'Re: CVE-2021-4034: why is pkexec still a thing?'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       fedora-devel-list
Subject:    Re: CVE-2021-4034: why is pkexec still a thing?
From:       Adam Williamson <adamwill () fedoraproject ! org>
Date:       2022-01-31 19:39:38
Message-ID: e63a2c28b6dbdf8546ba9e82389d3d4e38eb2ab6.camel () fedoraproject ! org
[Download RAW message or body]

On Mon, 2022-01-31 at 16:00 +0100, Miroslav Suchý wrote:
> Dne 27. 01. 22 v 0:18 Adam Williamson napsal(a):
> > BTW, bonus follow-up to this: as part of researching the background of
> > polkit, I noticed that we never actually entirely got done moving off
> > usermode:(  There are still over a dozen packages in the distro that
> > require it:
> 
> Moving off to where?

To polkit, was the original intention. That's what the Feature says:
https://fedoraproject.org/wiki/Features/UsermodeMigration

> FYI there is tracking bug
> 
> [Tracker] Deprecate consolehelper and switch apps to use PolicyKit 1 for Fedora 12
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=502765

Yes, I know, it's the tracker bug for the above feature :)
> 
> but lots of the bugs are closed as DEFERED or WONTFIX.

Yes, I know, check who closed them and when ;) Several of them were
"me, last week". But there are several I had to leave open because I
verified the package was still in the distro and still using
consolehelper, and several tools for which either a bug was never
filed, or it was closed without the migration being done, or they
started using consolehelper later.
> 
> I tried to migrate Mock out of consolehelper
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=502749
> https://github.com/rpm-software-management/mock/issues/684

Aha, mock was actually the big one on the list that I wondered about,
so thanks for filling that in.
> 
> but very soon I discovered that documentation of PolicyKit is nearly non-existent. \
> At least, it is not sufficient to do  the migration. After reading the code I found \
> that it is likely missing functionality of consolehelper. 
> I had a discussion with maintainer of PolicyKit and we both come conclusion that \
> PolicyKit stopped in the middle of  nowhere and for me and Mock is better to stay \
> with consolehelper. 
> Does the situation have changed?

I don't know. I can't tell from the above what documentation or
functionality you're missing, and that info doesn't seem to be in the
ticket or bug you linked either (except a very vague mention of needing
"to handle ENV".) I don't know when your conversations and research
took place, so it's hard to say what's changed since.

polkit's maintainer has changed twice (I think) since the time this
feature was introduced, it's currently Jan Rybar. The current polkit
documentation is at
https://www.freedesktop.org/software/polkit/docs/latest/ .
-- 
Adam Williamson
Fedora QA
IRC: adamw | Twitter: adamw_ha
https://www.happyassassin.net

_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
 Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic