Fedora 37 Looks To Make pkexec Optional For Improved Security

  • #21
    Originally posted by cl333r

    Yeah, I get the overall picture, but it's strange to me that while all other software (including the Linux kernel and all browsers) regularly fix security holes yet nobody is trying to replace them, or drop them by default.
    Because pkexec is nowhere comparable to the Linux kernel or a browser obviously. I don't get your confusion at all.



    • #22
      Originally posted by cl333r
      Yeah, I get the overall picture, but it's strange to me that while all other software (including the Linux kernel and all browsers) regularly fix security holes yet nobody is trying to replace them, or drop them by default.
      When security issues exist, browsers most certainly do disable support. For example, most browsers have started to implement a local CORS policy to block vulnerabilities.



      • #23
        Originally posted by RahulSundaram

        In general, the issue isn't that Linux counterparts are terrible, the issue is that the Linux development model is much more distributed, it is not a single operating system managed by one entity, it's a plethora of solutions that are managed by different possibly competing interests with different use cases that they want to manage. Distributed development models lead to less fundamental forks like in the BSD space but it can take a while to find a leading solution and in some cases, there isn't a strong leading contender and we live with multiple solutions. There are just different tradeoffs to different models of development. Copying viable solutions is a good thing and it happens across the board.
        You can do all these things with systemd service units. No need to change anything in the application, no matter if it's C, C++, Python or Bash based.

        If you want to give an application a single capability that normally requires root, just use CapabilityBoundingSet.

        Limiting access to the filesystem is controlled by InaccessiblePaths, ReadOnlyPaths, ReadWritePaths, ProtectSystem, ProtectHome, etc.

        See more here:



        Basically you can do anything containers can and much more with systemd.

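The directives named in post #23, combined in one service unit. This is an added example, not part of the original thread and not taken from any project; the unit name, binary path, user and directories are hypothetical placeholders.

```ini
# /etc/systemd/system/example-daemon.service  (hypothetical unit)
[Unit]
Description=Example daemon bound to a privileged port without running as root

[Service]
# Hypothetical binary and service account; the account must already exist.
ExecStart=/usr/local/bin/example-daemon
User=exampled
Group=exampled

# CapabilityBoundingSet only limits what the process tree can ever hold.
# For a non-root User=, the capability also has to be granted, which is
# what AmbientCapabilities does.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE

# Block regaining privileges through setuid/setgid binaries or file caps.
NoNewPrivileges=yes

# Mount the whole file system hierarchy read-only for this service,
# then open up only the state directory it has to write to.
# The path must exist before the service starts.
ProtectSystem=strict
ReadWritePaths=/var/lib/example-daemon

# Configuration is readable but never writable by the service.
ReadOnlyPaths=/etc/example-daemon

# Hide user home directories and boot files entirely.
ProtectHome=yes
InaccessiblePaths=/boot

# Private /tmp and /var/tmp, not shared with other processes.
PrivateTmp=yes

[Install]
WantedBy=multi-user.target
```

Running `systemd-analyze security example-daemon.service` lists which sandboxing options the unit still leaves open.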


        • #24
          Originally posted by baxeno

          You can do all these things with systemd service units. No need to change anything in the application, no matter if it's C, C++, Python or Bash based
          ...
          Basically you can do anything containers can and much more with systemd.
          I introduced systemd in Fedora and was the original maintainer for a while, so I am very well aware of systemd capabilities, however it is incorrect to say application level privilege separation need not exist because systemd has some related security hardening features. They work at different levels and it is better to have both.
