#2 Make polkit-pkla-compat a Recommends
Closed 7 months ago by siosm. Opened 2 years ago by siosm.
rpms/ siosm/polkit pkle-recommends  into  rawhide

file modified
+26 -4
@@ -6,7 +6,7 @@ 

  Summary: An authorization framework

  Name: polkit

  Version: 0.120

- Release: 3%{?dist}

+ Release: 4%{?dist}

  License: LGPLv2+

  URL: http://www.freedesktop.org/wiki/Software/polkit

  Source0: http://www.freedesktop.org/software/polkit/releases/%{name}-%{version}.tar.gz
@@ -31,9 +31,15 @@ 

  BuildRequires: libtool

  %endif

  

- Requires: dbus, polkit-pkla-compat

+ Requires: dbus

  Requires: %{name}-libs%{?_isa} = %{version}-%{release}

  

+ # Compatibilty with pkexec depending applications

+ Recommends: polkit-pkexec

+ 

+ # Compatibilty with pkla file format from polkit <= 0.105

+ Recommends: polkit-pkla-compat

+ 

  Requires(pre): shadow-utils

  Requires(post): systemd

  Requires(preun): systemd
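Review bot: Moving `polkit-pkla-compat` from `Requires:` to `Recommends:` makes it a weak dependency that can be skipped at install time or removed later, and nothing in this hunk makes polkit warn or refuse when old-format .pkla files are still on disk. Keep the hard `Requires:` until such a guard or a migration step exists. Two smaller points in the added lines: `Compatibilty` is misspelled in both comments, and `Recommends: polkit-pkexec` is unversioned while the `%{name}-libs` dependency next to it is pinned to `%{version}-%{release}`.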
@@ -60,6 +66,12 @@ 

  used for allowing unprivileged processes to speak to privileged

  processes.

  

+ %package pkexec

+ Summary: pkexec SetUID binary for legacy polkit support

+ 

+ %description pkexec

+ pkexec SetUID binary for legacy polkit support.

+ 

  %package devel

  Summary: Development files for polkit

  Requires: %{name}-libs%{?_isa} = %{version}-%{release}
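Review bot: The new `%package pkexec` stanza declares no dependency at all, whereas `%package devel` directly below it pins `Requires: %{name}-libs%{?_isa} = %{version}-%{release}`. Add a versioned `Requires: %{name}%{?_isa} = %{version}-%{release}` so the setuid binary cannot be installed alongside a mismatched polkit. The `Summary:` and `%description` are also the same sentence; the description could state that the package may be left out on systems where nothing calls pkexec.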
@@ -135,7 +147,9 @@ 

  

  %files -f polkit-1.lang

  %doc COPYING NEWS README

- %{_datadir}/man/man1/*

+ %{_datadir}/man/man1/pkaction*

+ %{_datadir}/man/man1/pkcheck*

+ %{_datadir}/man/man1/pkttyagen*

  %{_datadir}/man/man8/*

  %{_datadir}/dbus-1/system.d/org.freedesktop.PolicyKit1.conf

  %{_datadir}/dbus-1/system-services/*
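Review bot: `%{_datadir}/man/man1/pkttyagen*` reads like a truncated `pkttyagent*`. The glob still matches, but spell the name out in full as the `pkaction*` and `pkcheck*` lines above it do, so the list is greppable and the intent is clear.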
@@ -155,9 +169,13 @@ 

  %{_prefix}/lib/polkit-1/polkitd

  

  # see upstream docs for why these permissions are necessary

- %attr(4755,root,root) %{_bindir}/pkexec

  %attr(4755,root,root) %{_prefix}/lib/polkit-1/polkit-agent-helper-1

  

+ %files pkexec

+ # see upstream docs for why these permissions are necessary

+ %attr(4755,root,root) %{_bindir}/pkexec

+ %{_datadir}/man/man1/pkexec*

+ 

  %files devel

  %{_libdir}/lib*.so

  %{_libdir}/pkgconfig/*.pc
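Review bot: `%files pkexec` ships the setuid-root `%attr(4755,root,root) %{_bindir}/pkexec` and its man page but no license file, and `COPYING` is listed only in the main `%files` section. Since `%package pkexec` as declared does not require the main package, add `%license COPYING` to this section.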
@@ -176,6 +194,10 @@ 

  %{_libdir}/girepository-1.0/*.typelib

  

  %changelog

+ * Mon Feb 14 2022 Timothée Ravier <tim@siosm.fr> - 0.120-4

+ - Make polkit-pkla-compat a Recommends

+ - Move pkexec to a subpackage with a Recommends

+ 

  * Wed Jan 26 2022 Timothée Ravier <tim@siosm.fr> - 0.120-3

  - Fix for CVE-2021-4034

  

polkit-pkla-compat has an old style /var /etc split (instead of /usr &
/etc) and is not needed anymore in most cases. Making it Recommends
keeps it installed and available by default, until we formally decide to
drop support for it, while enabling users to test removing it.

(I’m no longer working in this area and this is clearly not my decision.)

IMHO making polkit-pkla-compat optional is seriously risky. The configuration can contain “if user=foo deny” entries, and silently ignoring those configuration files can break the security of the system. Is that risk ever worth the 84 kB, or whatever the cost is? If the process creation overhead is too much, integrate the code back into the main polkit process.

I don’t know that there is a reasonable migration path for dropping support for the old config format at all: the most plausible might be to just drop the support without any kind of optionality, and refuse any non-root polkit actions if any old-format configuration exists, forcing the administrators to migrate before allowing any unprivileged users. OTOH would certainly break some users and it would make it hard for them to recover other than wipe+reinstall.

And from yet another perspective, various users are (rightly) unhappy with the use of JavaScript with the new rules. If JavaScript were ever to be removed (the migration path concern is exactly the same, and) what would be the alternative? Returning to the old polkit-pkla-compat syntax seems one of the most plausible candidates, IIRC it would save Debian from any migration pain, at least.
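An added example, not part of the comment above or of the polkit project: a Python audit that lists the old-format .pkla entries which deny access or demand authentication, so an administrator can see what would stop being enforced before removing polkit-pkla-compat. The two root directories are assumed to be the stock locations.

```python
import configparser
from pathlib import Path

# Directories polkit-pkla-compat reads by default (assumption: stock paths).
PKLA_ROOTS = ("/etc/polkit-1/localauthority", "/var/lib/polkit-1/localauthority")
RESULT_KEYS = ("ResultAny", "ResultInactive", "ResultActive")
# "no" denies outright; auth_* demand authentication and may tighten an
# action whose default is more permissive. Both need review before removal.
RESTRICTIVE = {"no", "auth_self", "auth_admin", "auth_self_keep", "auth_admin_keep"}


def restrictive_entries(path):
    """Parse one .pkla file; return a list of dicts for restrictive entries."""
    cp = configparser.RawConfigParser(
        delimiters=("=",), comment_prefixes=("#",), strict=False)
    cp.optionxform = str  # pkla keys are case-sensitive
    try:
        cp.read_string(Path(path).read_text(encoding="utf-8", errors="replace"))
    except configparser.Error as exc:
        # An unparseable file still needs a human look: report it, do not skip it.
        return [{"file": str(path), "section": None, "error": type(exc).__name__}]
    found = []
    for section in cp.sections():
        results = {k: cp.get(section, k).strip() for k in RESULT_KEYS
                   if cp.has_option(section, k)}
        hits = {k: v for k, v in results.items() if v in RESTRICTIVE}
        if hits:
            found.append({
                "file": str(path), "section": section,
                "identity": cp.get(section, "Identity", fallback=""),
                "action": cp.get(section, "Action", fallback=""),
                "results": hits,
            })
    return found


def scan(roots=PKLA_ROOTS):
    """Collect restrictive entries from every *.pkla file under the given roots."""
    entries = []
    for root in roots:
        for path in sorted(Path(root).rglob("*.pkla")):
            entries.extend(restrictive_entries(path))
    return entries


if __name__ == "__main__":
    for entry in scan():
        print(entry)
```

An empty result means no restrictive old-format entry was found under the scanned roots; any reported entry or parse error should be migrated or reviewed before the compatibility package is removed.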

OK, those are valid points, so I think we need a broader discussion and probably a Change Request, so I will work on that. Thanks for the feedback.

rebased onto 4c995b2

2 years ago

> silently ignoring those configuration files can break the security of the system

Oops, that sounds like a blocker for this feature.

Pull-Request has been closed by siosm

7 months ago