On Fr, 28.01.22 11:26, Adam Williamson (adamwill(a)fedoraproject.org) wrote:
On Fri, 2022-01-28 at 11:41 +0100, Lennart Poettering wrote:
>
> > "pkexec" is a *short* program, it runs very little code with
> > privileges actually. That makes it a *ton* better than the humungous
> > code monster that "sudo" is. It has a smaller security footprint, and
> > is easier to review than "sudo". That's worth a lot actually.
>
> ...and yet despite being so easy to review it somehow had a major
> security vulnerability ever since it was written.
Yeah, but sudo is much worse, no? CVEs are a shitty metric, but afaik
the number of CVEs of sudo dwarfs the CVEs of pkexec...
> Anyway, my point is not really pkexec vs. sudo for interactive use, but
> whether pkexec is actually needed by default on all of our editions for
> non-interactive use. It's not an easy question to answer since our
> packaging doesn't distinguish between something needing *polkit* and
> something needing *pkexec*. Though from what we've found in this
> thread, it seems like at least GNOME and KDE definitely do still need
> it. I'm not enough of a domain expert to know if it's realistic to
> rewrite everything in GNOME and KDE that relies on pkexec to use a
> different mechanism.
systemd's "ask-password" logic kinda pushes UI tools towards pkexec
too btw.
Lennart
--
Lennart Poettering, Berlin