NixOS · dasJ · Jan 28, 2022
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
@@ -228,6 +228,14 @@
           removed due to it being an outdated version.
         </para>
       </listitem>
+      <listitem>
+        <para>
+          The polkit module now disables the <literal>pkexec</literal>
+          setuid wrapper by default because it introduces an additional
+          attack surface. It can be re-enabled using
+          <literal>security.polkit.enablePkexec</literal>.
+        </para>
+      </listitem>
       <listitem>
         <para>
           The <literal>mailpile</literal> email webclient

diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md
@@ -78,6 +78,8 @@ In addition to numerous new and upgraded packages, this release has the followin
 
 - `services.kubernetes.addons.dashboard` was removed due to it being an outdated version.
 
+- The polkit module now disables the `pkexec` setuid wrapper by default because it introduces an additional attack surface. It can be re-enabled using `security.polkit.enablePkexec`.
+
 - The `mailpile` email webclient (`services.mailpile`) has been removed due to its reliance on python2.
 
 - The MoinMoin wiki engine (`services.moinmoin`) has been removed, because Python 2 is being retired from nixpkgs.

diff --git a/nixos/modules/programs/gamemode.nix b/nixos/modules/programs/gamemode.nix
@@ -53,7 +53,10 @@ in
     };
 
     security = {
-      polkit.enable = true;
+      polkit = {
+        enable = true;
+        enablePkexec = true;
+      };
       wrappers = mkIf cfg.enableRenice {
         gamemoded = {
           owner = "root";

diff --git a/nixos/modules/security/polkit.nix b/nixos/modules/security/polkit.nix
@@ -18,6 +18,8 @@ in
       description = "Whether to enable PolKit.";
     };
 
+    security.polkit.enablePkexec = lib.mkEnableOption "the pkexec setuid binary";
+
     security.polkit.extraConfig = mkOption {
       type = types.lines;
       default = "";
@@ -83,7 +85,7 @@ in
     security.pam.services.polkit-1 = {};
 
     security.wrappers = {
-      pkexec =
+      pkexec = lib.mkIf cfg.enablePkexec
         { setuid = true;
           owner = "root";
           group = "root";