Critical vulnerabilities were disclosed in InputPlumber affecting Linux systems, including SteamOS.

Impact highlights:
• Insufficient D-Bus authorization
• Potential keystroke injection via virtual devices
• Local denial-of-service and information exposure

The fixes emphasize secure Polkit usage, systemd hardening, and proper privilege boundaries.

Share insights and follow @technadu for vendor-neutral security reporting.

#InfoSec #LinuxHardening #VulnerabilityResearch #Polkit #D-Bus #OpenSourceSecurity

Linux permissions go beyond chmod. Learn how groups, sudo, and modern policy systems control services, reboot, and system-level authority.

More details here: https://ostechnix.com/linux-permissions-privileges-groups-sudo/

#LinuxPermissions #LinuxPrivileges #LinuxSecurity #Linuxadmin #Linuxcommands #Linuxhowto #sudo #Polkit #Systemd

Linux Permissions and Privileges Explained: Groups, sudo, and System Control - OSTechNix

This is how to make the “Install pending software updates” checkbox go away in GNOME

If you’re using GNOME, and when you tell it you want to shut down or reboot your system it pops up a confirmation dialog with an “Install pending software update” checkbox in it, and the checkbox is checked by default, and you want to make that checkbox go away or at least be unchecked by default, then you’ve come to the right place.

There’s no perfect way to do this. Below I talk about two imperfect solutions that are available. If you think there should be an easier way, feel free to weigh in here. The GNOME developers are skeptical that anyone wants or needs this, but maybe if enough people ask for it they will reconsider.

Imperfect solution one: Open the preferences for the GNOME Software app and change “Software Updates” there from “Automatic” to “Manual”. Caveats:

  • This may only work on systems, such as Fedora-based systems, where PackageKit uses a separate update cache from the system. On APT-based systems (Debian, Ubuntu, and the like), where it appears that PackageKit uses the same update cache as the underlying APT system (as it should!), then when the updates are downloaded outside of GNOME Software, you may still see the checkbox.
  • If there were already updates downloaded before you switched from Automatic to Manual, you will get the checkbox. You need to install those updates (either through GNOME Software or with DNF or APT or whatever) and then refresh the GNOME Software Updates tab to make them go away there.
  • If you check for updates in the GNOME Software app manually and then click the Download button, you will probably get the checkbox the next time you try to shut down or restart.

Imperfect solution two: Create the file /etc/polkit-1/rules.d/99-disable-offline-update.rules, owned by user “root” and group “polkitd”, with the following contents:

    polkit.addRule(function(action, subject) {
        if (action.id == "org.freedesktop.packagekit.trigger-offline-update") {
            return polkit.Result.NO;
        }
    });

Caveat: This will disable all attempts to trigger offline updates, not just the checkbox that shows up when you try to shut down or restart your system. This means, for example, that you won’t be able to trigger “Restart and install…” updates from inside the GNOME Software app either.

#GNOME #PackageKit #Polkit
Please give us a way to disable the "Install pending software updates" checkbox in the restart and shutdown popups (#8920) · Issues · GNOME / gnome-shell · GitLab

There are people all over the internet asking, "How do I disable the 'Install pending software updates' checkbox when I tell GNOME to shutdown or restart?"


I hate debugging issues related to #polkit and #systemd. Neither of them generates log messages when shit fails and for neither of them you get useful error messages.

And you also can't just strace systemd without first setting up a minimalistic test system as otherwise you'll obviously never find what you're looking for in all of the output spam...

It could be so easy if either of these would log more than just "Access denied" (when executed as root at least...)

🚀 quickshell-polkit-agent v2.0.0 is out!

Major architectural overhaul: switched from proactive FIDO detection to a PAM-reactive model. The agent now responds to PAM prompts instead of trying to control auth flow.

What's new:
• GDM-inspired authentication state machine
• 22 integration tests with 100% pass rate
• Podman-based E2E testing infrastructure
• Rich error handling & state tracking APIs
• Performance optimizations (<2ms state transitions)

🔧 Breaking changes:
• Removed auto-FIDO logic (now handled by PAM/pam_u2f)
• Simplified state machine (no more TRYING_FIDO states)
• Cleaner authentication flow: IDLE → INITIATED → WAITING_FOR_PASSWORD → AUTHENTICATING → COMPLETED

🐛 Fixed use-after-free bugs, race conditions, and timeout issues

github.com/bennypowers/quickshell-polkit-agent/releases/tag/v2.0.0

#Linux #Polkit #Qt6 #Authentication #FIDO2 #Quickshell #Gentoo
Release v2.0.0 - PAM-Reactive Architecture · bennypowers/quickshell-polkit-agent

v2.0.0 - PAM-Reactive Architecture 🎯 Major Changes Architecture Simplification This release fundamentally changes how the polkit agent handles authentication, shifting from a proactive FIDO-detecti...


Today’s side quest involved allowing polkit policy files to be validated at build time using `xmllint`: https://github.com/polkit-org/polkit/pull/601

#polkit #XML #freedesktop

data: Install an XML catalog to define the policyconfig DTD in by pwithnall · Pull Request #601 · polkit-org/polkit

This allows tools like xmllint to look up the installed copy of the DTD using its public ID, which allows offline validation of policyconfig files in third-party projects without having to have net...

Linux Security EXPOSED! The Truth About polkit on openSUSE Tumbleweed


A couple notable related writeups

A great primer on #dbus and #polkit that clearly shows how brittle they are
https://u1f383.github.io/linux/2025/05/25/dbus-and-polkit-introduction.html

An amazing #linux #kernel #vulnerability research and #exploit development writeup
https://ssd-disclosure.com/ssd-advisory-linux-kernel-hfsplus-slab-out-of-bounds-write/

DBus and Polkit Introduction

Inspired by @4ttil4sz1a’s post on the SSD-disclosure blog, I spent some time understanding how D-Bus and Polkit work on Ubuntu and other Unix-based Linux distributions, with the goal of exploring more kernel attack surfaces.


Is anyone here using a card reader under Ubuntu Linux?

And it stopped working after a dist-upgrade? This might help.

#DirkHagedorn #Fail #Link #Linux #polkit #Ubuntu

Quick tip: Card reader with Ubuntu 24.04 LTS – Dirk Hagedorn