
Fedora and pkexec

Posted Feb 14, 2022 11:15 UTC (Mon) by cortana (subscriber, #24596)
In reply to: Fedora and pkexec by mjg59
Parent article: Fedora and pkexec

You could have an acl on the socket and add them to that for the duration of their login period, but then we're already outside traditional Unix permissions and also they could just open the socket with a process that survives them logging out, and given there's no revoke() syscall in Linux you can't take that away from them.

As an aside, I have always wondered if the way udev grants console users access to uaccess-tagged devices is vulnerable to this problem.

$ getfacl -p /dev/snd/pcmC0D0p
# file: /dev/snd/pcmC0D0p
# owner: root
# group: audio
user::rw-
user:sam:rw-
group::rw-
mask::rw-
other::---

I presume that if I lock my screen, my processes will still have access to the audio/video devices and I could use them to spy on the next user who logs in...
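The behaviour discussed in the comment above, as an added example that is not part of the original post and is not udev code: access is checked when a file is opened, so a descriptor obtained earlier keeps working after the permission is withdrawn, and the check an administrator can run is to list which processes still hold the node open. The temporary file stands in for a device node such as /dev/snd/pcmC0D0p, `chmod 0` stands in for removing the `user:` ACL entry, and the function names are hypothetical.

```python
import os
import tempfile


def holders_of(path):
    """PIDs with an open descriptor on path, found via /proc/<pid>/fd (Linux only)."""
    target = os.stat(path)
    key = (target.st_dev, target.st_ino)
    pids = set()
    if not os.path.isdir("/proc"):
        return pids
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            names = os.listdir(f"/proc/{pid}/fd")
        except OSError:
            continue  # process exited, or its fd table is not readable by us
        for name in names:
            try:
                st = os.stat(f"/proc/{pid}/fd/{name}")
            except OSError:
                continue  # descriptor closed since it was listed
            if (st.st_dev, st.st_ino) == key:
                pids.add(int(pid))
                break
    return pids


def read_after_revoke():
    """Open a file, withdraw all permissions, then use the old descriptor."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "fake-device")  # constructed stand-in for a device node
        with open(path, "wb") as f:
            f.write(b"captured audio")         # constructed sample data
        fd = os.open(path, os.O_RDONLY)        # permission is checked here, once
        try:
            os.chmod(path, 0)                  # stand-in for dropping the ACL entry
            try:
                os.close(os.open(path, os.O_RDONLY))
                fresh_open = True              # expected only with CAP_DAC_OVERRIDE (root)
            except PermissionError:
                fresh_open = False
            data = os.read(fd, 64)             # read() performs no new permission check
            holders = holders_of(path)         # the old descriptor is still visible here
        finally:
            os.close(fd)
    return fresh_open, data, holders
```

Run as root, `holders_of()` sees every process on the system; run unprivileged, it only sees the caller's own processes.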

