On Thu, Feb 17, 2022 at 2:28 PM Adam Williamson <adamw...@fedoraproject.org> wrote:
> On Wed, 2022-02-16 at 13:55 -0500, Neal Gompa wrote:
> > On Wed, Feb 16, 2022 at 12:38 PM Lennart Poettering
> > <mzerq...@0pointer.de> wrote:
> > >
> > > On Mi, 16.02.22 12:12, Ben Cotton (bcot...@redhat.com) wrote:
> > >
> > > > `pkexec` and `pkla-compat`
> > > > ([https://src.fedoraproject.org/rpms/polkit-pkla-compat package]) are
> > > > legacy tools that are no longer needed on a desktop and increase the
> > > > attack surface as they are SetUID binaries (`pkexec`) or not
> > > > maintained anymore (`pkla-compat`).
> > >
> > > I find this wording weird... I seriously doubt we should consider
> > > "pkexec" legacy. It's the much nicer approach to the "sudo" problem,
> > > as mentioned in earlier discussions...
> > >
> > > Splitting it off into a separate package might be OK, but claiming
> > > that the fact that it is a suid binary makes it "legacy" sounds really
> > > strange to me, by that means we should also mark "sudo", "su", "ping",
> > > "mount", "umount", "write", "passwd", … and so on "legacy", but I
> > > doubt we are at that point, are we?
> > >
> > > hence I am not against the feature but please tone down the wording
> > > regarding pkexec, it's misleading. Say you want to split it out to
> > > reduce the attack surface, but don't use the word "legacy" in its
> > > context.
> > >
> > > (dropping "pkla-compat" given its unmaintained state is Ok to be
> > > called "legacy" i guess)
> > >
> >
> > I think I'd go stronger and say I don't really see the value in
> > splitting out pkexec at all. I'd rather people have a default path to
> > do safer privilege escalation, and pkexec is way better than
> > sudo/doas/etc in that regard.
>
> This feels a bit unrealistic to me. In the real world, I can recall off
> the top of my head exactly zero docs, guides, articles, howtos etc.
> that use pkexec. They all use sudo. Like it or not, sudo is what people
> use. The sensible thing to do there is devote attention to making sure
> sudo is as secure as possible, or actually make some kind of big effort
> to convince people to use pkexec instead.
>
> But just shipping pkexec as well as sudo by default is IMHO not helping
> anything, all it does is add unnecessary attack surface. I bet you
> could shoulder-surf for an entire weekend at Flock and not see a single
> person type 'pkexec'.

Perhaps it actually works well that pkexec is used for "behind-the-scenes"
privilege escalation, and sudo is what people are familiar with for
interactive and sysadmin-configured use. PolKit and hence pkexec can make
decisions on things that sudo doesn't have an idea about like the idea of
"logged in at a graphical console", but they aren't really useful if you
just want to quickly run a command as root with authentication.

> I just tried this, actually, for giggles. Two reasons it's a non-starter:
> it prompts for the root password, not for my user password (my
> user is an 'admin' so far as sudo etc. are concerned, but apparently
> not an 'admin' so far as interactive pkexec is concerned). I do not
> know the root password, it is intentionally a 24-character random
> string I would have to look up. And it prompts with one of those
> goddamn 'secure' GNOME popovers which prevents you accessing your
> password manager, so every time you hit one, you have to cancel it, go
> to your password manager, copy the password it wants, then trigger it
> again.

I think you misinterpreted the prompt. Assuming your user is in the wheel
group:

  "Authentication is needed to run '<x>' as the superuser"

isn't asking for the root password, but rather your password to do
something as root.

- Owen
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure