Fedora 37 Looks To Make pkexec Optional For Improved Security

Following the nasty local privilege escalation vulnerability that was disclosed last month for Polkit's pkexec, Fedora developers are hoping to make pkexec optional later this year with Fedora 37.

A new change proposal was submitted this past week for splitting Pkexec from the Polkit package and also moving polkit-pkla-compat into its own sub-package too. Thus for Fedora 37 desktop users not needing Pkexec around, it can be avoided.

This move comes after the PwnKit disclosure from January for Pkexec allowing local privilege escalation. The issue can be easily exploited and allows unprivileged users to gain full root privileges.

Pkexec can be used for executing a command as another user but for programs needing root access there is ideally better ways to handle it rather than running the entire program as root.

Fedora's change proposal would make pkexec as an optional sub-package of Polkit. Pkexec isn't needed these days for the correct functionality on most servers and desktops. While there are patches since January to Pkexec, since it's less needed these days the hope is to simply avoid it where possible moving forward.