comment

usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf

@@ -9,7 +9,19 @@
 /usr/bin/pkexec.security-misc-orig exactwhitelist
 
 ## TODO: research
-## match both:
-#/usr/lib/policykit-1/polkit-agent-helper-1 matchwhitelist
-#/lib/policykit-1/polkit-agent-helper-1
+## TODO: Should be handled in user-sysmaint-split?
+##
+## Required for PolicyKit (Polkit) to function.
+##
+## https://polkit-devel.freedesktop.narkive.com/zXO4yEg7/documentation-on-polkit-agent-helper-1-and-suid#
+## https://gitlab.freedesktop.org/polkit/polkit/-/issues/168
+## https://cgit.freedesktop.org/polkit/tree/src/polkitagent/polkitagenthelper-pam.c#n93
+##
+## Changing permissions here may break more than just normal privilege escalation.
+## May be safe to disable for users other than sysmaint similar to what was done with pkexec and sudo,
+## however even that might not be safe.
+##
+## matches both:
+## - /usr/lib/policykit-1/polkit-agent-helper-1
+## - /lib/policykit-1/polkit-agent-helper-1
 polkit-agent-helper-1 matchwhitelist