Fedora and pkexec
The nasty vulnerability in pkexec has been rippling through the Linux world, leading to lots of security updates to the underlying polkit authorization toolkit. It also led to a recent discussion on the Fedora devel mailing list about whether pkexec, which runs a program as another user, is actually needed—or wanted—in some or all of the distribution's editions. But pkexec is used by quite a few different Fedora components, particularly in desktop-oriented editions, and it could perhaps be a better choice than the alternatives for running programs with the privileges of another user.
Adam Williamson raised the issue on the day after the disclosure of the PwnKit flaw. It is, as he noted, a longstanding (since the first version of pkexec in 2009) local root privilege escalation. That started him thinking:
The issue and some of the comments around it prompted me to wonder - why is `pkexec` still a thing? Particularly, why is it still a thing we are shipping by default in just about every Fedora install?My best recollection is that pkexec was kinda a kludge to allow us to get rid of consolehelper: some apps weren't getting rewritten to the Right Way of doing things under policykit, they still just wanted to have the entire app run as root, and pkexec was a way to make that happen.
consolehelper is another program that allows users to run code as other users, while PolicyKit is a former name for polkit. Back in 2013, the Fedora Usermode Migration feature targeted moving all users of consolehelper to polkit. Williamson wondered which parts of Fedora still needed pkexec at this point (given its "kludge" status). But, since it is included in the polkit package, which is used far more widely, perhaps pkexec could be split out into a sub-package that would only be installed where that piece is actually needed, he suggested.
In a followup
message, Williamson noted that the bug ticket
for the Usermode Migration showed that it had not been completed. There
are still 15 packages in Fedora that require consolehelper. Peter Robinson said
that most of those "appear to be legacy
" packages that should
not be in general use.
Michael J Gruber jokingly asked if he should switch his package away from pkexec and back to using the consolehelper-based beesu wrapper for the su command since beesu still exists in Fedora. But Williamson said that is not his point at all:
The issue is not that pkexec is inherently worse than any other tool to do approximately the same thing (prompt for some kind of password, then run the entire app as root) - it's unfortunate that pkexec happened to have a giant security flaw, but it's not unlikely that other tools to do the same thing will turn out to have security flaws if someone decides to take a close look at them. The issue is that *that whole design* is suboptimal.
The idea was that applications would move to using the other mechanisms
provided by polkit in order to do their privileged operations, he said.
For applications that will not make that transition, pkexec was a
"less-good second choice option
" to allow them to continue to
work. Removing consolehelper was meant to reduce the number of
"run things as root" tools that the distribution needed to pay attention
to, though that has not ever fully been completed. "Switching from
pkexec to any other 'run-this-thing-as-root' tool
would not be an improvement.
"
If you are going to run programs as root anyway, though, pkexec is probably better than using sudo or other options, Lennart Poettering said. pkexec already uses the polkit interprocess communication (IPC) mechanism to request running a binary as root, which is a superior model in his mind:
I mean, polkit has some issues, but I am pretty sure that "pkexec" is not what I'd consider the big problem with it. Or to say this differently: the whole concept of tools like su/sudo/setpriv/runuser/suid binaries is [questionable]: i.e. I am pretty sure we'd be better off if we would systematically prohibit acquiring privs through execve(), and instead focus on delegating privileged operations to IPC services — but of course that would be quite a departure from traditional UNIX.[...] "pkexec" is a *short* program, it runs very little code with privileges actually. That makes it a *ton* better than the [humongous] code monster that "sudo" is. It has a smaller security footprint, and is easier to review than "sudo". That's worth a lot actually.
But Sam Varshavchik objected to the idea that moving the privileged operation to the other end of an IPC mechanism, such as a socket, really would solve the underlying problem. Having programs that run as root, which have bugs, is actually the problem at hand:
The same bug that's exploitable in a suid [or setuid] binary will also be exploitable, exactly the same way, in its suid-less equivalent. If you have a buffer overrun in a suid binary as a result of carefully-crafted command-line parameters or environment, then if you replace the suid binary with an identical bug-for-bug implementation that uses a socket to carefully pass along the same environment or parameters to a native root binary, and the buffer overrun is the same, guess what: you still have the same exploit.suid is not the problem. An execved program will inherit the environment, some open file descriptors, and maybe a few other things that a standalone daemon that accepted a socket connection does not have. But that's what most exploits leverage, so cleaning up the environment and open file descriptors would remedy that. It will take some effort to exploit whatever remains.
Poettering did not see things that way, however. There is an enormous amount of state that comes along for the ride when executing a setuid binary, and that state is growing over time:
The thing with setuid/setgid is that the invoked privileged process inherits a lot of implicit state and context that people aren't really aware of or fully understand. i.e. it's not just env vars and argv[], it's cgroup memberships, audit fields, security contexts, open fds, child pids, parent pids, cpu masks, IO/CPU scheduling priorities, various prctl() settings, tty control, signal masks + handlers, … and so on. And it's not even clear what gets inherited as many of these process properties are added all the time.If you do privileged execution of specific operations via IPC you get the guarantee that whatever is done, is done from a well-defined, pristine execution environment, without leaking context implicitly. The IPC message is the *full* vulnerable surface, and that's as minimal as it can get. And that's great.
While all of that context and state is present for the setuid program, the underlying problem is in the program itself, Varshavchik said:
And none of that makes any difference, whatsoever, unless there's also an underlying logical bug in the code itself. And that's going to be the real problem. So then, question becomes, how many exploits leveraged any of these exotic resources, like cgroup members, tty control, and all of those other fringe attributes? I suppose there might've been a few, but I can't recall many. On the other hand, exploits that accomplish execve("/bin/bash") would work equally well, given the same underlying bug in the root daemon, that's triggerable via its front end, or in a suid program. A sanitized environment won't be much of a help.
But sanitizing the environment fully is difficult or impossible to do for the setuid program, Poettering said. There are a number of interacting attributes that are under the control of the caller (read attacker) of the setuid binary—and that number keeps increasing:
You might *hope* that there was no bug introduced through the interaction of all that code, but the point I am making is that "struct task" and associated objects in kernel get extended all the time, and suid programs that didn't expect these additions will be exposed to them, and cannot sanely reset them even if they wanted, since typically developers cannot look into the future (and the cgroup stuff cannot even be reset reasonably at all).
Varshavchik wanted
"hard data
" on the kinds of vulnerabilities being envisioned
here. He and Poettering went back and forth about what constituted said
data, without coming to any real agreement. Poettering ended his
participation in that sub-thread by noting that he understands "your
love [for] suid and sudo
" but that he and others consider them to be
"a very bad
idea
". For his part, Varshavchik is not
particularly enamored with those mechanisms:
I love suid and sudo no more, no less, and exactly the same as I love my screwdriver. I'm married to neither. Both are just tools. Both can be used, by people, correctly. Both can be used also, by people, incorrectly. But it makes no sense to use that as a reason for replacing screwdrivers with wrenches.
Demi Marie Obenour suggested
that the state information that gets inherited by a setuid binary should be
chosen by that binary: "State inheritance definitely should be opt-in, with the possible
exception of certain audit data such as the audit user ID.
" Steve
Grubb, who works on the Linux audit
system, said that auditing relies on binaries inheriting security
contexts and audit information, so the existing polkit mechanisms fall
short. Had a kernel mechanism, like kdbus, been adopted, that problem would
have been
avoided. As it stands, polkit "doesn't satisfy our security
requirements
":
[...] it's impossible to reason about what's allowed and what's not because the policy is free-form javascript rather than assignments that can be checked by any configuration scanners. And access decisions do not go through the audit system. So, we really have little insight into access control and information flows from anything using IPC started applications.Setuid may be distasteful to some people. But it's properties are well known and its fully plumbed to make some assurance arguments about the platform.
He was not alone in complaining about polkit's JavaScript configuration mechanism, as that is seen as something of poor design decision by many. Meanwhile, Andrew Lutomirski said that getting an in-kernel IPC mechanism is a difficult problem; he had some thoughts on setuid as well:
I would love to see a nice security model for IPC in the Linux kernel, but I haven't seen a credible proposal. This problem is *hard*.As for setuid, I'm strongly of the opinion that setuid was and remains a mistake. Executing a process should never add privileges.
Circling back to his original message, Williamson noted
that the thread made it clear that pkexec is currently needed by
at least some of the desktop editions/spins of Fedora, though: "It's not an
easy question to answer since our
packaging doesn't distinguish between something needing *polkit* and
something needing *pkexec*.
" Fedora project leader Matthew Miller
thought
that at least could be changed: "I wonder if a first step might be
to split out pkexec into a subpackage, and
then gradually remove requirements on it.
"
That's where things stand at this point. Pulling pkexec out into its own package seems like a good plan, regardless of whether it should slowly be removed from use or not; it will make tracking which other packages use it that much easier should another vulnerability arise. A longer-term shift toward more—or exclusively—polkit-style privilege enhancement may not necessarily be in the offing. The consensus on that path is not entirely clear and it is also an area where the distribution does not want to see a lot of churn—at least without a lot of code review to go with it.
As with most (all?) vulnerabilities, the real culprit is the lack of focused security review of code. For setuid binaries and other code that runs as root, that review is imperative, but it is far from clear that a huge amount of it is being done. Every time another widespread vulnerability crops up we get reminded of that, but the impact seems to fade rather quickly and things return to "normal". That is a rather worrisome state of affairs.
| Index entries for this article | |
|---|---|
| Security | Distribution security |
Posted Feb 2, 2022 22:29 UTC (Wed)
by ejr (subscriber, #51652)
[Link] (4 responses)
And I suppose userv has/had the same issues? At some point, sending unclass messages to a server that reviews them kinda is the way.
Posted Feb 3, 2022 0:16 UTC (Thu)
by bartoc (guest, #124262)
[Link] (3 responses)
Does fedora's current selinux policy allow (for example) httpd to execute pkexec (or sudo)?
Posted Feb 3, 2022 8:23 UTC (Thu)
by pbonzini (subscriber, #60935)
[Link]
Posted Feb 7, 2022 3:45 UTC (Mon)
by flussence (guest, #85566)
[Link] (1 responses)
Posted Feb 8, 2022 8:09 UTC (Tue)
by bartoc (guest, #124262)
[Link]
For things that are less general than pkexec/sudo something like selinux can reduce them from "full suid" a little bit.
And yeah, SELinux is absolutely (and always) a bandage rather than a cure. It's a defense in depth measure. It can do a good job stopping the bleeding though.
Posted Feb 2, 2022 22:31 UTC (Wed)
by smcv (subscriber, #53363)
[Link] (2 responses)
I think that makes sense, and I'm looking at doing exactly that in Debian. That way, only systems that actually need pkexec (either because the sysadmin wants to be able to run it, or because another installed package relies on it) have to pay the attack-surface cost of having one more setuid executable.
Some of polkit's past CVEs have been vulnerabilities in its core functionality (briefly: replying to IPC requests "foo has asked me to do bar, is that OK?" with a yes or no), and not installing pkexec would not do anything to solve those; but some of its past CVEs (notably CVE-2021-4034) have been pkexec being insufficiently paranoid in the face of a hostile execution environment, and those are easy to mitigate by not having pkexec on systems that don't need it.
> The thing with setuid/setgid is that the invoked privileged process inherits a lot of implicit state and context that people aren't really aware of or fully understand. i.e. it's not just env vars and argv[], it's cgroup memberships, audit fields, security contexts, open fds, child pids, parent pids, cpu masks, IO/CPU scheduling priorities, various prctl() settings, tty control, signal masks + handlers, … and so on. And it's not even clear what gets inherited as many of these process properties are added all the time.
100% this. pkexec is a relatively small program, which has been presumably looked at by lots of security-conscious people; it makes sure to avoid the obvious, well-known setuid traps, like clearing its environment variables before calling into "big" libraries; and yet it had this recent vulnerability, presumably because it didn't occur to any of its maintainers, packagers or auditors that lower-level components (kernel and ld.so) would allow a process - particularly an AT_SECURE process! - to enter main() with argc == 0.
Posted Feb 3, 2022 9:08 UTC (Thu)
by taladar (subscriber, #68407)
[Link] (1 responses)
Posted Feb 3, 2022 16:29 UTC (Thu)
by gnu_lorien (subscriber, #44036)
[Link]
I know when I read that a program is 100% self-contained I wonder, "what common thing did they mess up?" I know that others see this as a bonus feature all unto itself.
Posted Feb 3, 2022 7:22 UTC (Thu)
by eru (subscriber, #2753)
[Link] (3 responses)
Posted Feb 3, 2022 8:13 UTC (Thu)
by NYKevin (subscriber, #129325)
[Link] (2 responses)
(If you want something that works in a distributed/multi-node setup, then you have to use signatures and certificates. This requires solving a number of PKI-related problems, which are difficult but not insurmountable for an organization of reasonable means. Fortunately, polkit mostly doesn't get deployed in that fashion, to the best of my understanding.)
Posted Feb 3, 2022 14:30 UTC (Thu)
by eru (subscriber, #2753)
[Link]
Posted Feb 7, 2022 7:41 UTC (Mon)
by joib (subscriber, #8541)
[Link]
Posted Feb 3, 2022 9:40 UTC (Thu)
by larkey (guest, #104463)
[Link] (1 responses)
1. Split polkit & pkexec
Further, either
a) move an increasing amount of stuff from sudo to pkexec (or even build a drop-in binary with a one-time translation of sudoers to policykit rules); or
(a) seems more likely to happen, I think.
Posted Feb 3, 2022 10:52 UTC (Thu)
by pabs (subscriber, #43278)
[Link]
Posted Feb 3, 2022 10:20 UTC (Thu)
by cortana (subscriber, #24596)
[Link] (10 responses)
On Debian (and derived distributions I guess) an older version of Polkit is shipped, which still uses the old 'pklocalauthority' where policy is written in static INI-like format, but you're limited to matching on properties like "is the requester a given user", "is the requester in a group*", "is the requster on an active console session", etc.
I go back and forward on whether this is good or not. The fragmentation between the Red Hat and Debian worlds here is aggravating. But the static policy is easier to understand!
* which it does in a broken way (upstream bug) that doesn't work in large installations, precisely the sort of installations that would like to use Polkit to control policy, argh!
Posted Feb 3, 2022 23:07 UTC (Thu)
by mchapman (subscriber, #66589)
[Link] (3 responses)
I'm wondering if Debian doesn't use a newer polkit simply because they object to using JS (or perhaps the old mozjs library?) in a security-sensitive context.
Posted Feb 4, 2022 17:59 UTC (Fri)
by cortana (subscriber, #24596)
[Link] (2 responses)
I wish the reason was documented in the package's README.Debian file...
Posted Feb 5, 2022 22:00 UTC (Sat)
by khim (subscriber, #9252)
[Link] (1 responses)
Firefox, like Chrome, doesn't trust it's renderers and sandboxes mozjs for a reason. Polkit does the exact opposite.
Posted Feb 6, 2022 4:42 UTC (Sun)
by mjg59 (subscriber, #23239)
[Link]
Posted Feb 4, 2022 7:01 UTC (Fri)
by zdzichu (subscriber, #17118)
[Link] (5 responses)
Posted Feb 4, 2022 10:19 UTC (Fri)
by smcv (subscriber, #53363)
[Link]
For example, when the privileged service asking for authorization is systemd, the domain-specific extra information can include a systemd unit name, as used in your example rules.
Posted Feb 4, 2022 11:00 UTC (Fri)
by gioele (subscriber, #61675)
[Link] (1 responses)
Posted Feb 15, 2022 15:51 UTC (Tue)
by sammythesnake (guest, #17693)
[Link]
It took me a while to find the (hopefully) right "CEL" - it doesn't appear to be on acronym finder or Wikipedia which usually find these things for me, so I thought out might be useful for others similarly out of the loop :-P
Posted Feb 4, 2022 22:09 UTC (Fri)
by NYKevin (subscriber, #129325)
[Link] (1 responses)
Reference: https://developer.mozilla.org/en-US/docs/Web/JavaScript/E...
Posted Feb 19, 2022 12:13 UTC (Sat)
by cortana (subscriber, #24596)
[Link]
Posted Feb 3, 2022 11:37 UTC (Thu)
by pothos (subscriber, #116075)
[Link]
Posted Feb 12, 2022 21:47 UTC (Sat)
by CodingVoid (guest, #156336)
[Link] (14 responses)
I couldn't agree more. I personally don't understand why one would even need polkit in the first place. I just don't see the advantages compared to traditional Unix Permissions. Compared to polkit (which uses DBus, which in turn uses Unix Sockets), I think it is simpler and more secure to just write a program with standard unix permissions in mind. If I need to use privileged system calls I just use capabilities. If I need to access some files owned by root, I add my user and the file to a Unix Group (maybe even ACL). If I end up needing some kind of authentication, I would probably use a PAM module. Using polkit I feel like making my System unnecessarily more complex instead of making it more secure. Although I have to admit I don't have much experience using polkit, so I can't say which advantages it has over traditional Unix ways.
Posted Feb 13, 2022 0:34 UTC (Sun)
by mjg59 (subscriber, #23239)
[Link] (13 responses)
How do traditional Unix permissions encode things like "Is this user currently logged in at a physical console"? One approach would be to add them to a group when they log in - but then they can create a sgid binary that would allow them to retain access. You could have an acl on the socket and add them to that for the duration of their login period, but then we're already outside traditional Unix permissions and also they could just open the socket with a process that survives them logging out, and given there's no revoke() syscall in Linux you can't take that away from them.
There are policy decisions you want to make that rely on the current state of a user, and filesystem permissions (traditional or ACL-based) don't give a mechanism to enforce that.
Posted Feb 13, 2022 12:28 UTC (Sun)
by CodingVoid (guest, #156336)
[Link] (6 responses)
I thought that's what the utmp file is for. The login program as well as ssh login write in these. In case of an remote login via SSH, there is an ip address in the utmp line.
Posted Feb 13, 2022 16:45 UTC (Sun)
by mjg59 (subscriber, #23239)
[Link] (5 responses)
Posted Feb 16, 2022 14:42 UTC (Wed)
by CodingVoid (guest, #156336)
[Link] (4 responses)
Posted Feb 16, 2022 17:25 UTC (Wed)
by mathstuf (subscriber, #69389)
[Link] (3 responses)
As someone who would like their program to be more robust, not having to load in arbitrary code into my process space makes me feel a lot better. Loading PAM or NSS plugins to do things on my behalf sounds a lot worse when they can take my process down instead of giving me back an error that I can explicitly handle. Some PAM plugins don't even work as intended because their configuration files aren't world-readable, so a separate process is just a better way with them.
Additionally, if one is running something like WINE or other architectures (QEMU or whatever), there can be more sharing of permissions instead of having to figure out how to make them load compatible plugins/configurations as well.
There are tradeoffs, but given that `dlopen` can just run arbitrary code, I don't like it for "must not fail" processes at all. Sure, you can also link to these libraries at build time, but "loading libraries" is usually done in languages with…sad package management.
Posted Feb 18, 2022 11:01 UTC (Fri)
by CodingVoid (guest, #156336)
[Link] (2 responses)
> Additionally, if one is running something like WINE or other architectures (QEMU or whatever), there can be more sharing of permissions instead of having to figure out how to make them load compatible plugins/configurations as well.
> Sure, you can also link to these libraries at build time, but "loading libraries" is usually done in languages with…sad package management.
Posted Feb 18, 2022 11:29 UTC (Fri)
by farnz (subscriber, #17727)
[Link]
As an example of where the local process over UNIX Domain Sockets approach is strictly better than the library approach: there are ways to authenticate via a remote RADIUS server where I use machine secrets to establish an encrypted session with the remote server, and then send the user's credentials over that tunnel. If you do this via a library, then all processes on the system that need to authenticate need to be able to read the machine secrets, which implies that the machine secrets are world-readable. If, instead, you use a local process over a socket, that process can run as root, and the machine secrets need only be readable by root.
Posted Feb 18, 2022 18:08 UTC (Fri)
by mathstuf (subscriber, #69389)
[Link]
Badly written libraries are everywhere. Even so, it misses the case where the process doing the check needs higher permissions to be able to read some configuration file. Running every PAM-using process as `suid` on the off-chance a configuration file is not world-readable sounds like a terrible solution.
> Could you be more specific? Who shares permissions with whom in that example?
Instead of having to have a way for a WINE process to load a PAM module to be able to check a password, you can implement "talk to a socket" without having to port some (typically very-Unixy) code over to Windows-isms. Rather, you just implement "list users" and "authenticate this user" APIs in terms of socket communication which sounds…way nicer IMO.
> I don't really follow. Could you explain?
C and C++ have terrible package management. How to use package $x differs based on the build system you use as well as the project you would like to consume. Alas, solving this is *hard* because C and C++ developers have gotten accustomed to all the power that "make my own command line" offers.
Now, any C or C++-specific way that goes down a similar path as Python's PyPI, Rust's cargo, or Node's NPM will have the issues of those ecosystems: that using any interface that is not the language under consideration is extremely hard. Sure `pip install h5py` works, but if I have another library that wants to use HDF5's C interfaces, I'm SOL because `pip` has no way for such a thing to be offered or expressed as a strict enough dependency that ABI considerations require. NumPy is the only one that does it well and that's because it is *only* a Python package, not another package being stuffed into the Python world.
Posted Feb 14, 2022 11:15 UTC (Mon)
by cortana (subscriber, #24596)
[Link]
You could have an acl on the socket and add them to that for the duration of their login period, but then we're already outside traditional Unix permissions and also they could just open the socket with a process that survives them logging out, and given there's no revoke() syscall in Linux you can't take that away from them. As an aside, I have always wondered if the way udev grants console users access to I presume that if I lock my screen, my processes will still have access to the audio/video devices and I could use them to spy on the next user who logs in...
Posted Feb 16, 2022 19:11 UTC (Wed)
by flussence (guest, #85566)
[Link] (1 responses)
I really wish the answer was as simple as `fuser -u /dev/tty* | grep $USER`. It isn't, because X, but it could've been. Doesn't even have to be a device file.
Posted Feb 17, 2022 2:12 UTC (Thu)
by mjg59 (subscriber, #23239)
[Link]
Posted Feb 17, 2022 20:14 UTC (Thu)
by nix (subscriber, #2304)
[Link] (1 responses)
I have long wondered why the ability to do this as a regular user didn't go away at the same time as the ability to give away things with chown as a regular user. They seem to enable the same sort of evasive behaviour...
Posted Feb 18, 2022 10:38 UTC (Fri)
by farnz (subscriber, #17727)
[Link]
That change happened in the days when systems were relatively static compared to today's setups. So your groups vector would be the same whether you were logged in or not, and thus a SGID binary wouldn't elevate your permissions; you could only use it as a way to elevate someone else to your permissions.
In contrast, giving away files to someone else is a hole in the world where everything's static; it lets you claim their quota, for a start.
Posted Feb 18, 2022 14:09 UTC (Fri)
by cortana (subscriber, #24596)
[Link]
Another case where we could have learned from Windows. Handwaving a bit here but I believe you can create an ACE for S-1-2-1 ("Console logon"), which will be present in the token of all processes started by a user with a physical console logon session.
(I've no idea how this handles revocation).
Fedora and pkexec
Fedora and pkexec
Fedora and pkexec
Fedora and pkexec
Fedora and pkexec
Fedora and pkexec
Fedora and pkexec
Fedora and pkexec
- Small LOC with less external dependencies are more secure
- Libraries can be used to encapsulate and require security practices
Fedora and pkexec
Fedora and pkexec
Fedora and pkexec
Fedora and pkexec
Fedora and pkexec
2. Have polkit rules be more sane
b) make a suid replacement mechanism with opt-in state?
Fedora and pkexec
Fedora and pkexec
because the policy is free-form javascript rather than assignments that can be checked by any configuration scanners
Fedora and pkexec
Fedora and pkexec
Fedora and pkexec
Fedora and pkexec
Looking at my polkit rules, I have stuff like “allow smart home system (running as unprivileged user) to start specific services” which translates to something like:
Fedora and pkexec
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.systemd1.manage-units") {
var unit = action.lookup("unit");
if (unit == "toggle-bcache@writethrough.service" ||
unit == "toggle-bcache@writearound.service" ||
unit == "toggle-bcache@writeback.service") {
var verb = action.lookup("verb");
if (verb == "start" && subject.user == "openhab" ) {
return polkit.Result.YES;
}
}
}
});
How to express that in previous INI-language? I doubt it's possible.
Fedora and pkexec
Fedora and pkexec
Fedora and pkexec
Fedora and pkexec
Fedora and pkexec
Fedora and pkexec
Fedora and pkexec
Fedora and pkexec
Fedora and pkexec
Fedora and pkexec
Fedora and pkexec
I guess the root of the problem resides in the fact, that one needs to communicate with a daemon/priviledged process in the first case. First thing I do on my personal system, after installing my distribution of choice is disable/mask 80% of all systemd services/timers/sockets (of course I check whether I need the services features before disabling).
I guess it's all personal preference and all but I am more into using libraries instead of having 10 socket connections to some priviledged daemons, which do the stuff for me.
Fedora and pkexec
Fedora and pkexec
But then the problem resides in the libraries itself. reading that it sounds like polkit is just 'patch' for bad written libraries.
Could you be more specific? Who shares permissions with whom in that example?
I don't really follow. Could you explain?
Fedora and pkexec
Fedora and pkexec
Fedora and pkexec
uaccess-tagged devices is vulnerable to this problem.
$ getfacl -p /dev/snd/pcmC0D0p
# file: /dev/snd/pcmC0D0p
# owner: root
# group: audio
user::rw-
user:sam:rw-
group::rw-
mask::rw-
other::---
Fedora and pkexec
Fedora and pkexec
Fedora and pkexec
Fedora and pkexec
Fedora and pkexec