
Fedora and pkexec


Posted Feb 3, 2022 7:22 UTC (Thu) by eru (subscriber, #2753)
Parent article: Fedora and pkexec

I wonder about that IPC approach. How does the server end of the IPC know the client is authorised to ask what it asks?



Fedora and pkexec

Posted Feb 3, 2022 8:13 UTC (Thu) by NYKevin (subscriber, #129325) [Link] (2 responses)

I haven't checked, but I would be completely astonished if the answer did not somehow involve SCM_CREDENTIALS and/or SO_PEERCRED over unix(7). That is the normal way of accomplishing this sort of thing.

(If you want something that works in a distributed/multi-node setup, then you have to use signatures and certificates. This requires solving a number of PKI-related problems, which are difficult but not insurmountable for an organization of reasonable means. Fortunately, polkit mostly doesn't get deployed in that fashion, to the best of my understanding.)
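
The SO_PEERCRED check named in the comment above, sketched as an added example; it is not part of the original thread and is not polkit's code. The `restart-service` action, the policy dictionary and the `<claimed_uid> <action>` request format are assumptions made for illustration, and the code is Linux-only.

```python
import os
import socket
import struct

UCRED = struct.Struct("iII")  # Linux struct ucred: pid_t pid; uid_t uid; gid_t gid


def peer_credentials(conn):
    """Return (pid, uid, gid) of the peer, as recorded by the kernel."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, UCRED.size)
    return UCRED.unpack(raw)


def handle_request(conn, policy):
    """Serve one '<claimed_uid> <action>' request; return the reply sent."""
    fields = conn.recv(256).decode("ascii", "replace").split()
    if len(fields) != 2:
        reply = "ERR malformed"
    else:
        _claimed_uid, action = fields  # client-supplied identity: never trusted
        _pid, uid, _gid = peer_credentials(conn)
        # Authorise on the kernel-reported uid only. These are the credentials
        # in effect when the peer called connect(2) or socketpair(2).
        reply = "OK" if uid in policy.get(action, ()) else "DENIED"
    conn.sendall(reply.encode() + b"\n")
    return reply


def demo(claimed_uid, policy, action="restart-service"):
    """Run one request over a socketpair; return the reply the client reads."""
    server, client = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    with server, client:
        client.sendall(f"{claimed_uid} {action}\n".encode())
        handle_request(server, policy)
        return client.recv(64).decode().strip()


if __name__ == "__main__":
    me = os.geteuid()
    other = me + 1  # constructed uid that is not ours
    print(demo(me, {"restart-service": {me}}))        # caller really is allowed
    print(demo(other, {"restart-service": {other}}))  # caller only claims to be
```

The second call shows why the server ignores the uid written in the message: the client can put any number there, but the value returned by SO_PEERCRED comes from the kernel.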

Fedora and pkexec

Posted Feb 3, 2022 14:30 UTC (Thu) by eru (subscriber, #2753) [Link]

Thanks. I have not programmed with these unix-domain sockets, so did not know they have this kind of feature.

Fedora and pkexec

Posted Feb 7, 2022 7:41 UTC (Mon) by joib (subscriber, #8541) [Link]

There are projects to extend the SO_PEERCRED kind of model to distributed setups like munge (https://dun.github.io/munge/), widely used in the HPC world. Yes, using crypto.

