On Wed, 14 Dec 2016, Samuel Williams wrote: [...]
> The nice thing about sudo is that it is a general framework that is well tested, well documented, and works everywhere... polkit, less so. Even with the best of intentions, looking at how well people have managed to script security features (e.g. look at the whole Ethereum contract fiasco), stuff in that PR makes me a bit worried. What's the chance someone screws up a security rule? JavaScript is only a small step up from PHP in terms of semantic rigour, so I'd be concerned about that too.
Well, given I opened the PR, I'd hope the chance is very low -- at least, no more than sudo. At least the JavaScript is given a minimal standard library, it's sandboxed and run as an unprivileged user. :-p
I always think the problem with sudo is that it turns "mere bugs" into security vulnerabilities. systemctl was designed to be run both by root and by users -- but if there's a bug in it, then such a bug does not on its own grant users any more privileges than they would have normally. It wasn't designed to be run _as_ root _by_ a user; so using systemctl through sudo is effectively using it outside its design parameters.
Anyhow, this isn't really the right time or place to discuss sudo vs other authentication frameworks. I'm afraid I don't have any better suggestions though.
- Michael

_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
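For readers who have not written polkit rules, here is an added example (not from the thread, the systemd project or polkit itself) of the kind of JavaScript rule the exchange above is about, together with a small stand-in for polkitd's rule evaluation so the file runs offline. The stand-in follows the behaviour I understand from polkit's init.js (rules tried in order; the first one returning something other than undefined or `polkit.Result.NOT_HANDLED` decides; a rule that throws is skipped) and is an assumption, not polkit's code. The `unit` and `verb` details are the ones systemd attaches to `org.freedesktop.systemd1.manage-units`; the group name `webadmins`, the user names and the action objects are constructed for the demonstration.

```javascript
// Added example: a polkit rule for systemctl and a stand-in for the rules
// engine. Nothing here is code from the thread, systemd or polkit.

// Stand-in for the `polkit` global that polkitd provides to rule files.
// Assumption: mirrors init.js behaviour (first truthy return wins,
// NOT_HANDLED is null so it falls through, exceptions are skipped).
const polkit = {
  Result: {
    NO: "no", YES: "yes",
    AUTH_SELF: "auth_self", AUTH_SELF_KEEP: "auth_self_keep",
    AUTH_ADMIN: "auth_admin", AUTH_ADMIN_KEEP: "auth_admin_keep",
    NOT_HANDLED: null,
  },
  _ruleFuncs: [],
  addRule(fn) { this._ruleFuncs.push(fn); },
  _runRules(action, subject) {
    for (const fn of this._ruleFuncs) {
      let r;
      try { r = fn(action, subject); } catch (e) { r = undefined; } // buggy rule is skipped, not trusted
      if (r) return r;
    }
    return undefined; // polkitd then applies the action's own default (implicit authorization)
  },
};

// Constructed stand-ins for the Action and Subject objects a rule receives.
function makeAction(id, details) {
  return { id: id, lookup: (key) => details[key] };
}
function makeSubject(user, groups) {
  return { user: user, isInGroup: (g) => groups.includes(g) };
}

// The kind of rule the thread worries about: the author only checked the
// action id and the group, so webadmins may start/stop/restart *any* unit.
// Kept for contrast only; do not deploy it.
const broadRule = function (action, subject) {
  if (action.id == "org.freedesktop.systemd1.manage-units" &&
      subject.isInGroup("webadmins")) {
    return polkit.Result.YES;
  }
};

// Narrow rule: unit and verb are both checked (systemd supplies both as
// action details); anything else returns undefined and falls through.
const narrowRule = function (action, subject) {
  if (action.id == "org.freedesktop.systemd1.manage-units" &&
      action.lookup("unit") == "nginx.service" &&
      ["start", "stop", "restart"].includes(action.lookup("verb")) &&
      subject.isInGroup("webadmins")) {
    return polkit.Result.YES;
  }
};

// Evaluate a single rule in isolation; returns "yes", "no", ... or undefined.
function decide(rule, action, subject) {
  polkit._ruleFuncs = [];
  polkit.addRule(rule);
  return polkit._runRules(action, subject);
}

// Constructed requests: an nginx restart and an sshd stop by a webadmin.
const alice = makeSubject("alice", ["webadmins"]);
const nginxStart = makeAction("org.freedesktop.systemd1.manage-units",
                              { unit: "nginx.service", verb: "start" });
const sshdStop = makeAction("org.freedesktop.systemd1.manage-units",
                            { unit: "sshd.service", verb: "stop" });

console.log("broad  nginx start:", decide(broadRule, nginxStart, alice));  // yes
console.log("broad  sshd stop  :", decide(broadRule, sshdStop, alice));    // yes (over-broad)
console.log("narrow nginx start:", decide(narrowRule, nginxStart, alice)); // yes
console.log("narrow sshd stop  :", decide(narrowRule, sshdStop, alice));   // undefined (falls through)
```

In a real deployment only the `polkit.addRule(...)` call with the narrow rule body would go into a file under /etc/polkit-1/rules.d/; the stand-in objects exist solely so the decision logic can be exercised here. The contrast between the two rules is the point the thread makes about scripted security rules: a rule that forgets one condition fails open for every unit on the host, and nothing in the language stops that.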