pkexec vs kdesu

[Harald Sitter]

On Sun, Nov 23, 2014 at 4:50 PM, David Edmundson
<david at davidedmundson.co.uk> wrote:
> That said, polkit is totally the way forward and anything using kdesu should
> be ported.

I think the biggest concern is our custom desktop entry allowing *any*
third party developer to leverage the power of kdesu and easily
elevate their entire application into su mode, which is bad in of
itself, it's worse considering that we allow anyone to do it as long
the user authorizes the elevation (which given the sparseness of
kdesu's dialog I am not sure most user even understand).

There's three ways to move forward on this.

1) X-KDE-SubstituteUID would be implemented through pkexec, assuming
pkexec somehow gains the ability to pass GUI env vars along without
requiring an explicit policy file per application.

2) X-KDE-SubstituteUID would still use kdesu but kdesu gets turned
into a GUI based on polkit (i.e. kdesu becomes an alternative to
pkexec) implementing what we need/want in a safe fashion.

3) X-KDE-SubstituteUID gets deprecated, dropped with frameworks 6 in
the future, and applications are expected to implement privilege
elevation themselves.

Number 3 to be honest sounds loveliest to me. Passing the entire
environment along is a security concern, passing parts of it along is
less of a concern, passing heavily selective parts along is even less
of a concern.

If an application developer thinks their application needs to be
entirely run with elevated privileges and they can make it work
properly within the confines of pkexec's environment, then the
solution is but a policy file and `Exec=pkexec foo` away. If not, then
they probably shouldn't run the entire application elevated anyway.

HS