
nixos/polkit: Disable pkexec by default #157120

Closed
dasJ wants to merge 1 commit into NixOS:master from helsinki-systems:feat/disable-pkexec

dasJ (Member) commented Jan 28, 2022

Motivation for this change

Reduce attack surface.
This is not really tested yet which is why it's a draft.

Things done
  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 22.05 Release Notes (or backporting 21.11 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
    • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
  • Fits CONTRIBUTING.md.

@github-actions github-actions bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: changelog This PR adds or changes release notes 8.has: documentation This PR adds or changes documentation 8.has: module (update) This PR changes an existing module in `nixos/` labels Jan 28, 2022
@dasJ dasJ requested a review from mweinelt January 28, 2022 10:43
@ofborg ofborg bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. labels Jan 28, 2022
rnhmjoj (Contributor) commented Jan 28, 2022

Off the top of my head, this is used by:

  • xorg.xf86videointel to control backlight (if xf86-video-intel-backlight-helper is not setuid)
  • programs.gamemode
  • probably lots of GUI stuff from GNOME and KDE.

mweinelt (Member) commented Jan 28, 2022

Then they should be responsible for enabling it. 🤷 And by it I mean polkit in its entirety, but we're still discussing details over in #156858.

@dasJ dasJ closed this Mar 27, 2022
@dasJ dasJ deleted the feat/disable-pkexec branch March 27, 2022 15:56