Proposed F19 Feature: Usermode Migration
Kevin Kofler
kevin.kofler at chello.at
Tue Feb 12 03:06:45 UTC 2013
I wrote:
> I don't see why this misfeature was accepted for F18. It is entirely
> useless under this form. We need a feature to actually use PolicyKit the
> way it was intended, phasing out usermode, consolehelper, kdesu and pkexec
> all at once wherever it is possible. (Of course, if the feature to be
> implemented really is "let the user run app 'foo' as root", then using
> pkexec or kdesu is a suitable solution.)
Oops, I misspoke there. What I meant is: (Of course, if the feature to be
implemented really is "let the user run *a USER-SPECIFIED* app as root",
then using pkexec or kdesu is a suitable solution.)
If you are trying to run a SPECIFIC app, e.g. system-config-foo, as root,
then:
1. Even that could benefit from a more specific permission than
org.freedesktop.policykit.exec, unless your app allows executing arbitrary
code as root. AND
2. The problem is right there: running the whole app as root! That's NOT how
PolicyKit is designed to work. It's a very coarse-grained and inflexible
permission and you're running a lot more code as root than one needs to.
(But of course, implementing a fine-grained model needs to be done right or
the potential for abuse is even higher. E.g., you don't want a mechanism
that claims to configure something specific and in reality accepts an
arbitrary file to write to from the frontend, because then any user granted
that permission can trivially exploit that mechanism with a fake frontend.)
The whole point of PolicyKit was that you do NOT want to run the entire
frontend app as root as was done in the past.
Kevin Kofler
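As an added illustration (not from Kevin's post and not PolicyKit or system-config code), here is a Python sketch of the privileged backend the post describes, contrasting the "accepts an arbitrary file to write to from the frontend" mechanism with a setting-specific one whose permission covers only that setting. Setting names, file paths and validators are constructed assumptions, and the polkit authorization check on the caller is assumed to have already passed before these functions run.

```python
import re
import tempfile
from pathlib import Path

# Constructed: the only settings this backend may change, each bound to a
# fixed file and a validator for its value. The frontend never names a path.
ALLOWED_SETTINGS = {
    "hostname": ("etc/hostname", re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,62}")),
    "timezone": ("etc/timezone", re.compile(r"[A-Za-z_]+(/[A-Za-z0-9_+-]+){0,2}")),
}


def write_arbitrary_file(path, contents, root):
    """The design the post warns against: the frontend supplies the path.
    Anyone granted this action can have any file written as root via a fake frontend."""
    target = Path(root) / path.lstrip("/")
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(contents)
    return str(target)


def set_setting(name, value, root):
    """Fine-grained design: the backend owns the name-to-file mapping and
    validates the value, so the granted permission covers only that setting.
    Assumes polkit already authorized the caller for this specific action id."""
    if name not in ALLOWED_SETTINGS:
        raise PermissionError(f"unknown setting: {name!r}")
    relpath, pattern = ALLOWED_SETTINGS[name]
    if not pattern.fullmatch(value):
        raise ValueError(f"invalid value for {name}: {value!r}")
    target = Path(root) / relpath
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(value + "\n")
    return str(target)


def demo():
    """Exercise both designs against a throwaway root; report what each accepted."""
    root = tempfile.mkdtemp()  # stand-in for "/" so the sketch runs unprivileged
    results = {"root": root}
    results["arbitrary"] = write_arbitrary_file("etc/anything", "whatever", root)
    results["hostname"] = set_setting("hostname", "box1", root)
    for name, value in [("sudoers", "arbitrary"), ("hostname", "../shadow"), ("hostname", "a\nb")]:
        try:
            set_setting(name, value, root)
        except (PermissionError, ValueError) as exc:
            results[f"{name}={value!r}"] = type(exc).__name__
    return results
```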