Fedora and pkexec
Posted Feb 18, 2022 11:29 UTC (Fri) by farnz (subscriber, #17727) In reply to: Fedora and pkexec by CodingVoid
Parent article: Fedora and pkexec
As an example of where the local process over UNIX Domain Sockets approach is strictly better than the library approach: there are ways to authenticate via a remote RADIUS server where I use machine secrets to establish an encrypted session with the remote server, and then send the user's credentials over that tunnel. If you do this via a library, then all processes on the system that need to authenticate need to be able to read the machine secrets, which implies that the machine secrets are world-readable. If, instead, you use a local process over a socket, that process can run as root, and the machine secrets need only be readable by root.
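The split described in the comment above, as an added sketch that is not part of the original comment: a broker that alone reads a mode-0600 machine secret and answers authentication requests over a UNIX domain socket, so the client only ever sees a verdict. The HMAC-tagged `remote_server` stub, the sample account, and the socketpair plus thread (standing in for a root daemon on a bound socket) are all constructed assumptions.

```python
import hashlib, hmac, os, socket, stat, tempfile, threading

USERS = {"alice": "correct horse"}            # constructed sample account
SERVER_COPY = b"constructed-machine-secret"   # the remote server's copy of the secret

def remote_server(user, password, tag):
    """Stand-in for the remote RADIUS server (not the real protocol):
    it only considers requests tagged with the machine secret."""
    msg = f"{user}\0{password}".encode()
    want = hmac.new(SERVER_COPY, msg, hashlib.sha256).digest()
    return hmac.compare_digest(tag, want) and USERS.get(user) == password

def broker(conn, secret_path):
    """Privileged side: the only code that ever opens secret_path."""
    with open(secret_path, "rb") as f:
        secret = f.read()
    with conn:
        for line in conn.makefile("rb"):      # one request per line, until EOF
            user, _, password = line.rstrip(b"\n").decode().partition("\0")
            msg = f"{user}\0{password}".encode()
            tag = hmac.new(secret, msg, hashlib.sha256).digest()
            ok = remote_server(user, password, tag)
            conn.sendall(b"OK\n" if ok else b"DENY\n")

def authenticate(sock, user, password):
    """Unprivileged side: sends credentials, receives only a verdict."""
    sock.sendall(f"{user}\0{password}\n".encode())
    return sock.recv(16).strip() == b"OK"

def demo():
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "machine.secret")
        # Create the secret owner-readable only; with the library approach
        # this file would have to be readable by every authenticating process.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as f:
            f.write(SERVER_COPY)
        mode = stat.S_IMODE(os.stat(path).st_mode)
        client, server = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
        t = threading.Thread(target=broker, args=(server, path))
        t.start()
        good = authenticate(client, "alice", "correct horse")
        bad = authenticate(client, "alice", "wrong")
        client.close()                        # EOF ends the broker loop
        t.join()
        return mode, good, bad

if __name__ == "__main__":
    print(demo())
```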