On Wed, Feb 16, 2022 at 12:14 PM Ben Cotton <bcot...@redhat.com> wrote:
> https://fedoraproject.org/wiki/Changes/polkit_recommends_pkla_pkexec
> [..]
> `pkexec` and `pkla-compat`
> ([https://src.fedoraproject.org/rpms/polkit-pkla-compat package]) are
> legacy tools that are no longer needed on a desktop and increase the
> attack surface as they are SetUID binaries (`pkexec`) or not
> maintained anymore (`pkla-compat`).

For pkexec, "no longer needed on a desktop" definitely does not reflect the situation for Fedora Workstation and GNOME. If you run:

    grep org.freedesktop.policykit.exec.path /usr/share/polkit-1/actions/*

there is considerable usage - there are config files using pkexec provided by, among others:

gamemode, fedora-third-party, systemd, gnome-control-center, gnome-system-monitor, gnome-settings-daemon, gvfs,

Would it be possible to rewrite all of the usage as D-Bus services? Yes - but it would be considerable work and risk of new bugs and regressions. (fedora-third-party is a recent addition by me - I considered not using pkexec and writing a service instead, but it seemed like extra work and complexity for little gain.)

If KDE or another desktop doesn't use pkexec, and there's a desire to split pkexec out in packaging and add explicit dependencies on it, I'm not opposed to that, but I don't think we should be calling pkexec legacy, and it would require considerable (upstream, not just Fedora) changes to remove the usage in Workstation.

- Owen
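An added example, not part of the original email: a Python version of the grep above that parses each polkit policy file and reports which actions carry the `org.freedesktop.policykit.exec.path` annotation, which helper they run, and whether an active session gets them without a prompt. The sample policy, its action ids and helper paths are constructed, and the `*.policy` glob is an assumption about the file naming in that directory.

```python
import glob
import xml.etree.ElementTree as ET

EXEC_PATH_KEY = "org.freedesktop.policykit.exec.path"
# Constructed sample policy file (hypothetical action ids and helper paths).
SAMPLE_POLICY = b"""<?xml version="1.0" encoding="UTF-8"?>
<policyconfig>
  <action id="org.example.helper.run">
    <defaults><allow_any>no</allow_any><allow_active>auth_admin</allow_active></defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/libexec/example-helper</annotate>
  </action>
  <action id="org.example.tool.apply">
    <defaults><allow_active>yes</allow_active></defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/example-tool</annotate>
  </action>
  <action id="org.example.service.configure"><defaults><allow_active>auth_admin_keep</allow_active></defaults></action>
</policyconfig>
"""

def pkexec_actions(policy_xml):
    """Return (action id, exec path, defaults dict) for each action annotated for pkexec."""
    found = []
    for action in ET.fromstring(policy_xml).iter("action"):
        paths = [a.text.strip() for a in action.findall("annotate")
                 if a.get("key") == EXEC_PATH_KEY and a.text]
        if not paths:
            continue  # no exec.path annotation: not a pkexec helper action
        defaults = {d.tag: (d.text or "").strip() for d in action.findall("defaults/*")}
        found.append((action.get("id"), paths[0], defaults))
    return found

def no_prompt(defaults):
    """True if an active local session is granted the action without authenticating."""
    return defaults.get("allow_active") == "yes"

def scan(pattern="/usr/share/polkit-1/actions/*.policy"):
    rows = []
    for path in sorted(glob.glob(pattern)):
        try:
            with open(path, "rb") as fh:
                rows += [(path,) + r for r in pkexec_actions(fh.read())]
        except ET.ParseError:
            continue  # skip malformed policy files
    return rows

if __name__ == "__main__":
    for path, action_id, exe, defaults in scan():
        flag = "  [no prompt for active session]" if no_prompt(defaults) else ""
        print(f"{exe}  {action_id}  ({path}){flag}")
```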