Not Passing any Info from user to sysmaint (NetworkManager) (polkit)

The ability to pass information from the user session to the sysmaint session can be used maliciously.

The scenario in my head is that if NetworkManager is configured under the user session, the same info will be passed to sysmaint. What if the info passed is not an x.x.x.x IP but instead sudo 123?

So user sessions shall not pass information about their changes to sysmaint, to avoid such a scenario.

1 Like

Unfortunately, this is not easy to implement at all. It would require disabling polkit in the user session. But this is a technical challenge. There are many issues when disabling polkit. References:

Future Kicksecure development roadmap:

  • Polkit might no longer run by default in user session.
  • We might run polkit only in sysmaint session by default.
1 Like