KDE6 release: D-Bus and Polkit Galore

The SUSE security team reviews D-Bus services and Polkit policies in openSUSE distributions. The openSUSE KDE packagers approached the team ahead of an upcoming KDE6 release, whose changes required adjustments to the whitelistings. The D-Bus system allows remote procedure calls, while Polkit grants authorization for specific actions. Security risks in D-Bus and Polkit setups include potential authentication issues and privilege escalations. The KDE KAuth Framework, a KDE abstraction layer, has had security flaws in the past. Issues in the legacy fontinst D-Bus service involved risky file operations and a lack of granularity in authorization. Developers of D-Bus services should consider the implications of Polkit settings and authentication requirements.

https://security.opensuse.org/2024/04/02/kde6-dbus-polkit.html
