On Fri, 2022-01-28 at 11:41 +0100, Lennart Poettering wrote:
> "pkexec" is a *short* program, it runs very little code with
> privileges actually. That makes it a *ton* better than the humungous
> code monster that "sudo" is. It has a smaller security footprint, and
> is easier to review than "sudo". That's worth a lot actually.

...and yet despite being so easy to review it somehow had a major
security vulnerability ever since it was written.
Anyway, my point is not really pkexec vs. sudo for interactive use, but
whether pkexec is actually needed by default on all of our editions for
non-interactive use. It's not an easy question to answer since our
packaging doesn't distinguish between something needing *polkit* and
something needing *pkexec*. Though from what we've found in this
thread, it seems like at least GNOME and KDE definitely do still need
it. I'm not enough of a domain expert to know if it's realistic to
rewrite everything in GNOME and KDE that relies on pkexec to use a
different mechanism.
--
Adam Williamson
Fedora QA
IRC: adamw | Twitter: adamw_ha
https://www.happyassassin.net