Hello all, a recent (mostly cosmetical) bug report [1] made me aware that we currently query polkit for a lot of systemctl enable/daemon-reload/etc. calls from package maintainer scripts. At least in Debian, installing a package with a .service usually does something like "systemctl enable/start foo", and installing a package with a SysV script runs "systemctl daemon-reload" to pick up the new init script.
In all those cases systemctl is guaranteed to run as root, and any potential interactive PK prompt would be totally unexpected -- because of root, and because package installation is supposed to be non-interactive and not hang. So this introduces a potentially unreliable moving part and also assumes that polkit actually works all the time (cf. package upgrades). My initial response was to propose some patches that all "systemctl" commands from maintainer scripts will be done with --no-ask-password. However, this would require rebuilding a lot of packages, and I would guess this affects other distribuions in some way too? A more upstreamable approach would be to not query polkit at all if geteuid() == 0. Is there any legit scenario where root would be denied running systemctl directly, but a polkit rule would allow it nevertheless? In such a scenario, is it really legit to get an interactive PK auth prompt for something like "systemctl enable foo" when installing package foo? Thanks for opinions, Martin [1] https://launchpad.net/bugs/1565617 -- Martin Pitt | http://www.piware.de Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)
signature.asc
Description: PGP signature
_______________________________________________ systemd-devel mailing list systemd-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/systemd-devel