questions about pkexec
David Zeuthen
david at fubar.dk
Mon Nov 30 08:53:46 PST 2009
On Sat, 2009-11-28 at 01:32 +0300, Vladislav Zavjalov wrote:
> Is there a reason why pkexec is a suid root helper now,
> not a client-mechanism pair (as proposed for such purposes
> in the polkit manpage)?
Simply because there is not benefit of splitting this into a
daemon/client - I mean, all that pkexec does is to exec a process after
checking for authorization - it's really not a lot of code.
> Do you plan to allow pkexec to work with X11 programs,
Kinda-sorta - to be honest I'm still on the fence on this.
On one side, modern distros shouldn't ship apps needing this - I even
think Fedora's default install (except for the installer maybe) doesn't
have any left.
On the other side there's a bunch of programs that need this and asking
people to log in as root (via e.g. fast-user-switching) isn't really a
satisfying answer.
So I don't really know.
FWIW, this topic is discussed in this bug
https://bugs.freedesktop.org/show_bug.cgi?id=23673
which references https://bugs.freedesktop.org/show_bug.cgi?id=17970#c26
that has a lot of discussion about this - specifically to make things
appear to work you need to also allow the uid0-app to communicate with
the session bus. Tough problem.
> obtaining trusted X11 environment from the ConsoleKit
> session?
I'm not sure exactly what this means.
Thanks,
David
More information about the polkit-devel
mailing list