On 1/28/22 05:41, Lennart Poettering wrote:
On Mi, 26.01.22 14:21, Adam Williamson (adamwill(a)fedoraproject.org)
wrote:
> The issue and some of the comments around it prompted me to wonder -
> why is `pkexec` still a thing? Particularly, why is it still a thing we
> are shipping by default in just about every Fedora install?
I don't think there's too much wrong with pkexec. It's like sudo but
with a much smaller, tighter footprint, with a hookup to intractive UI
stuff. I am pretty sure many cases where sudo is used right now would
actually benefit from using pkexec instead.
I mean, polkit has some issues, but I am pretty sure that "pkexec" is
not what I'd consider the big problem with it. Or to say this
differently: the whole concept of tools like
su/sudo/setpriv/runuser/suid binaries is questionnable: i.e. I am
pretty sure we'd be better off if we would systematically prohibit
acquiring privs through execve(), and instead focus on delegating
privileged operations to IPC services — but of course that would be
quite a departure from traditional UNIX.
Agreed. With S_ISUID and S_ISGID, the default is to inherit the entire
(untrusted!) caller environment, and the privileged process must sanitize
it. With an IPC service, the default is to not inherit any of the
environment, and only parts of the environment that are specifically
set are passed on.
As an aside, can Linux and/or glibc please disallow passing a NULL
argv[0]? I would honestly be okay with glibc just crashing the process
during startup if argv[0] is NULL or empty.
--
Sincerely,
Demi Marie Obenour (she/her/hers)