pkexec is used internally by a bunch of applications like cannot use pkexec - #3 by AnonymousUser
Yes, SUID in sudo should stay.
Yes, the commands are executed in order so as long as the sudo line is below the lines that remove SUID, we’ll be fine.
We can create a /etc/permission-hardening.d/ directory for configuration snippets. Maybe create a systemd service to create /etc/permission-hardening.d/no-sudo.conf or similar.