Re: Security
Hi.
On Sun, Jan 30, 2022 at 02:39:14PM +0100, Andrei POPESCU wrote:
> On Du, 30 ian 22, 15:54:17, Reco wrote:
> > On Mon, Jan 31, 2022 at 01:36:06AM +1300, Richard Hector wrote:
> > > On 29/01/22 04:17, Vincent Lefevre wrote:
> > >
> > > > Servers shouldn't have pkexec installed in the first place, anyway.
> > > >
> > >
> > > libvirt-daemon-system depends on policykit-1.
> > >
> > > Should that not be on my (kvm) server either?
> >
> > Many years ago exactly this was disputed in #768376.
> > Long story short - the only reason libvirt-daemon-system depends on
> > policykit-1 is because GNOME users could be confused if it does not.
>
> As far as I can tell the Maintainer's stance (in 2014) was:
>
> Having polkit installed and doing nothing (for people switching to
> socke based permission checks) is IMHO a better service to our users
> than having all the bugs for people installing without recommends (and
> there are many of those)
>
>
> How does "people installing without recommends" translate to "GNOME
> users" is beyond me,
Easy. Look closely at two graphical frontends to libvirt they provide in
main archive.
Now ask yourself - would I need these on a server? Who would need to use
these?
> considering that GNOME users would have policykit-1
> installed anyway (as a dependency of GNOME) and they are much less
> likely to disable installation of Recommends in the first place.
Back in '14 that was not universal axiom. Things have changed since then
somewhat though.
> As written in message #80 circumstances have changed, maybe the
> Maintainer will reconsider.
Possibly, although unlikely. I mean, it was a wishlist priority bug,
after all.
My point in all this - PolicyKit was redundant on a typical server back
then, and by large it still is. Even if your server has libvirt,
although in this case some assembly is required.
Reco
Reply to:
- References:
- Security
- From: Polyna-Maude Racicot-Summerside <debian@polynamaude.com>
- Re: Security
- From: Nate Bargmann <n0nb@n0nb.us>
- Re: Security
- From: Andrei POPESCU <andreimpopescu@gmail.com>
- Re: Security
- From: Nicholas Geovanis <nickgeovanis@gmail.com>
- Re: Security
- From: Vincent Lefevre <vincent@vinc17.net>
- Re: Security
- From: Richard Hector <richard@walnut.gen.nz>
- Re: Security
- From: Reco <recoverym4n@enotuniq.net>
- Re: Security
- From: Andrei POPESCU <andreimpopescu@gmail.com>