From Fedora Project Wiki
m (Update)
(Change rejected by FESCo)
 
(6 intermediate revisions by 3 users not shown)
Line 5: Line 5:


== Owner ==
== Owner ==
* Name: [[User:Siosm| Timothée Ravier]]
* Name: [[User:Siosm| Timothée Ravier]], Jan Rybar
* Email: siosm@fedoraproject.org
* Email: siosm@fedoraproject.org, jrybar@redhat.com
<!--- UNCOMMENT only for Changes with assigned Shepherd (by FESCo)
<!--- UNCOMMENT only for Changes with assigned Shepherd (by FESCo)
* FESCo shepherd: [[User:FASAccountName| Shehperd name]] <email address>
* FESCo shepherd: [[User:FASAccountName| Shehperd name]] <email address>
Line 13: Line 13:
== Current status ==
== Current status ==
[[Category:ChangePageIncomplete]]
[[Category:ChangePageIncomplete]]
<!-- When your change proposal page is completed and ready for review and announcement -->
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler -->
<!-- The Wrangler announces the Change to the devel-announce list and changes the category to Category:ChangeAnnounced (no action required) -->  
<!-- The Wrangler announces the Change to the devel-announce list and changes the category to Category:ChangeAnnounced (no action required) -->  
<!-- After review, the Wrangler will move your page to Category:ChangeReadyForFesco... if it still needs more work it will move back to Category:ChangePageIncomplete-->
<!-- After review, the Wrangler will move your page to Category:ChangeReadyForFesco... if it still needs more work it will move back to Category:ChangePageIncomplete-->
Line 30: Line 28:
ON_QA -> change is fully code complete
ON_QA -> change is fully code complete
-->
-->
* FESCo issue: <will be assigned by the Wrangler>
* [https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/5ICEGIHH6BPMHA5IALHL7RYZRV2BWYCF/ devel thread]
* FESCo issue: [https://pagure.io/fesco/issue/2766 #2766]
* Tracker bug: <will be assigned by the Wrangler>
* Tracker bug: <will be assigned by the Wrangler>
* Release notes tracker: <will be assigned by the Wrangler>
* Release notes tracker: <will be assigned by the Wrangler>
Line 36: Line 35:
== Detailed Description ==
== Detailed Description ==


`pkexec` and `pkla-compat` ([https://src.fedoraproject.org/rpms/polkit-pkla-compat package]) are legacy tools that are no longer needed on a desktop and increase the attack surface as they are SetUID binaries (`pkexec`) or not maintained anymore (`pkla-compat`).
The `pkexec` tool is an optional tool that is no longer required for the correct function of most server and desktop environments. This is also a SetUID binary.


This change will thus split `pkexec` from the polkit package and make it a recommended only sub-package. Similarly, it will make the polkit-pkla-compat package a recommended package too. This will enable users and desktop no longer relying on those features to avoid installing them. Users that still need those features will easily be able to install them.
The `polkit-pkla-compat` [https://src.fedoraproject.org/rpms/polkit-pkla-compat package] is a legacy compatibility package that is no longer maintained.
 
This change will split `pkexec` from the polkit package and make it a recommended-only sub-package. Similarly, it will make the `polkit-pkla-compat` package a recommended package too.
 
This will enable users and desktop no longer relying on those features to avoid installing them. Users that still need those features will easily be able to install them.
 
If we end up confident that we will not break the default user experience, we can make those packages fully optional so that they are not installed by default anymore.


See in progress PR: https://src.fedoraproject.org/rpms/polkit/pull-request/2
See in progress PR: https://src.fedoraproject.org/rpms/polkit/pull-request/2
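Review bot: In the rewritten first paragraph, "This is also a SetUID binary" no longer says why that matters; the sentence it replaces stated that these tools "increase the attack surface". Keep that reason next to the SetUID statement. In the paragraph starting "This will enable", "users and desktop" should read "users and desktop environments", matching the wording the Scope section now uses.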
Line 50: Line 55:
== Benefit to Fedora ==
== Benefit to Fedora ==


Increased security, less legacy software installed by default, moving to a more secure desktop by default.
Less SetUID binaries and less legacy software installed by default. Moving to a more secure desktop by default.


== Scope ==
== Scope ==
* Proposal owners:
* Proposal owners:
** Test as many desktop as possible and add the new dependencies for the packages requiring either pkla-compat rules support or pkexec.
** Test as many desktop environments as possible and add the new dependencies for the packages requiring either polkit-pkla-compat rules support or pkexec.
<!-- What work do the feature owners have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
<!-- What work do the feature owners have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->


* Other developers: <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
* Other developers:
<!-- What work do other developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
** Test as many desktop environments as possible and add the new dependencies for the packages requiring either polkit-pkla-compat rules support or pkexec.


* Release engineering: [https://pagure.io/releng/issues #Releng issue number] <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
* Release engineering: [https://pagure.io/releng/issues #Releng issue number] <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
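Review bot: The new "Other developers" bullet repeats the "Proposal owners" bullet word for word, so it does not tell maintainers of other packages what is expected of them; state that packages which call pkexec or rely on pkla rules need an explicit dependency on polkit-pkexec or polkit-pkla-compat. In "Benefit to Fedora", "Less SetUID binaries" should be "Fewer SetUID binaries".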
Line 74: Line 79:
== Upgrade/compatibility impact ==
== Upgrade/compatibility impact ==


Nothing happens during upgrades for existing systems as the packages are still available and will be kept as is and the new pkexec package will be added for user not deselecting recommends.
Nothing should happen during upgrades for existing systems as the packages are still available and will be kept as is and the new polkit-pkexec package will be installed for users not deselecting recommends.


Only new installations that will not have those packages will be impacted and the risk of security issues with the pkla rules removal is low.
Only new installations that will not have those packages will be impacted and the risk of security issues with the pkla rules removal is low.
Line 80: Line 85:
== How To Test ==
== How To Test ==


Install the latest polkit, remove pkexec subpackage and pkla-compat package and ensure that your application and desktop environment are still working as intended.
# Install the polkit package from https://copr.fedorainfracloud.org/coprs/siosm/polkit/
# Remove the polkit-pkexec sub-package and polkit-pkla-compat package
# Ensure that your applications and desktop environment are still working as intended. Focus on applications that require privileges.


== User Experience ==
== User Experience ==
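Review bot: Step 2 of the new numbered list names the packages to remove but gives testers no way to confirm the removal took effect before they start step 3; add a check such as `rpm -q polkit-pkexec polkit-pkla-compat` reporting both as not installed. Step 3 should also ask testers to report the name of any application that fails, so the missing dependency can be added as the Scope section requires.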

Latest revision as of 17:23, 5 April 2022

Make pkexec and pkla-compat optional

Summary

Split pkexec from the polkit package and make it a recommended-only sub-package. Similarly, make the polkit-pkla-compat package a recommended package too. This will enable users and desktop environments that no longer rely on those features to avoid installing them.

Owner

  • Name: Timothée Ravier, Jan Rybar
  • Email: siosm@fedoraproject.org, jrybar@redhat.com

Current status

  • Targeted release: Fedora Linux 37
  • Last updated: 2022-04-05
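  • devel thread: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/5ICEGIHH6BPMHA5IALHL7RYZRV2BWYCF/
  • FESCo issue: #2766 (https://pagure.io/fesco/issue/2766)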
  • Tracker bug: <will be assigned by the Wrangler>
  • Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

The pkexec tool is optional: it is no longer required for the correct functioning of most server and desktop environments. It is also a SetUID binary.

The polkit-pkla-compat package is a legacy compatibility package that is no longer maintained.

This change will split pkexec from the polkit package and make it a recommended-only sub-package. Similarly, it will make the polkit-pkla-compat package a recommended package too.

This will enable users and desktop environments that no longer rely on those features to avoid installing them. Users who still need those features will easily be able to install them.

If we end up confident that we will not break the default user experience, we can make those packages fully optional so that they are not installed by default anymore.

See in progress PR: https://src.fedoraproject.org/rpms/polkit/pull-request/2

Feedback

Related discussion in https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/ZDZACAMG2E3P4K4P2CVBQ3XBBZ7CYSXA/#Q6EK5NXFV5GEMW3RFTXIWT4NVNDKYKLG

Benefit to Fedora

Fewer SetUID binaries and less legacy software installed by default, moving to a more secure desktop by default.

Scope

  • Proposal owners:
    • Test as many desktop environments as possible and add the new dependencies for the packages requiring either polkit-pkla-compat rules support or pkexec.
  • Other developers:
    • Test as many desktop environments as possible and add the new dependencies for the packages requiring either polkit-pkla-compat rules support or pkexec.
  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with Objectives:

Upgrade/compatibility impact

Nothing should happen during upgrades of existing systems: the packages are still available and will be kept as is, and the new polkit-pkexec package will be installed for users who have not deselected recommends.

Only new installations that will not have those packages will be impacted, and the risk of security issues with the pkla rules removal is low.

How To Test

  1. Install the polkit package from https://copr.fedorainfracloud.org/coprs/siosm/polkit/
  2. Remove the polkit-pkexec sub-package and polkit-pkla-compat package
  3. Ensure that your applications and desktop environment are still working as intended. Focus on applications that require privileges.
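
A pre-removal audit to support the steps above, added here as an example; it is not part of the Change page or of the polkit packaging. It reports a SetUID pkexec, desktop launchers whose Exec= line calls pkexec, and legacy .pkla files that need polkit-pkla-compat. The function names and the scanned paths (/usr/bin/pkexec, /usr/share/applications, the two localauthority directories) are assumptions about a standard Fedora layout.

```shell
#!/bin/sh
# Added example (not from the Change page). Each function takes an optional
# root prefix so it can run against a test tree; empty means the live system.
# All paths below are assumed standard Fedora locations.

# Succeeds when a pkexec binary carrying the SetUID bit is present.
pkexec_is_setuid() {
    [ -u "${1:-}/usr/bin/pkexec" ]
}

# Prints desktop launchers whose Exec= line invokes pkexec.
find_pkexec_launchers() {
    dir="${1:-}/usr/share/applications"
    [ -d "$dir" ] || return 0
    grep -lE '^Exec=(.*[[:space:]/])?pkexec([[:space:]]|$)' \
        "$dir"/*.desktop 2>/dev/null | sort
}

# Prints legacy .pkla authorization files; polkit only honours these
# while polkit-pkla-compat is installed.
find_pkla_rules() {
    for base in /etc/polkit-1/localauthority /var/lib/polkit-1/localauthority; do
        if [ -d "${1:-}$base" ]; then
            find "${1:-}$base" -type f -name '*.pkla'
        fi
    done | sort
}

# Prints findings; returns 1 when something still depends on either package.
polkit_audit() {
    root="${1:-}"
    rc=0
    if pkexec_is_setuid "$root"; then
        echo "SetUID pkexec is installed"
    fi
    launchers=$(find_pkexec_launchers "$root")
    rules=$(find_pkla_rules "$root")
    if [ -n "$launchers" ]; then
        printf 'Launchers that call pkexec:\n%s\n' "$launchers"
        rc=1
    fi
    if [ -n "$rules" ]; then
        printf '.pkla rules that need polkit-pkla-compat:\n%s\n' "$rules"
        rc=1
    fi
    return "$rc"
}

# Run against the live system with: sh audit.sh --run
if [ "${1:-}" = "--run" ]; then polkit_audit ""; fi
```

The launcher scan only covers .desktop files; scripts and services that call pkexec directly are not detected and still need the manual testing described in step 3.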

User Experience

N/A

Dependencies

N/A

Contingency Plan

Revert the change.

Documentation

N/A (not a System Wide Change)

Release Notes

TODO