Talk:Polkit

Name Change
There's a [by whom?] tag on the sentence "Since version 0.105, released in 2015[2] the name of the project was changed[by whom?] from PolicyKit to polkit [..]". This seems completely unnecessary to me. It is obvious that when a project changes its name, the name was changed "by" the project. There's no good way to ascribe a group decision like that to any individual, nor do I see what the point would be of doing so. If there are no arguments against it, I'm going to remove that tag.


 * Either the name change is not universal or there is a fork. Debian has policykit-1 and no polkit. John Talbut (talk) 14:43, 13 April 2018 (UTC)


 * Debian doesn't ship updates that break backward compatibility. So there is a "grave"-Bug in PolKit that it breaks backward compatibility. As long as there is no solution for this problem, like migration scripts, Debian will likely stay on the old PolicyKit version. IMHO it doesn't hurt. Changes were appreciated mostly by the devs themselves, not so much by most users or admins who have to migrate all their scripts and have to learn another not very easy to (securely) master language. --2001:7C0:3006:301D:921B:EFF:FEE0:7EBB (talk) 09:23, 7 August 2020 (UTC)

Details
This desperately needs expansion with more details, as well as a tie-in to other related articles and how-to links. It is missing a connection to basic authorization and permissions articles. - KitchM (talk) 02:54, 7 March 2010 (UTC)

Linus Torvalds about polkit
"Whoever moron thought that it's "good security" to require the root password for everyday things like this is mentally diseased." https://plus.google.com/+LinusTorvalds/posts/1vyfmNCYpi5 — Preceding unsigned comment added by 144.85.187.234 (talk) 19:34, 9 November 2012 (UTC)


 * It's definitely a design intended for easy desktop use by beginner users, and possibly partly inspired from systems like Apple/NetBSD kauth and other MAC (Mandatory Access Control) and Java policies, but limited to a higher level scope. Seasoned Unix sysadmins and systems programmers may consider this pervasive (like sudo, extensive setuid usage, and to some extent, dbus, RPC with privilege separation, xrandr, etc), to be a type of "controlled privilege escalation" or "controlled security hole", even if it's poked through some preferences (which might also be security-suboptimal using the distribution-supplied defaults).  This is information which could be added, but we also need to find references and properly present this in an objective enough way that does not sound too much like a rant :)  76.10.128.192 (talk) 02:04, 29 March 2013 (UTC)

Last revert
This one: [Nov 8, 2021, 24:42]; may be rescued. It has valuable information. Best. AXO NOV (talk) ⚑ 08:51, 27 January 2022 (UTC)

Logged-in
- «Vulnerability: Logged-in is not necessary and not cited by the primary refs (could be a cron job, etc). Non-technical newspaper ref is redundant and just copied from primary authority refs already cited. Citations needed are plainly given in the existing refs.»
 * I propose we keep the WP:SECONDARY source. I don't think it's redundant. Root that runs the cron job daemon is not assumed to be a malicious user in the first place. AXO NOV (talk) ⚑ 09:52, 27 January 2022 (UTC)
 * The secondary source is very poorly written in that it is just a general news article lifting statements from other technical sources without comprehension. There are numerous ways that a user can run processes without being logged in, so logged-in is not necessary.  The news-writer doesn't seem to understand that you can be logged-in, but don't have to be. This is why none of the primary sources even mention logged-in. Richard J Kinch (talk) 10:03, 29 January 2022 (UTC)

Citation already given, not needed
I have removed the citation-needed tags placed by because the existing citations are literally stating these factors. The qualys.com ref says, "This vulnerability has been hiding in plain sight for 12+ years and affects all versions of pkexec since its first version in May 2009". The zdnet.com ref says, "An unprivileged local user can exploit this vulnerability to get full root privileges. Although this vulnerability is technically a memory corruption, it is exploitable instantly and reliably in an architecture-independent way. And, last but not least, it's exploitable even if the polkit daemon itself is not running." Richard J Kinch (talk) 10:03, 29 January 2022 (UTC)
 * No citations given. You are supposed to provide them per every statement I've requested sources for. Put zdnet sources after statements, don't simply remove tags. Regards. AXO NOV  (talk) ⚑ 10:26, 29 January 2022 (UTC)
 * The identical cite is to be repeated at the end of every sentence in a paragraph? That can't be a proper style. You can draw more than one statement from a single ref. The first sentence gets the ref; the others not.  Please refer me to the Manual of Style if I am mistaken. Richard J Kinch (talk) 15:55, 29 January 2022 (UTC)
 * WP:PROVEIT AXO NOV  (talk) ⚑ 16:20, 29 January 2022 (UTC)
 * I quoted the citations above, precisely the citations which I have inserted inline in the article. Richard J Kinch (talk) 03:40, 31 January 2022 (UTC)
 * Citations should be given after a statement, not just before even if it's relevant. AXO NOV  (talk) ⚑ 08:42, 1 February 2022 (UTC)
 * The lead sentence in a paragraph giving the citation once is sufficient. Follow-on sentences in the same paragraph do not need redundant refs that just repeat what a previous sentence gave. Otherwise every sentence in the encyclopedia is going to be cluttered with redundant refs. You can write one or more paragraphs based on a single citation and ref, with any number of follow-on statements that expand on details. Perhaps you're confusing "citations" with "references". The citation-needed tag (WP:FAILV) is for statements lacking citations, which is not at all the case here where every statement is well sourced. Richard J Kinch (talk) 10:43, 2 February 2022 (UTC)