binaries (`pkexec`) or not
maintained anymore (`pkla-compat`).
For pkexec, "no longer needed on a desktop" definitely does not reflect the situation for Fedora Workstation and GNOME. If you run:
grep org.freedesktop.policykit.exec.path /usr/share/polkit-1/actions/*
there is considerable usage - there are config files using pkexec provided by, among others:
gamemode, fedora-third-party, systemd, gnome-control-center, gnome-system-monitor, gnome-settings-daemon, gvfs,
Would it be possible to rewrite all of the usage as D-Bus services? Yes - but it would be considerable work and risk of new bugs and regressions. (fedora-third-party is a recent addition by me - I considered not using pkexec and writing a service instead, but it seemed like extra work and complexity for little gain.)
If KDE or another desktop doesn't use pkexec, and there's a desire to split pkexec out in packaging and add explicit dependencies on it, I'm not opposed to that, but I don't think we should be calling pkexec legacy, and it would require considerable (upstream, not just Fedora) changes to remove the usage in Workstation.
- Owen
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
