--- Comment #37 from Hrvoje Senjan firstname.lastname@example.org 2014-07-16 11:03:05 UTC --- (In reply to comment #33)
> The problem in KAuth is that due to the layers there is no way to determine who actually is trying to authenticate the polkit action. The D-Bus sender, which should be used for this, is not available. And getuid() might be misleading because it's already running as root due to D-Bus activation on behalf of the user we want to authenticate.
If the (potential) vulnerability is in the case of SUID helpers, we can have this case closed. As I wrote somewhere above, Qt, since 5.3, aborts the action if the Q*Application is SUID. Applications can explicitly override this, but I am happy to add a patch to our Qt5 packages that would also disallow even that.